Ethereal-users: Re: [Ethereal-users] Capture Filter Primer

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 4 Aug 2002 14:00:32 -0700
On Sun, Aug 04, 2002 at 02:47:59PM -0400, MH wrote:
> I just put up a capture filter primer for Ethereal on my webpage if anyone 
> is interested.

Actually, much of it is really a capture filter primer for libpcap, so
much of it is really also a capture filter primer for tcpdump/WinDump,
and for any other programs that use libpcap's capture filter mechanism. 
(The only Ethereal-specific parts are the third page, and the parts of
the second page that talk about filter names.)

Note that using "ether[]" is probably not a good idea when trying to
filter on TCP payload, as in the SMTP examples.  There is no *perfect*
way to do that, as the libpcap filter code doesn't support filtering on
TCP payload (so it can't deal with variable-length TCP headers), but
using, say

	tcp[20:4]=0x48454C4F

to look for HELO handles non-Ethernet link layers, and variable length
IP headers (headers with IP options), whereas

	ether[54:4]=0x48454C4F

doesn't.

(Libpcap also currently doesn't handle variable-length link-layer
headers, so it can't handle all 802.11 frames, for example; that may
change at some point.)

The tcpdump man page on the Ethereal Web site is probably the tcpdump
3.4 man page; more recent versions have some more tutorial information
on constructing filters in the man page - see, for example

	http://windump.polito.it/docs/manual.htm

(the current WinDump is based on tcpdump 3.6.2), which has a section
with the title "Capturing TCP packets with particular flag combinations
(SYN-ACK, URG-ACK, etc.)".

Some other notes:

For protocols that are in the "/etc/services" file on UNIX (or whatever
its equivalent is on Windows), or in the corresponding NIS maps on OSes
where "getservbyname()" uses NIS, you can use the protocol name, e.g.

	port domain
	port smtp
	port ftp
	port telnet
	port pop3
	port snmp or port snmptrap

rather than

	port 53
	port 25
	port 21
	port 23
	port 110
	port 161 or port 162

To check for IGMP, "ip proto igmp" should work, on at least newer
versions of libpcap; you might have to do "ip proto 2" on older
versions.  To check for EGP, you can just do "ip proto 8".  I.e., you
don't have to check "ip[9]", you can just use "ip proto".

If you want to filter for Ethernet multicast packets, "ether multicast"
will work, and "ip multicast" will check for IP multicasts - and there's
also "ip6 multicast" in newer versions of libpcap.
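The offset difference Guy describes above (ether[54:4] versus tcp[20:4] for the SMTP HELO example), as an added worked example that is not part of the original post: a small Python script that builds constructed Ethernet/IPv4/TCP frames and emulates how libpcap resolves the two index expressions. The frame builder, the addresses and the helper names are assumptions for the demonstration, not libpcap code.

```python
import struct

HELO = 0x48454C4F  # the four ASCII bytes "HELO" as a big-endian integer

def build_frame(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (not a real capture); options must be 4-byte multiples."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, IPv4
    ihl = 5 + len(ip_options) // 4                 # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4               # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, doff << 4, 0x18, 8192, 0, 0) + tcp_options
    return eth + ip + tcp + payload

def ether_match(frame: bytes, offset: int, width: int, value: int) -> bool:
    """ether[offset:width] = value: a fixed offset from the start of the frame."""
    return int.from_bytes(frame[offset:offset + width], "big") == value

def tcp_match(frame: bytes, offset: int, width: int, value: int) -> bool:
    """tcp[offset:width] = value: offset relative to the TCP header, whose position
    is derived from the IP header length field, so IP options are skipped."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # must be IPv4 carrying TCP
        return False
    tcp_start = 14 + (frame[14] & 0x0F) * 4
    return int.from_bytes(frame[tcp_start + offset:tcp_start + offset + width], "big") == value

def compare(frame: bytes):
    """Return (ether[54:4]=HELO, tcp[20:4]=HELO) for one frame."""
    return ether_match(frame, 54, 4, HELO), tcp_match(frame, 20, 4, HELO)

# Constructed sample frames: plain, with four IP NOP options, with a TCP MSS option.
PAYLOAD = b"HELO mail.example.test\r\n"
PLAIN = build_frame(PAYLOAD)
WITH_IP_OPTS = build_frame(PAYLOAD, ip_options=b"\x01\x01\x01\x01")
WITH_TCP_OPTS = build_frame(PAYLOAD, tcp_options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, frame in [("plain", PLAIN), ("IP options", WITH_IP_OPTS), ("TCP options", WITH_TCP_OPTS)]:
        e, t = compare(frame)
        print(f"{name:12} ether[54:4]={e}  tcp[20:4]={t}")
```

With IP options present only the tcp[] form still matches; with TCP options present neither does, which is the "no perfect way" limitation the post points out.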