Ethereal-users: Re: [Ethereal-users] Capture Filter with multiple exclusions?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 8 Sep 2002 02:24:02 -0700

On Sun, Sep 08, 2002 at 12:19:01AM -0500, Perry T. George wrote:
> 1)  How do I specify a Capture Filter with multiple exclusions?
> 
>          e.g. host 10.0.0.xxx and not arp and not bootp 

By saying

	host 10.0.0.xxx and not arp and not bootp

(where "xxx" would have to be a number between 0 and 255, of course), as
per various examples in the tcpdump man page:

	http://www.ethereal.com/tcpdump.8.html

(as linked to by the "CAPTURE FILTER SYNTAX" section of the on-line
Ethereal man page:

	http://www.ethereal.com/ethereal.1.html

), such as

	More complex filter expressions are built up by using the words
	and, or and not to combine primitives.  E.g., `host foo and not
	port ftp and not port ftp-data'.  To save typing, identical
	qualifier lists can be omitted.  E.g., `tcp dst port ftp or
	ftp-data or domain' is exactly the same as `tcp dst port ftp or
	tcp dst port ftp-data or tcp dst port domain'.

> 2) How long (how big) can I reasonably let Ethereal run in Capture
> mode if I don't specify a max value? Can it write a file in progress

That's all it does - Ethereal has no in-memory buffer that it fills up
with captured data (other than the buffer used by the "standard I/O"
library it uses to write to files, but when that fills, the I/O library
just writes stuff out and empties the buffer).

The limit would be imposed by the maximum file offset size in Ethereal
and in that I/O library, which is probably a limit of 2GB on most
machines.
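
The shorthand rule in the man page excerpt quoted in the message above ("identical qualifier lists can be omitted"), as an added example that is not part of the original post or of libpcap: a Python sketch that writes the omitted qualifiers back out so the full filter can be read before capturing. The function name `expand_filter` and the reduced keyword sets are assumptions of this example; parentheses and `src or dst` are not handled.

```python
"""Expand the tcpdump capture-filter shorthand quoted from the man page.

Simplified model (an assumption of this example, not libpcap's real grammar):
whitespace-separated tokens, no parentheses, no "src or dst", no arithmetic.
"""
PROTO = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp"}
DIR = {"src", "dst"}
TYPE = {"host", "net", "port", "portrange"}
QUALIFIERS = PROTO | DIR | TYPE
OPERATORS = {"and", "or", "not"}


def expand_filter(expr):
    """Return expr with every omitted qualifier list written out."""
    out = []        # tokens of the expanded filter
    run = []        # qualifiers seen since the last operator or ID
    inherited = []  # qualifier list of the most recent primitive with an ID

    def flush_bare():
        # A lone protocol keyword ("arp") is a complete primitive by itself.
        nonlocal inherited
        if not run:
            return
        if len(run) == 1 and run[0] in PROTO:
            out.append(run[0])
            inherited = []  # conservative choice: nothing is inherited after it
            run.clear()
        else:
            raise ValueError("qualifiers without a value: " + " ".join(run))

    for tok in expr.split():
        if tok in OPERATORS:
            flush_bare()
            out.append(tok)
        elif tok in QUALIFIERS:
            run.append(tok)
        else:  # an ID: host name, address, port name or number
            quals = run or inherited
            if not quals:
                raise ValueError("no qualifier list to inherit for " + repr(tok))
            out.extend(quals + [tok])
            inherited = list(quals)
            run.clear()
    flush_bare()
    return " ".join(out)


if __name__ == "__main__":
    # The man page's own shorthand example.
    print(expand_filter("tcp dst port ftp or ftp-data or domain"))
```

A bare name that has no earlier qualifier list to inherit is rejected with `ValueError` rather than guessed at.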