What I'm saying is that filters written in the prescribed manner sometimes
produce syntax errors on my Win XP system depending on the combination of,
in this case, protocols. For example:

    host 10.0.0.3 and not arp
    host 10.0.0.3 and not icmp
    host 10.0.0.3 and not icmp and not arp

all work, while:

    host 10.0.0.3 and not arp and not smtp
    host 10.0.0.3 and not bootp

produce syntax errors.

So... specifying some protocols and some combinations of protocols produces
syntax errors on my machine. All of the mentioned protocols are present in
my data stream and all protocols are enabled under Ethereal.

----- Original Message -----
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Perry T. George" <ptgeorge@xxxxxxxxxxx>
Cc: <ethereal-users@xxxxxxxxxxxx>
Sent: Sunday, September 08, 2002 4:24 AM
Subject: Re: [Ethereal-users] Capture Filter with multiple exclusions?
> On Sun, Sep 08, 2002 at 12:19:01AM -0500, Perry T. George wrote:
> > 1) How do I specify a Capture Filter with multiple exclusions?
> >
> > e.g. host 10.0.0.xxx and not arp and not bootp
>
> By saying
>
> host 10.0.0.xxx and not arp and not bootp
>
> (where "xxx" would have to be a number between 0 and 255, of course), as
> per various examples in the tcpdump man page:
>
> http://www.ethereal.com/tcpdump.8.html
>
> (as linked to by the "CAPTURE FILTER SYNTAX" section of the on-line
> Ethereal man page:
>
> http://www.ethereal.com/ethereal.1.html
>
> ), such as
>
>     More complex filter expressions are built up by using the words
>     and, or and not to combine primitives. E.g., `host foo and not
>     port ftp and not port ftp-data'. To save typing, identical
>     qualifier lists can be omitted. E.g., `tcp dst port ftp or
>     ftp-data or domain' is exactly the same as `tcp dst port ftp or
>     tcp dst port ftp-data or tcp dst port domain'.
>
> > 2) How long (how big) can I reasonably let Ethereal run in Capture
> > mode if I don't specify a max value? Can it write a file in progress
>
> That's all it does - Ethereal has no in-memory buffer that it fills up
> with captured data (other than the buffer used by the "standard I/O"
> library it uses to write to files, but when that fills, the I/O library
> just writes stuff out and empties the buffer).
>
> The limit would be imposed by the maximum file offset size in Ethereal
> and in that I/O library, which is probably a limit of 2GB on most
> machines.
>
>
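
Added example, not part of the original thread: capture filters are compiled by libpcap, whose filter language has primitives for `arp` and `icmp` but none for `smtp` or `bootp` (those are Ethereal display-filter names), so the failing filters above need port tests instead. The sketch below rewrites such bare names into port primitives; the `PORT_EQUIV` table, the `QUALIFIERS` set and the function name are assumptions made for this illustration, using the well-known ports for SMTP and BOOTP.

```python
import re

# Application protocols that are Ethereal display-filter names but not
# capture-filter primitives, mapped to well-known ports (assumed table).
PORT_EQUIV = {
    "smtp": "(tcp port 25)",
    "bootp": "(udp port 67 or udp port 68)",
}

# After one of these qualifiers a bare word is a host or service name
# (e.g. `port smtp`, `host bootp`), so it must be left untouched.
QUALIFIERS = {"host", "net", "port", "src", "dst", "gateway"}

# Parentheses are their own tokens; everything else splits on whitespace.
TOKEN = re.compile(r"\(|\)|[^\s()]+")


def rewrite_capture_filter(expr):
    """Return (rewritten_expr, replaced_names) for a capture filter string."""
    out, replaced, prev = [], [], ""
    for tok in TOKEN.findall(expr):
        low = tok.lower()
        if low in PORT_EQUIV and prev not in QUALIFIERS:
            out.append(PORT_EQUIV[low])
            replaced.append(low)
        else:
            out.append(tok)
        prev = low
    text = " ".join(out).replace("( ", "(").replace(" )", ")")
    return text, replaced


if __name__ == "__main__":
    # Filters taken from the message above.
    for f in (
        "host 10.0.0.3 and not icmp and not arp",
        "host 10.0.0.3 and not arp and not smtp",
        "host 10.0.0.3 and not bootp",
    ):
        fixed, names = rewrite_capture_filter(f)
        status = "rewritten" if names else "unchanged"
        print(f"{status}: {fixed}")
```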