Ethereal-users: Re: [Ethereal-users] help

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Fri, 27 Dec 2002 19:40:59 +0100
Steve More wrote:
> I just installed Ethereal and am capturing packets just fine. My question is: Where can I find good detailed info about setting up display filters and
> capture filters.

Q 5.3: I can set a display filter just fine, but capture filters don't work.

A: Capture filters currently use a different syntax than display filters. Here's the corresponding section from the ethereal(1) man page:

"Display filters in Ethereal are very powerful; more fields are filterable in Ethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Ethereal progresses, expect more and more protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax."

The capture filter syntax used by libpcap can be found in the tcpdump(8) man page.

 
Capture filters:
===========
 
Check out the tcpdump manual
 
There is also a capture filter guide here:
 
I normally use capture filters like:
host 10.10.10.20 and ip
tcp port 5020
host 10.10.10.20 and udp
udp port 1720
and similar.
 
Display filters:
==========
Display filters are normally more powerful than capture filters in most cases. You can filter
on high-level protocols.
 
If you mark one TCP packet you can filter out that TCP stream with Tools/Follow TCP stream.
It's a functionality I'm using often. It will result in a filter looking something like this:
(ip.addr eq 10.10.10.21 and ip.addr eq 10.10.10.29) and (tcp.port eq 6000 and tcp.port eq 1162)

If you mark a row in any packet - you can normally get a display filter by using Display/Match/Selected or Display/Prepare/Selected.
That's probably one of the easiest ways of getting a capture filter.
For example, if you mark the line "Destination port: 80" in the TCP header of a packet and use Display/Prepare/Selected
you will get a display filter "tcp.dstport == 80" at the bottom of the Ethereal window, and then you just press "Apply"
or modify the filter.
If you want to search for packets to or from port 80 you could e.g. use a filter "(tcp.dstport == 80) or (tcp.srcport == 80)"
But if the field is not a searchable field then Ethereal will create a filter of the type frame[x:y] == .... and
then it may not be so useful.

Another way of creating display filters is Edit/Display Filters.../Add Expression....
There you can select the protocol and will be able to see what you can filter on for each protocol.
 
For more information see the (not completely up-to-date) user guide:
 
The Ethereal user guide
includes information about the searchable fields for different protocols, e.g.
http://www.ethereal.com/docs/user-guide/sidtransmissioncontrolprotocol.html   (TCP)
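The reply above shows two display filters without saying why they are written the way they are: the "Follow TCP stream" filter uses two `ip.addr eq` terms and two `tcp.port eq` terms because `ip.addr` matches either the source or the destination address and `tcp.port` matches either port, which is also why "(tcp.dstport == 80) or (tcp.srcport == 80)" is equivalent to "tcp.port == 80". The following is an added example, not code from Ethereal or from the poster: a small Python evaluator for that subset of the display-filter syntax (field `==`/`eq` value, `and`, `or`, parentheses), run over a handful of constructed Ethernet/IPv4/TCP frames. It models only the display-filter side; the capture filters in the message ("host 10.10.10.20 and udp" etc.) are BPF expressions that libpcap evaluates on raw bytes before a packet is ever stored, and are not modelled here. The frames, addresses and port numbers are constructed test data.

```python
"""Toy evaluator for a subset of Ethereal display-filter syntax.

Added example, not Ethereal code. It dissects constructed Ethernet/IPv4/TCP
frames and evaluates filters such as the "Follow TCP stream" filter from the
post, to show how ip.addr and tcp.port match either direction of a conversation.
"""
import re
import socket
import struct


def build_frame(src_ip, dst_ip, sport, dport):
    """Build a minimal Ethernet + IPv4 + TCP frame (constructed test data;
    checksums are left zero because only addresses and ports are read)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp


def dissect(frame):
    """Return the fields a display filter can reference for this frame.
    Each field maps to the SET of values it matches, so 'ip.addr' covers both
    source and destination and 'tcp.port' covers both ports."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {}
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    proto = frame[ip_off + 9]
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    fields = {"ip.src": {src}, "ip.dst": {dst}, "ip.addr": {src, dst}}
    if proto == 6:
        tcp_off = ip_off + ihl
        sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
        fields.update({"tcp.srcport": {sport}, "tcp.dstport": {dport},
                       "tcp.port": {sport, dport}})
    return fields


# Tokens: parentheses, '==', identifiers/keywords (ip.addr, eq, and, or), numbers/addresses.
TOKEN = re.compile(r"\(|\)|==|[A-Za-z_][\w.]*|[\d.]+")


class DisplayFilter:
    """Recursive-descent parser and evaluator for: field (== | eq) value,
    combined with 'and', 'or' and parentheses ('and' binds tighter than 'or')."""

    def __init__(self, text):
        self.tokens = TOKEN.findall(text)
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError("trailing tokens in filter: %r" % self.tokens[self.pos:])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._next()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._next()
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        op = self._next()
        if op not in ("==", "eq"):
            raise ValueError("expected == or eq after %r" % tok)
        return ("eq", tok, self._next())

    def matches(self, fields):
        return self._eval(self.ast, fields)

    def _eval(self, node, fields):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], fields) or self._eval(node[2], fields)
        if kind == "and":
            return self._eval(node[1], fields) and self._eval(node[2], fields)
        _, name, value = node
        if name not in fields:
            return False  # frame lacks that protocol, so the field cannot match
        probe = int(value) if name.startswith("tcp.") else value  # ports are ints
        return probe in fields[name]


def apply_filter(text, frames):
    """Return the indices of the frames that the display filter selects."""
    flt = DisplayFilter(text)
    return [i for i, f in enumerate(frames) if flt.matches(dissect(f))]


# Constructed capture: one TCP conversation between .21:1162 and .29:6000 seen
# in both directions, plus a second client port and some unrelated web traffic.
CAPTURE = [
    build_frame("10.10.10.21", "10.10.10.29", 1162, 6000),  # 0 client -> server
    build_frame("10.10.10.29", "10.10.10.21", 6000, 1162),  # 1 server -> client
    build_frame("10.10.10.21", "10.10.10.29", 1163, 6000),  # 2 different client port
    build_frame("10.10.10.21", "10.10.10.50", 1162, 80),    # 3 web request
    build_frame("10.10.10.50", "10.10.10.21", 80, 1162),    # 4 web reply
]

# The "Follow TCP stream" filter from the post, verbatim.
FOLLOW_STREAM = ("(ip.addr eq 10.10.10.21 and ip.addr eq 10.10.10.29) "
                 "and (tcp.port eq 6000 and tcp.port eq 1162)")

if __name__ == "__main__":
    for text in (FOLLOW_STREAM, "tcp.dstport == 80",
                 "(tcp.dstport == 80) or (tcp.srcport == 80)", "tcp.port == 80"):
        print("%-72s -> frames %s" % (text, apply_filter(text, CAPTURE)))
```

Running it selects frames 0 and 1 for the follow-stream filter (frame 2 shares both addresses but uses port 1163, so the `tcp.port eq 1162` term rejects it), frame 3 for `tcp.dstport == 80`, and frames 3 and 4 for both the `or` form and `tcp.port == 80`. The same either-direction semantics is the reason a filter like `ip.addr eq X` can never single out one direction of a conversation; use `ip.src` or `ip.dst` for that.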