Ethereal-users: Re: [Ethereal-users] Re:Filter ? second ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 19 Feb 2003 12:49:49 -0800
On Wed, Feb 19, 2003 at 08:36:04PM +0100, Sean Hackstein wrote:
> To make things clear:
> I try to type the filter directly into:
> Capture/start ->  Ethereal: Capture Options
> Filter->
>
> maybe that's wrong?

Given that you said, in your earlier message:

	i'm new to ethereal and didn't manage to get a display filter working
						       ^^^^^^^

either

	1) typing it into the "Filter:" field in the "Capture Options"
	   dialog box is wrong

or

	2) saying "...didn't manage to get a display filter working",
	   rather than "...didn't manage to get a *capture* filter
	   working", was wrong.  :-)

I suspect the latter was the error here.

If you want to control which packets Ethereal *captures*, rather than
the subset of the captured packets in the display, you need a capture
filter; the syntax for those is different from the syntax for display
filters (capture filters are compiled by the libpcap/WinPcap library
that Ethereal uses to do packet capture, display filters are compiled by
Ethereal).

To do a *capture* filter to check for MAC addresses beginning with
00:30:84:1c, you'd do

	ether[0:4] = 0x0030841c or ether[6:4] = 0x0030841c

(Note that in capture filters the number after the : has to be 1, 2, or 4
- you can't use 3, and you can't use a number greater than 4; capture
filters are not as general as display filters in that regard.  You just
happen to be lucky that you want to check the first 4 bytes of the
address.)
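
An added example, not part of the original message: it builds the capture filter above for a MAC prefix of any length from 1 to 6 bytes using only the 1-, 2- and 4-byte loads that capture filters allow, and evaluates the same loads against constructed frames. It goes beyond the 4-byte case in the message; the helper names are hypothetical.

```python
# Added example; helper names are hypothetical, sample frames are constructed.
LOAD_SIZES = (4, 2, 1)  # the only widths a capture filter can load

def loads(prefix: bytes, base: int):
    """Split a prefix into (offset, size, value) loads starting at `base`."""
    out, pos = [], 0
    while pos < len(prefix):
        size = next(s for s in LOAD_SIZES if s <= len(prefix) - pos)
        out.append((base + pos, size, int.from_bytes(prefix[pos:pos + size], "big")))
        pos += size
    return out

def parse_prefix(prefix: str) -> bytes:
    raw = bytes.fromhex(prefix.replace(":", "").replace("-", ""))
    if not 1 <= len(raw) <= 6:
        raise ValueError("a MAC prefix is 1 to 6 bytes")
    return raw

def mac_prefix_capture_filter(prefix: str) -> str:
    raw, sides = parse_prefix(prefix), []
    for base in (0, 6):  # destination MAC at offset 0, source MAC at offset 6
        terms = [f"ether[{o}:{s}] = 0x{v:0{2 * s}x}" for o, s, v in loads(raw, base)]
        # "and" and "or" have equal precedence in capture filters, so group
        sides.append(f"({' and '.join(terms)})" if len(terms) > 1 else terms[0])
    return " or ".join(sides)

def frame_matches(frame: bytes, prefix: str) -> bool:
    """Evaluate the same loads against a raw Ethernet frame (big-endian)."""
    raw = parse_prefix(prefix)
    return any(
        all(int.from_bytes(frame[o:o + s], "big") == v for o, s, v in loads(raw, base))
        for base in (0, 6)
    )

# Constructed frames: broadcast destination, then source MAC, then EtherType
HIT = bytes.fromhex("ffffffffffff" "0030841c1234" "0800")
MISS = bytes.fromhex("ffffffffffff" "0030851c1234" "0800")

if __name__ == "__main__":
    for p in ("00:30:84:1c", "00:30:84", "00:30:84:1c:12:34"):
        print(p, "->", mac_prefix_capture_filter(p))
    print(frame_matches(HIT, "00:30:84"), frame_matches(MISS, "00:30:84"))
```

A 3-byte prefix such as 00:30:84 comes out as a 2-byte load and a 1-byte load joined with "and", parenthesized on each side of the "or".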