Hi Guy,
You're certainly right that the syntax etc. is all based on bpf/libpcap. A
great deal of my capturing is done with tcpdump on IDSes or non-X machines
and I use Ethereal for post capture analysis. However, I wrote this primer
because the Ethereal help for capture filters freaks a lot of people out. There
is only a reference to the pcap lib and the tcpdump man page. To some people
coming from a Windows background, this just adds to the
confusion/frustration. By putting up a primer that leads people through the
required capture syntax, my hope is that this builds understanding and
confidence with Ethereal's underlying capture facility (libpcap/winpcap) and
they will refer back to the tcpdump man page and expand on what they learned
from my page. This is why at the beginning of my primer, I refer people to
the tcpdump man page as the complete source of information.
I understand that these filters can be used for so many other programs. While
Snort can take capture filter files and command line filters, it also
provides people with the ability to avoid this by using custom rulesets with
simple keywords in place of capture syntax. My preference was to narrow it
down to just 'naming' Ethereal because this seems to be where a great deal of
cross-over with the Windows community occurs, and most of the confusion with
capture filters.
Thanks,
Mike
On Wednesday 25 June 2003 02:45 pm, Guy Harris wrote:
> On Wednesday, June 25, 2003, at 11:28AM, mike wrote:
> > I have a capture filter primer on my website:
> > http://home.insight.rr.com/procana
>
> You might want to rename it "Designing Capture Filters for
> tcpdump/Ethereal/Snort/etc.", as it applies to any program using
> libpcap, not just Ethereal.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
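The point both messages make is that a capture filter is one language shared by every libpcap program: the expression you hand to tcpdump, type into Ethereal's capture filter box, or pass to Snort on the command line is parsed the same way and compiled to the same BPF program. The block below is an added example, not code from the mail, from the primer, or from any of those projects: a toy evaluator for a small subset of that grammar (host/port primitives with optional src/dst and protocol qualifiers, and/or/not, parentheses) run over a handful of constructed packet records, so the precedence rules the tcpdump man page states in prose (not binds tightest, then and, then or; an unqualified `port` or `host` matches either direction) can be checked directly. Real libpcap compiles the expression to BPF bytecode the kernel runs on raw frames; the packet dictionaries and the `Parser` class here are assumptions made for illustration only.

```python
"""Toy evaluator for a subset of the libpcap/BPF capture-filter grammar.

Added example (not from the original mail, the primer, or Ethereal/tcpdump/
Snort): real libpcap compiles these expressions to BPF bytecode that runs on
raw frames. This exists only to make the grammar's precedence rules visible
on a few constructed packet records.
"""
import re

# Constructed packet records (hypothetical traffic, not a real capture).
PACKETS = [
    {"proto": "tcp",  "src": "10.0.0.5",     "dst": "192.168.1.10", "sport": 40000, "dport": 80},
    {"proto": "udp",  "src": "10.0.0.5",     "dst": "8.8.8.8",      "sport": 5353,  "dport": 53},
    {"proto": "tcp",  "src": "192.168.1.10", "dst": "10.0.0.5",     "sport": 22,    "dport": 51000},
    {"proto": "icmp", "src": "10.0.0.9",     "dst": "10.0.0.5",     "sport": None,  "dport": None},
]

PROTOS = ("ip", "tcp", "udp", "icmp")


def tokenize(expr):
    # Parentheses are their own tokens; everything else splits on whitespace.
    return re.findall(r"\(|\)|[^\s()]+", expr)


class Parser:
    """Recursive descent with the man-page precedence: not > and > or."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise SyntaxError("trailing token %r" % self.peek())
        return pred

    def expr(self):  # 'or' level: lowest precedence
        left = self.conj()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.conj())
        return left

    def conj(self):  # 'and' level
        left = self.term()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.term())
        return left

    def term(self):  # 'not', parenthesised group, or a primitive
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            inner = self.term()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        # [proto] [src|dst] (host ADDR | port NUM), or a bare protocol name.
        proto = direction = None
        if self.peek() in PROTOS:
            proto = self.take()
            if self.peek() not in ("src", "dst", "host", "port"):
                return lambda p: proto == "ip" or p["proto"] == proto
        if self.peek() in ("src", "dst"):
            direction = self.take()
        kind = self.take()
        if kind not in ("host", "port"):
            raise SyntaxError("expected host/port, got %r" % kind)
        value = self.take()
        if kind == "port":
            value = int(value)
        fields = {"host": ("src", "dst"), "port": ("sport", "dport")}[kind]
        if direction == "src":
            fields = fields[:1]       # unqualified host/port matches either end
        elif direction == "dst":
            fields = fields[1:]

        def match(p):
            if proto not in (None, "ip") and p["proto"] != proto:
                return False
            return any(p[f] == value for f in fields)
        return match


def compile_filter(expr):
    return Parser(expr).parse()


def apply_filter(expr, packets=PACKETS):
    """Return the indices of packets the capture filter would keep."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]


if __name__ == "__main__":
    for f in ("tcp port 22", "host 10.0.0.5 and not tcp port 22",
              "tcp port 22 or udp and host 8.8.8.8"):
        print("%-40s -> %s" % (f, apply_filter(f)))
```

The last expression in the usage loop is the one that trips people up: `tcp port 22 or udp and host 8.8.8.8` is read as `tcp port 22 or (udp and host 8.8.8.8)`, because `and` binds tighter than `or`, so the parentheses are needed if the other grouping was intended. The same expressions, parenthesised the same way, behave identically in tcpdump, Ethereal and Snort because all three hand them to the one libpcap compiler.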