Ethereal-users: Re: [Ethereal-users] Capture Filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: James Fields <jvfields@xxxxxxx>
Date: Thu, 26 Jun 2003 12:43:36 -0000
The same holds true for Packetyzer, which I gather uses Ethereal under
the covers as an analysis engine, but which seems to use the same syntax
for capture and display filters.

On Thu, 2003-06-26 at 08:19, mike wrote:
> Hi Guy,
> 
> You're certainly right that the syntax etc is all based on bpf/libpcap. A 
> great deal of my capturing is done with tcpdump on IDSes or non-X machines  
> and I use Ethereal for post capture analysis.  However, I wrote this primer 
> because the Ethereal help for capture filters freaks a lot of people.  There 
> is only reference to the pcap lib and tcpdump man page.  To some people 
> coming from a windows background, this just adds to the 
> confusion/frustration.  By putting up a primer that leads people through the 
> required capture syntax, my hope is that this builds understanding and 
> confidence with Ethereal's underlying capture facility (libpcap/winpcap) and 
> they will refer back to the tcpdump man page and expand on what they learned 
> from my page.  This is why at the beginning of my primer, I refer people to 
> the tcpdump man page as the complete source of information.
> I understand that these filters can be used for so many other programs.  While 
> snort can take capture filter files and command line filters, it also 
> provides people with the ability to avoid this by using custom rulesets with 
> simple keywords in place of capture syntax. My preference was to narrow it 
> down to just 'naming' Ethereal because this seems to be where a great deal of 
> cross-over with the windows community occurs and most of the confusion with 
> capture filters. 
> 
> Thanks,
> Mike
> 
> 
> On Wednesday 25 June 2003 02:45 pm, Guy Harris wrote:
> > On Wednesday, June 25, 2003, at 11:28AM, mike wrote:
> > > I have a capture filter primer on my website:
> > > http://home.insight.rr.com/procana
> >
> > You might want to rename it "Designing Capture Filters for
> > tcpdump/Ethereal/Snort/etc.", as it applies to any program using
> > libpcap, not just Ethereal.
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
-- 
James V. Fields
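The thread's point is that the capture-filter language is libpcap's, shared by tcpdump, Ethereal and anything else built on libpcap/WinPcap, and distinct from Ethereal's display filters. As an added example (not code from the thread, from Ethereal or from libpcap), here is a small Python evaluator for a subset of that syntax, run over constructed Ethernet/IPv4 frames. It reimplements the semantics of the host, port and protocol primitives and the and/or/not operators in plain Python rather than compiling to BPF, so it shows what a capture filter actually tests (raw IPv4 and TCP/UDP header fields) and which frames it silently drops. The frame layout, the addresses in SAMPLE and every function name are assumptions of this example.

```python
"""Evaluate a subset of libpcap/tcpdump capture-filter syntax over raw frames.
Added teaching example (not libpcap's BPF compiler, not Ethereal code): [src|dst]
host A, [tcp|udp] [src|dst] port N, tcp, udp, icmp, ip, and/&&, or/||, not/!, ().
"""
import re
import socket
import struct

ETH_HLEN = 14
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
TOKEN = re.compile(r"\(|\)|&&|\|\||!|[\w.]+")

def parse_packet(frame):
    """Decode only the header fields the supported primitives can test."""
    pkt = {"ip": struct.unpack("!H", frame[12:14])[0] == 0x0800}
    if not pkt["ip"]:
        return pkt  # ARP etc.: every IP-level primitive is false for it
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    pkt["proto"] = frame[ETH_HLEN + 9]
    pkt["src"], pkt["dst"] = map(socket.inet_ntoa, struct.unpack("!4s4s", frame[ETH_HLEN + 12:ETH_HLEN + 20]))
    if pkt["proto"] in (6, 17):  # TCP/UDP ports are the first 4 L4 bytes
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[ETH_HLEN + ihl:][:4])
    return pkt

class Parser:
    """Recursive descent: expr = term (or term)*; term = factor (and factor)*."""
    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def chain(self, ops, sub, comb):  # left-associative operators of one level
        left = sub()
        while self.peek() in ops:
            self.take()
            left = (lambda l, r: lambda p: comb(l(p), r(p)))(left, sub())
        return left
    def expr(self):
        return self.chain(("or", "||"), self.term, lambda a, b: a or b)
    def term(self):
        return self.chain(("and", "&&"), self.factor, lambda a, b: a and b)
    def factor(self):
        tok = self.take()
        if tok in ("not", "!"):
            return (lambda inner: lambda p: not inner(p))(self.factor())
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return inner
        return self.primitive(tok)
    def primitive(self, tok):
        if tok in PROTO and self.peek() in ("port", "src", "dst"):  # "tcp port 80"
            num, rest = PROTO[tok], self.primitive(self.take())
            return lambda p: p.get("proto") == num and rest(p)
        side, tok = (tok, self.take()) if tok in ("src", "dst") else (None, tok)
        if tok == "host":
            addr = self.take()
            keys = {"src": ("src",), "dst": ("dst",)}.get(side, ("src", "dst"))
            return lambda p: p["ip"] and any(p[k] == addr for k in keys)
        if tok == "port":  # unqualified port means TCP or UDP (libpcap adds SCTP)
            num = int(self.take())
            keys = {"src": ("sport",), "dst": ("dport",)}.get(side, ("sport", "dport"))
            return lambda p: p.get("proto") in (6, 17) and any(p[k] == num for k in keys)
        if side is None and tok in PROTO:
            return lambda p, n=PROTO[tok]: p.get("proto") == n
        if side is None and tok == "ip":
            return lambda p: p["ip"]
        raise SyntaxError("unsupported primitive %r" % (tok,))

def compile_filter(expr):
    """Filter string -> predicate on raw frames (cf. pcap_compile/pcap_offline_filter)."""
    parser = Parser(expr)
    test = parser.expr()
    if parser.peek() is not None:  # reject leftovers such as "host 10.0.0.5 80"
        raise SyntaxError("trailing token %r" % (parser.peek(),))
    return lambda frame: bool(test(parse_packet(frame)))

def apply_filter(expr, frames):
    """Indices of the frames a capture run with this filter would record."""
    keep = compile_filter(expr)
    return [i for i, f in enumerate(frames) if keep(f)]

def build_frame(src, dst, proto, sport=0, dport=0):  # constructed frame, zero checksums
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

SAMPLE = [  # constructed sample traffic, not a real capture
    build_frame("10.0.0.5", "192.0.2.10", 6, 40000, 80),   # 0: HTTP request
    build_frame("192.0.2.10", "10.0.0.5", 6, 80, 40000),   # 1: HTTP reply
    build_frame("10.0.0.5", "192.0.2.53", 17, 51000, 53),  # 2: DNS query
    build_frame("10.0.0.7", "10.0.0.5", 1),                # 3: ICMP
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,             # 4: ARP, not IPv4
]
```

Running apply_filter("host 10.0.0.5 and tcp port 80", SAMPLE) keeps frames 0 and 1, while "not ip" keeps only frame 4. That last case is the caveat a practitioner wants from the thread: a capture filter is applied before the packet is ever written, so "host 10.0.0.5" silently drops the ARP frame (and anything else non-IP) for good, whereas a display filter only hides packets that are already in the file. The same filter string is what tcpdump, Ethereal's capture filter box and, as Mike notes, Snort's BPF filter inputs accept; real libpcap supports far more (net, greater/less, byte offsets), which this subset deliberately omits.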