Ethereal-users: Re: [Ethereal-users] capture filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 17 Feb 2004 22:33:56 -0800

On Mon, Feb 16, 2004 at 09:04:22PM -0600, Phil Reinemann wrote:
> The documentation says to use periods for the delimiters.
> I found that on WIN32 (W98SE) that to get a capture filter to work for a 
> MAC one must use the following:
> "ether host tt:uu:ww:xx:yy:zz" minus the quotation marks. In other words, 
> use colons, even though Ethereal documentation shows MACs with periods.

To which Ethereal documentation *on capture filters* are you referring? 
Note that the "ethereal-filter" man page describes display filters,
*not* capture filters - and that it says

       Ethernet addresses, as well as a string of bytes, are  
       represented in hex digits.  The hex digits may be
       separated by colons, periods, or hyphens:

           fddi.dst eq ff:ff:ff:ff:ff:ff
           ipx.srcnode == 0.0.0.0.0.1
           eth.src == aa-aa-aa-aa-aa-aa

(Ethereal display filters allow any of those; libpcap capture filters
require colons).

> "ether" and "host" also both seem to be necessary.

The tcpdump man page discusses that part:

	      ether host ehost
		     True if either the ethernet source or desti-
		     nation address is ehost.
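
Added example, not part of the original message or of Ethereal/libpcap: a small Python helper that takes an Ethernet address written in any of the three display-filter notations quoted above (colons, periods or hyphens) and emits the colon-separated form for an `ether host` capture filter. The function names `normalize_mac` and `ether_host_filter` are hypothetical; rejecting anything that is not exactly six hex bytes also keeps stray filter syntax out of the expression when the address comes from user input.

```python
import re

# Delimiters the quoted display-filter documentation allows between hex bytes.
_SEPARATORS = (":", ".", "-")
# One or two hex digits per byte, so "0.0.0.0.0.1" is accepted and zero-padded.
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")


def normalize_mac(text):
    """Return the address as six lowercase, zero-padded, colon-separated bytes."""
    text = text.strip()
    used = [sep for sep in _SEPARATORS if sep in text]
    if len(used) != 1:
        raise ValueError("expected exactly one kind of separator: %r" % text)
    parts = text.split(used[0])
    if len(parts) != 6 or not all(_HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError("not a 6-byte hex Ethernet address: %r" % text)
    return ":".join(p.lower().zfill(2) for p in parts)


def ether_host_filter(mac, direction=None):
    """Build a capture filter: 'ether host X', 'ether src X' or 'ether dst X'."""
    if direction not in (None, "src", "dst"):
        raise ValueError("direction must be None, 'src' or 'dst'")
    qualifier = "host" if direction is None else direction
    return "ether %s %s" % (qualifier, normalize_mac(mac))


if __name__ == "__main__":
    # Constructed sample inputs: the three notations from the quoted man page,
    # plus inputs that must be rejected rather than passed to the capture filter.
    samples = ["ff:ff:ff:ff:ff:ff", "0.0.0.0.0.1", "aa-aa-aa-aa-aa-aa",
               "aa:bb-cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff or tcp"]
    for sample in samples:
        try:
            print("%-28s -> %s" % (sample, ether_host_filter(sample)))
        except ValueError as err:
            print("%-28s -> rejected (%s)" % (sample, err))
```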