Burgess, Jeffrey T said:
> I'm now convinced the filter format is different from the display filter
> set.
Yes, the Ethereal man page:
http://www.ethereal.com/docs/man-pages/ethereal.1.html
is very convincing on that issue:
Packet capturing is performed with the pcap library. The capture
filter syntax follows the rules of the pcap library. This syntax
is different from the display filter syntax.
> I haven't found any good documentation on the capture filter.
The manual page also says
CAPTURE FILTER SYNTAX
See the tcpdump(8) manual page.
If you're on Windows, that manual page can be found at
http://windump.polito.it/docs/manual.htm
On UN*X, "man tcpdump" should show it to you, or you can see
http://www.tcpdump.org/tcpdump_man.html
or
http://www.ethereal.com/docs/man-pages/tcpdump.8.html
Look for the section starting with
expression
selects which packets will be dumped. If no
expression is given, all packets on the net will be
dumped. Otherwise, only packets for which expression
is `true' will be dumped.
Note, however, that new capabilities have been added to the filtering
language over time, so a given man page might describe stuff not available
in whatever version of libpcap Ethereal is using on your system, or might
not describe stuff that *is* available.
> Can someone tell me how it should be formatted for example to
> capture data to and from a specific IP address,
In the "EXAMPLES" section of the tcpdump man page:
To print all packets arriving at or departing from sundown:
tcpdump host sundown
(the host can be a name or an IP address).
Note that this is a sample command line - "tcpdump" is the command, and
"host sundown" are the arguments to the command, giving the filter. You
would use just "host sundown" with Ethereal - you would *not* put
"tcpdump" in there.
> and maybe to or from a specific subnet?
"net {network name}" if there's a name in the networks database for it,
or, at least with newer versions of libpcap/WinPcap, "net
XXX.XXX.XXX.XXX/NN", where XXX.XXX.XXX.XXX is the subnet address and NN is
the subnet mask (as a number of bits - the usual syntax).
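To make the semantics of the "host" and "net" primitives discussed above concrete, here is a small added example (not part of the original thread, and not libpcap's own code) that evaluates that subset of the capture filter syntax against a few constructed IPv4 packet headers. It assumes the filter is one primitive, optionally prefixed with "src" or "dst", and leaves out hostname lookup (so "host sundown" would need resolving to an address first); the CIDR form is rejected when host bits are set, mirroring libpcap's "non-network bits set" error.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample "packets": only the IPv4 addresses a host/net filter looks at.
PACKETS: List[Dict[str, str]] = [
    {"src": "192.0.2.10", "dst": "198.51.100.7"},
    {"src": "198.51.100.7", "dst": "192.0.2.10"},
    {"src": "192.0.2.200", "dst": "203.0.113.5"},
    {"src": "203.0.113.5", "dst": "203.0.113.9"},
]


def compile_filter(expr: str) -> Callable[[Dict[str, str]], bool]:
    """Build a predicate for the filter subset covered in the post:
    [src|dst] host <addr>  or  [src|dst] net <addr>/<bits>.

    Without a src/dst qualifier the primitive matches packets travelling
    in either direction, i.e. "to and from" the host or subnet.
    (Hypothetical helper; it is not the pcap compiler.)
    """
    tokens = expr.split()
    direction = "either"
    if tokens and tokens[0] in ("src", "dst"):
        direction = tokens.pop(0)
    if len(tokens) != 2 or tokens[0] not in ("host", "net"):
        raise ValueError(f"unsupported capture filter: {expr!r}")
    kind, value = tokens
    if kind == "host":
        # A single address is just a /32 network.
        target = ipaddress.ip_network(value)
    else:
        # strict=True raises ValueError if host bits are set in the prefix,
        # the same situation libpcap reports as "non-network bits set".
        target = ipaddress.ip_network(value, strict=True)

    def matches(pkt: Dict[str, str]) -> bool:
        src_hit = ipaddress.ip_address(pkt["src"]) in target
        dst_hit = ipaddress.ip_address(pkt["dst"]) in target
        if direction == "src":
            return src_hit
        if direction == "dst":
            return dst_hit
        return src_hit or dst_hit

    return matches


def apply_filter(expr: str, packets: List[Dict[str, str]] = PACKETS) -> List[Dict[str, str]]:
    """Return the packets that the capture filter `expr` would keep."""
    predicate = compile_filter(expr)
    return [p for p in packets if predicate(p)]


if __name__ == "__main__":
    for f in ("host 192.0.2.10", "net 192.0.2.0/24", "src net 192.0.2.0/24"):
        print(f"{f!r:28} -> {len(apply_filter(f))} packet(s)")
```

Note that the first filter keeps both directions of the conversation with 192.0.2.10, whereas prefixing "src" or "dst" narrows it to one direction, which is exactly the distinction the man page draws between "host" and "src host"/"dst host".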