Ethereal-users: RE: [Ethereal-users] capture filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Burgess, Jeffrey T" <jburgess@xxxxxxx>
Date: Mon, 3 May 2004 17:57:09 -0400
 The windows version of the docs wouldn't come up on windump...

 So do I put 'tcpdump host xxx.xxx.xxx.xxx' in the capture filter line?

 I tried 'ip host src or dst xxx.xxx.xxx.xxx' but it wouldn't parse it, got
an error...

 J~



-----Original Message-----
From: Guy Harris [mailto:gharris@xxxxxxxxx] 
Sent: Monday, May 03, 2004 5:44 PM
To: ethereal-users@xxxxxxxxxxxx
Cc: jburgess@xxxxxxx
Subject: Re: [Ethereal-users] capture filters

Burgess, Jeffrey T said:
> I'm now convinced the filter format is different from the display filter
set.

Yes, the Ethereal man page:

    http://www.ethereal.com/docs/man-pages/ethereal.1.html

is very convincing on that issue:

       Packet capturing is performed with the pcap library.  The capture
filter syntax follows the rules of the pcap library.  This syntax
is different from the display filter syntax.

>     I haven't found any good documentation on the capture filter.

The manual page also says

CAPTURE FILTER SYNTAX
       See the tcpdump(8) manual page.

If you're on Windows, that manual page can be found at

    http://windump.polito.it/docs/manual.htm

On UN*X, "man tcpdump" should show it to you, or you can see

    http://www.tcpdump.org/tcpdump_man.html

or

    http://www.ethereal.com/docs/man-pages/tcpdump.8.html

Look for the section starting with

        expression
              selects  which  packets  will  be  dumped.   If  no
              expression is given, all packets on the net will be
              dumped.   Otherwise, only packets for which expres-
              sion is `true' will be dumped.

Note, however, that new capabilities have been added to the filtering
language over time, so a given man page might describe stuff not available
in whatever version of libpcap Ethereal is using on your system, or might
not describe stuff that *is* available.

>     Can someone tell me how it should be formatted for example to
> capture data to and from a specific IP address,

In the "EXAMPLES" section of the tcpdump man page:

    To print all packets arriving at or departing from sundown:

        tcpdump host sundown

(the host can be a name or an IP address).

Note that this is a sample command line - "tcpdump" is the command, and
"host sundown" are the arguments to the command, giving the filter.  You
would use just "host sundown" with Ethereal - you would *not* put
"tcpdump" in there.

> and maybe to or from a specific subnet?

"net {network name}" if there's a name in the networks database for it,
or, at least with newer versions of libpcap/WinPcap, "net
XXX.XXX.XXX.XXX/NN", where XXX.XXX.XXX.XXX is the subnet address and NN is
the subnet mask (as a number of bits - the usual syntax).