Ethereal-users: Re: [Ethereal-users] ethereal 10.3

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Sun, 13 Jun 2004 17:11:05 +0100

On Sunday 13 Jun 2004 1:41 pm, Childs Rodney wrote:
> I recently downloaded a copy of your sniffer 10.3 and am attempting to
> evaluate it. For the life of me I can't figure out how to build a
> capture filter. Is there somewhere I can go to download a sample of a
> capture and a display filter?

First off, capture filters and display filters use completely different 
syntax. The capture filter is implemented in the libpcap library, and 
is optimised for speed. The display filter is implemented within 
Ethereal itself, and is more powerful.

The capture syntax is somewhat complex. It is described in detail on the
Ethereal web site. Otherwise search the archives of this list for
"capture filter"; it's a question that comes up very frequently.

As a starter, to filter packets to or from a given address:

capture:  ip host 123.4.5.6
display:   ip.addr == 123.4.5.6

-- 
Richard Urwin
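
What the starter capture filter above selects, as an added example that is not part of the original message: a Python emulation of the offset checks `ip host 123.4.5.6` performs on a raw Ethernet frame (IPv4 ethertype, then source or destination address). The function names and the sample frames are constructed for illustration.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def matches_ip_host(frame: bytes, host: str) -> bool:
    """Emulate the capture filter `ip host <host>` on one raw Ethernet frame."""
    want = socket.inet_aton(host)
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimal IPv4 header
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        # Not IPv4 at offset 12. An 802.1Q-tagged frame carries 0x8100 here,
        # so this plain check rejects it (libpcap has a `vlan` primitive for that).
        return False
    src, dst = frame[26:30], frame[30:34]
    return want in (src, dst)  # "host" means source OR destination


def build_frame(src_ip, dst_ip, ethertype=ETHERTYPE_IPV4, vlan_id=None) -> bytes:
    """Build a constructed Ethernet + IPv4 header (no payload, zero checksum)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


# Constructed sample frames, not taken from a real capture.
SAMPLES = {
    "from host": build_frame("123.4.5.6", "10.0.0.1"),
    "to host": build_frame("10.0.0.1", "123.4.5.6"),
    "other hosts": build_frame("10.0.0.1", "10.0.0.2"),
    "not IPv4": build_frame("123.4.5.6", "10.0.0.1", ethertype=ETHERTYPE_ARP),
    "VLAN tagged": build_frame("123.4.5.6", "10.0.0.1", vlan_id=100),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:12} -> {matches_ip_host(frame, '123.4.5.6')}")
```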