ddstock@xxxxxxx wrote:
> I have difficulty with tethereal filter syntax.
No, it's a problem with Tethereal's command-line syntax in general.
> When using tethereal, if
> I specify primitive 'host' followed by IP address, tethereal behaves
> correctly and captures packets only to/from that host. However if I
> specify additional command line options for tethereal, then the filter
> syntax fails and therefore the capture fails. Example :
>
>     tethereal host 192.168.1.100
>
> The above works fine. However the following variation with additional
> options fails :
>
>     tethereal host 192.168.32.131 -a filesize:10000 duration:15 -w ethcap1
>     tethereal: Unable to parse capture filter string (syntax error).
Yes, the filter expression
    host 192.168.32.131 -a filesize:10000 duration:15 -w ethcap1
is not syntactically valid; that's what you told Tethereal to use.
In UN*X command-line syntax (which is what Ethereal and Tethereal use,
even on Windows), a command consists of a command name, followed by zero
or more "flag" arguments, followed by zero or more non-flag arguments.
A "flag" argument is an argument beginning with "-", and followed by one
or more one-character flag names; if the flag takes a parameter, the token
after it will be used as the parameter for that flag argument, rather than
being treated as a flag or a non-flag argument. A flag takes only *one*
parameter, if it takes any at all.
The first argument that doesn't begin with a "-" is the first non-flag
argument, and it and *all* other arguments after it are non-flag
arguments.
Tethereal (like tcpdump) concatenates all its non-flag arguments, with
spaces between them, and uses that as the capture filter expression.
So
    tethereal host 192.168.1.100
has no flag arguments, and two non-flag arguments, which are concatenated
to form the capture filter expression "host 192.168.1.100", and
    tethereal host 192.168.32.131 -a filesize:10000 duration:15 -w ethcap1
*also* has no flag arguments, and 7 non-flag arguments, which are
concatenated to form the syntactically illegal capture filter expression
"host 192.168.32.131 -a filesize:10000 duration:15 -w ethcap1".
    tethereal -a filesize:10000 duration:15 -w ethcap1 host 192.168.32.131
has one flag argument, "-a filesize:10000", and 5 non-flag arguments; as
no "-w" argument was specified (remember, the first non-flag argument -
which is "duration:15" here; remember, a flag argument can take only one
parameter - ends the list of flag arguments, so "-w ethcap1" is two
non-flag arguments, not a flag argument), there is no file whose size
"filesize:10000" refers to, so it gets an error:
    tethereal: Maximum capture file size specified, but capture isn't
    being saved to a file.
However,
    tethereal -a filesize:10000 -a duration:15 -w ethcap1 host 192.168.32.131
has *three* flag arguments, "-a filesize:10000", "-a duration:15", and "-w
ethcap1", and two non-flag arguments, which are concatenated to form the
capture filter expression "host 192.168.32.131". That's probably what you
want.
(Perhaps this is not intuitively obvious, but it is, for better or worse,
The Way Things Work on UN*Xes, so it's not going to change.)
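To make the argument-splitting rule concrete, here is an added Python model (not Tethereal's own code) that applies the rule from the reply to the four command lines above: flags first, one parameter per flag, the first non-flag argument ends the flag list, and everything after it is joined into the capture filter. The flag table (only -a and -w) and the "filesize needs -w" check are assumptions that mirror only what the post states.

```python
import shlex

# Flags this toy parser knows; both take exactly one parameter.  Only -a and
# -w appear in the post; this table is an assumption of the example.
FLAGS_WITH_PARAM = {"-a", "-w"}

def parse_tethereal_args(argv):
    """Split argv (program name already removed) into (flags, capture_filter):
    flags is a list of (flag, parameter) pairs; capture_filter is every
    argument from the first non-flag argument onward, joined with spaces."""
    flags, i = [], 0
    while i < len(argv) and argv[i].startswith("-") and len(argv[i]) > 1:
        flag = argv[i]
        if flag in FLAGS_WITH_PARAM:
            if i + 1 >= len(argv):
                raise ValueError(f"option {flag} requires a parameter")
            flags.append((flag, argv[i + 1]))
            i += 2  # a flag consumes exactly one parameter, never more
        else:
            flags.append((flag, None))
            i += 1
    # Once the flag list has ended, "-w ethcap1" is just two more filter tokens.
    return flags, " ".join(argv[i:])

def check_autostop(flags):
    """Mirror the check quoted in the post: filesize autostop needs -w."""
    has_filesize = any(f == "-a" and p.startswith("filesize:") for f, p in flags)
    has_outfile = any(f == "-w" for f, _ in flags)
    if has_filesize and not has_outfile:
        return ("tethereal: Maximum capture file size specified, "
                "but capture isn't being saved to a file.")
    return None

def explain(command_line):
    """Describe how a full command line is parsed under the rules above."""
    flags, capture_filter = parse_tethereal_args(shlex.split(command_line)[1:])
    # Heuristic, not a BPF parser: a filter token beginning with "-" is a
    # misplaced option and will make the capture filter fail to parse.
    misplaced = [t for t in capture_filter.split() if t.startswith("-")]
    return {"flags": flags, "filter": capture_filter,
            "misplaced": misplaced, "error": check_autostop(flags)}

if __name__ == "__main__":
    for cmd in (
        "tethereal host 192.168.1.100",
        "tethereal host 192.168.32.131 -a filesize:10000 duration:15 -w ethcap1",
        "tethereal -a filesize:10000 duration:15 -w ethcap1 host 192.168.32.131",
        "tethereal -a filesize:10000 -a duration:15 -w ethcap1 host 192.168.32.131",
    ):
        print(cmd, explain(cmd), sep="\n  ")
```

Running it prints, for each of the four command lines, which tokens became flags and which text was handed to the capture-filter parser, so the difference between the failing and the working invocation is visible without a live capture.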