Ethereal-users: Re: [Ethereal-users] Capture filter - show only specific http get requests?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 18 Nov 2005 11:57:06 -0800
Jeff Davis wrote:

> Still trying to chase down virus-infected host(s)...
>
> Need to filter out specific http get requests for specific file names. Or should this be done in a display filter...

Capture filters have very limited capabilities (deliberately limited, so they can be implemented by small "programs" loaded into the kernel, with a simple checker in the kernel that can make sure the programs are safe; that way, packets can be discarded fairly close to the point of reception, so they're not processed further in the kernel, and not copied up to userland, saving a fair bit of CPU time). Looking for HTTP GET requests for specific file names would be difficult.

I'd suggest doing that in a display filter - or, perhaps, with an intrusion detection system such as Snort:

	http://www.snort.org/

which has a language for writing rules for matching packets; that language is presumably designed to allow faster matching than the Ethereal display filter matching (it's not as powerful as Ethereal's display-filter matching, as far as I know, but is probably faster), but to allow more capabilities than libpcap capture filters.

Ethereal's not designed to be, and not intended to be used as, an IDS. Snort is.
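As an added example (not code from this thread, from Ethereal or from Snort), the script below emulates, over a few constructed packets, the two filter types the reply contrasts: a libpcap/BPF capture filter, which can only load bytes at computed offsets and compare them, so it can match the literal "GET " at the start of the TCP payload but not a particular requested file; and a display filter, which runs after dissection and can test the parsed request URI. The file name "update.exe", the addresses and the sample requests are assumptions made up for the example; 0x47455420 is simply ASCII "GET ".

```python
"""Added example: what a BPF capture filter can check versus what an
Ethereal/Wireshark display filter can check, emulated over constructed
IPv4/TCP/HTTP frames. Not code from the Ethereal or Snort projects."""
import struct

GET_MAGIC = 0x47455420  # ASCII "GET "


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP segment carrying `payload` (checksums zero).
    Only the fields the filters read matter: IHL, IP protocol, TCP data offset."""
    assert len(tcp_options) % 4 == 0
    tcp_hdr_len = 20 + len(tcp_options)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                       # version 4, IHL = 5 words
        0, 20 + tcp_hdr_len + len(payload), # TOS, total length
        0, 0x4000, 64, 6, 0,                # ID, DF, TTL, proto TCP, csum
        bytes([10, 0, 0, 5]),               # made-up client address
        bytes([192, 0, 2, 10]),             # made-up server (TEST-NET-1)
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        49152, 80, 1, 1,                    # ports, seq, ack
        (tcp_hdr_len // 4) << 4,            # data offset in 32-bit words
        0x18, 65535, 0, 0,                  # PSH|ACK, window, csum, urg
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def capture_filter_get(frame: bytes) -> bool:
    """Emulates the classic tcpdump capture filter
         tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
    i.e. locate the TCP header, read its data-offset byte, jump to the first
    payload byte and compare four bytes. No parsing and no substring search,
    so it cannot tell WHICH file is being requested."""
    if len(frame) < 20 or (frame[0] >> 4) != 4 or frame[9] != 6:
        return False                         # not IPv4/TCP: "tcp" fails
    tcp = frame[(frame[0] & 0x0F) * 4:]
    off = (tcp[12] & 0xF0) >> 2              # header words * 4 = bytes
    if len(tcp) < off + 4:
        return False                         # out-of-range load rejects
    return struct.unpack("!I", tcp[off:off + 4])[0] == GET_MAGIC


def parse_http_request(frame: bytes):
    """Minimal dissection of the HTTP request line: (method, uri) or None."""
    tcp = frame[(frame[0] & 0x0F) * 4:]
    payload = tcp[(tcp[12] & 0xF0) >> 2:]
    line = payload.partition(b"\r\n")[0].split(b" ")
    if len(line) != 3 or not line[2].startswith(b"HTTP/"):
        return None
    return line[0].decode("ascii", "replace"), line[1].decode("ascii", "replace")


def display_filter_match(frame: bytes, filename: str) -> bool:
    """Emulates the display filter
         http.request.method == "GET" && http.request.uri contains <filename>
    which runs after dissection and therefore sees the parsed URI."""
    req = parse_http_request(frame)
    return req is not None and req[0] == "GET" and filename in req[1]


# Constructed sample traffic (hypothetical host and file names).
SAMPLES = {
    "suspect_get": build_frame(b"GET /dl/update.exe HTTP/1.1\r\nHost: h.invalid\r\n\r\n"),
    "benign_get": build_frame(b"GET /index.html HTTP/1.1\r\nHost: h.invalid\r\n\r\n"),
    "post_same_path": build_frame(b"POST /dl/update.exe HTTP/1.1\r\nHost: h.invalid\r\n\r\n"),
    # TCP timestamp option (NOP NOP kind=8 len=10) shifts the payload by 12 bytes.
    "get_tcp_options": build_frame(b"GET /dl/update.exe HTTP/1.1\r\n\r\n",
                                   tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
}


def triage(filename: str) -> dict:
    """For each sample: (capture filter matched?, display filter matched?)."""
    return {n: (capture_filter_get(f), display_filter_match(f, filename))
            for n, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bpf, disp) in triage("update.exe").items():
        print(f"{name:16s} capture(GET)={bpf!s:5s} display(GET update.exe)={disp}")
```

Run against a live interface or a saved trace, the same two checks are `tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'` (cuts the trace down to GET requests before it leaves the kernel, but still lets every GET through) and `tshark -r trace.pcap -Y 'http.request.method == "GET" && http.request.uri contains "update.exe"'` (does the file-name test after dissection). The Snort equivalent, which also runs in userland but over a rule language built for this, is a rule of the form `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GET update.exe"; flow:to_server,established; content:"GET"; http_method; content:"/update.exe"; http_uri; sid:1000001; rev:1;)`, with the sid chosen from the local range; the file name and sid here are placeholders.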