Wireshark-users: Re: [Wireshark-users] [Ethereal-users] tethereal capture filter for multiple por
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 21 Aug 2006 15:33:11 -0700
On Aug 21, 2006, at 10:13 AM, Tom wrote:
> -------------------
> The Ethereal project is being continued at a new site. Please go to
> http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxx .
> Don't forget to unsubscribe from this list at
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -------------------
>
> Hi,
>
> I am looking for the tethereal capture filter syntax for capturing multiple ports (2 to 5 ports).
Well, tethereal's not being developed any more (as per the above), but TShark is what it was renamed to, and the answer is the same for both.
> With the following command, I am NOT able to capture packets:
> (Note: it says it is capturing but it is actually not capturing)
>
> [root@root]# tethereal -f "(port 5060) and (port 8688)" -w test13.cap
> Capturing on eth0
How do you know it's not capturing? The fact that it doesn't print anything only proves it's not capturing if you have traffic on your network that's going between ports 5060 and 8688. If you have traffic going *to* port 5060 but not coming *from* port 5060 or port 8688, or coming *from* port 5060 but not going *to* port 5060 or port 8688, or going *to* port 8688 but not coming *from* port 5060 or port 8688, or coming *from* port 8688 but not going *to* port 5060 or port 8688, that filter will *not* capture it.
"And" means "and" in the sense of "the packet is going to or coming from port 5060 *and* the *SAME* packet is coming from or going to port 8688". "port X and port Y" doesn't mean "capture traffic to or from port X and also capture traffic to or from port Y", it means "capture a packet that is, at the same time, going to or coming from port X and coming from or going to port Y".
If you want to capture traffic to or from port X and also capture traffic to or from port Y, that's traffic that's coming from or going to port X *OR* coming from or going to port Y, so the filter for *that* would be
port 5060 or port 8688
> The following is a syntax error:
>
> [root@root]# tethereal -f "(port 5060)" and "(port 8688)" -w test15.cap
The "-f" flag takes the next command-line token as the filter expression; all subsequent command-line tokens are *NOT* part of the filter. Thus, the argument to "-f" is "(port 5060)", and the "and" and "(port 8688)" are treated as extra arguments - and extra arguments to tshark (and tethereal) are glued together and treated as a capture filter, so that's "and (port 8688)", which isn't valid.
TShark needs to catch the case where you have "-f" *and* have extra arguments, and complain about that. (And tcpdump needs to print something more meaningful than "syntax error" in that case.)
In addition, the tshark *manual* needs to more clearly document that

    tshark port 5060 or port 8688

captures with "port 5060 or port 8688" as a capture filter.
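The two points in the reply above, that "port X and port Y" keeps only packets touching *both* ports while "port X or port Y" keeps packets touching *either*, and that everything after the single token following "-f" is glued into a second filter, can be checked without a live interface. The following is an added example written for this page; it is not code from the mailing-list post or from the Wireshark/tethereal project. It implements a tiny evaluator for the "port N", "and", "or" and parentheses subset of the capture-filter grammar, runs the two filters from the thread over constructed sample packets, and models the argv handling the reply describes with a deliberately simplified rule (only "-f", "-w" and "-i" take a value; everything else is a leftover), which is an assumption of the example and not the real option parser.

```python
import shlex

# Constructed sample packets for the demonstration (not from the post): (name, src port, dst port)
SAMPLE_PACKETS = [
    ("SIP INVITE to proxy", 49152, 5060),
    ("SIP reply from proxy", 5060, 49152),
    ("app client to 8688", 40000, 8688),
    ("5060 talking to 8688", 5060, 8688),
    ("unrelated HTTP", 50000, 80),
]

def tokenize(expr):
    # Subset of capture-filter syntax handled here: parentheses, "and", "or", "port N".
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    for tok in tokens:
        if tok not in ("(", ")", "and", "or", "port") and not tok.isdigit():
            raise SyntaxError(f"syntax error near {tok!r}")
    return tokens

class _Parser:
    # Recursive descent with pcap precedence ("and" binds tighter than "or"); every
    # expression becomes a predicate (src_port, dst_port) -> bool.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def expect(self, tok):
        if self.peek() != tok:
            raise SyntaxError(f"syntax error: expected {tok!r}, got {self.peek()!r}")
        self.i += 1

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.i += 1
            right = self.parse_and()
            left = lambda s, d, a=left, b=right: a(s, d) or b(s, d)
        return left

    def parse_and(self):
        left = self.parse_primary()
        while self.peek() == "and":
            self.i += 1
            right = self.parse_primary()
            # "a and b": the SAME packet must satisfy both sides.
            left = lambda s, d, a=left, b=right: a(s, d) and b(s, d)
        return left

    def parse_primary(self):
        if self.peek() == "(":
            self.i += 1
            inner = self.parse_or()
            self.expect(")")
            return inner
        self.expect("port")
        num = self.peek()
        if num is None or not num.isdigit():
            raise SyntaxError(f"syntax error: expected a port number, got {num!r}")
        self.i += 1
        # "port N" is true when EITHER the source or the destination port is N.
        return lambda s, d, n=int(num): s == n or d == n

def compile_filter(expr):
    parser = _Parser(tokenize(expr))
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise SyntaxError(f"syntax error near {parser.peek()!r}")
    return pred

def is_valid_filter(expr):
    try:
        compile_filter(expr)
    except SyntaxError:
        return False
    return True

def matching_packets(expr, packets=SAMPLE_PACKETS):
    # Names of the sample packets that the capture filter would keep.
    pred = compile_filter(expr)
    return [name for name, src, dst in packets if pred(src, dst)]

# Simplified model of how tshark/tethereal read argv (an assumption made for this example, not the
# real option parser): "-f", "-w" and "-i" consume exactly the next token; every token that belongs
# to no option is a leftover, and the leftovers are glued together into a second filter string.
_OPTIONS_WITH_VALUE = {"-f", "-w", "-i"}

def split_command_line(command_line):
    # Returns (argument given to -f, leftover arguments joined by spaces).
    argv, explicit, leftovers, i = shlex.split(command_line)[1:], None, [], 0
    while i < len(argv):
        if argv[i] in _OPTIONS_WITH_VALUE:
            if argv[i] == "-f":
                explicit = argv[i + 1]
            i += 2
        else:
            leftovers.append(argv[i])
            i += 1
    return explicit, " ".join(leftovers)
```

Running `matching_packets("(port 5060) and (port 8688)")` over the sample set keeps only the single packet whose endpoints are 5060 and 8688, while `matching_packets("port 5060 or port 8688")` keeps every packet touching either port; `split_command_line` applied to the second command from the thread hands `-f` the string `(port 5060)` and leaves `and (port 8688)` over, which `is_valid_filter` rejects, matching the "syntax error" in the post.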