Lucent Technologies Ethereal Network Card User Manual


 
4.8. Filtering while capturing
Ethereal uses the libpcap filter language for capture filters. This is explained in the tcpdump man
page, which can be hard to understand, so it's explained here to some extent.
Tip!
You will find a lot of Capture Filter examples at http://wiki.ethereal.com/CaptureFilters.
You enter the capture filter into the Filter field of the Ethereal Capture Options dialog box, as shown
in Figure 4.2, “The "Capture Options" dialog box”. The following is an outline of the syntax of the
tcpdump capture filter language. See the expression option at the tcpdump manual page for details:
http://www.tcpdump.org/tcpdump_man.html.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a particular host”.
Example 4.1. A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host 10.0.0.5
This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.
Example 4.2. Capturing all telnet traffic not from 10.0.0.5
tcp port 23 and not host 10.0.0.5
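The following is an added example, not part of the Ethereal User's Guide, that evaluates the filter grammar above (primitives joined by and/or, each optionally preceded by not, with libpcap's precedence of not over and over or) against a few constructed packet records. It also shows a caveat worth checking in your own filters: Example 4.2 uses not host, which drops packets to and from 10.0.0.5 in both directions, whereas not src host drops only those sent by it.

```python
"""Evaluate the capture-filter subset described above over constructed packets.
Primitives: [src|dst] host <ip>, [tcp|udp] [src|dst] port <n>, bare tcp/udp.
Precedence follows libpcap: not binds tightest, then and, then or."""

def _primitive(tokens, i):
    """Parse one primitive at tokens[i]; return (predicate, index after it)."""
    direction = proto = None
    if tokens[i] in ("tcp", "udp"):
        proto, i = tokens[i], i + 1
        if i == len(tokens) or tokens[i] in ("and", "or"):   # bare "tcp" / "udp"
            return (lambda p: p["proto"] == proto), i
    if i < len(tokens) and tokens[i] in ("src", "dst"):
        direction, i = tokens[i], i + 1
    if i + 1 >= len(tokens):
        raise ValueError("incomplete primitive")
    if tokens[i] == "host":
        addr = tokens[i + 1]
        fields = {"src": ("src",), "dst": ("dst",)}.get(direction, ("src", "dst"))
        return (lambda p: (proto is None or p["proto"] == proto)
                and any(p[f] == addr for f in fields)), i + 2
    if tokens[i] == "port":
        port = int(tokens[i + 1])
        fields = {"src": ("sport",), "dst": ("dport",)}.get(direction, ("sport", "dport"))
        return (lambda p: (proto is None or p["proto"] == proto)
                and any(p[f] == port for f in fields)), i + 2
    raise ValueError(f"unsupported primitive at token {i}: {tokens[i]!r}")

def compile_filter(expr):
    """Compile '[not] primitive [and|or [not] primitive ...]' into a predicate."""
    tokens, i = expr.split(), 0
    clauses, current = [], []          # clauses are OR-ed; each clause is AND-ed
    while i < len(tokens):
        negate = False
        while i < len(tokens) and tokens[i] == "not":
            negate, i = not negate, i + 1
        pred, i = _primitive(tokens, i)
        current.append(lambda p, f=pred, n=negate: f(p) != n)   # != applies "not"
        if i < len(tokens):
            if tokens[i] == "or":
                clauses.append(current)
                current = []
            elif tokens[i] != "and":
                raise ValueError(f"expected and/or, got {tokens[i]!r}")
            i += 1
    clauses.append(current)
    return lambda p: any(all(f(p) for f in c) for c in clauses)

SAMPLE_PACKETS = [  # constructed sample records, not a real capture
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 40001, "dport": 23},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 23, "dport": 40001},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40002, "dport": 23},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 5353, "dport": 53},
]

def matching(expr, packets=SAMPLE_PACKETS):
    """Return the indexes of the sample packets the capture filter would keep."""
    keep = compile_filter(expr)
    return [i for i, p in enumerate(packets) if keep(p)]
```

Run matching("tcp port 23 and not host 10.0.0.5") and matching("tcp port 23 and not src host 10.0.0.5") side by side to see the difference between the two negations.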
XXX - add examples to the following list.
A primitive is simply one of the following:
[src|dst] host <host> This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.
ether [src|dst] host <ehost> This primitive allows you to filter on Ethernet host addresses.
Capturing Live Network Data