Filtering while capturing, Section 4.8 – Lucent Technologies Ethereal User Manual
4.8. Filtering while capturing

Ethereal uses the libpcap filter language for capture filters. This is explained in the tcpdump man
page, which can be hard to understand, so it's explained here to some extent.

Tip!

You will find a lot of Capture Filter examples at http://wiki.ethereal.com/CaptureFilters.

You enter the capture filter into the Filter field of the Ethereal Capture Options dialog box, as shown in Figure 4.2, “The "Capture Options" dialog box”. The following is an outline of the syntax of the tcpdump capture filter language. See the expression option at the tcpdump manual page for details: http://www.tcpdump.org/tcpdump_man.html.

A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

[not] primitive [and|or [not] primitive ...]

An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a particular host”.

Example 4.1. A capture filter for telnet that captures traffic to and from a particular host

tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.

Example 4.2. Capturing all telnet traffic not from 10.0.0.5

tcp port 23 and not host 10.0.0.5

XXX - add examples to the following list.

A primitive is simply one of the following:

[src|dst] host <host>

This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

ether [src|dst] host <ehost>

This primitive allows you to filter on Ethernet host addresses.
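As an added illustration, not code from the Ethereal manual or from libpcap itself, the following Python evaluator implements the grammar outlined above (`[not] primitive [and|or [not] primitive ...]`) together with the primitives listed so far (`[src|dst] host`, `ether [src|dst] host`) and `tcp port`, which Examples 4.1 and 4.2 use. It applies the same precedence as tcpdump (not binds tighter than and, which binds tighter than or) and runs the filters over constructed packet records so you can see which packets each filter keeps. The packet field names (src, dst, ether_src, ether_dst, proto, sport, dport) and the sample traffic are this example's own assumptions. The third filter in the demo makes a caveat visible that matters when writing filters like Example 4.2: `not host 10.0.0.5` drops traffic in both directions, while `not src host 10.0.0.5` drops only the packets sent by that host.

```python
# Packets are plain dicts; the field names (src, dst, ether_src, ether_dst,
# proto, sport, dport) are this example's own convention, not libpcap's.

def _host_pred(direction, src_f, dst_f, value):
    """Match `value` against the source, destination, or either address field."""
    value = value.lower()
    if direction == "src":
        return lambda p: str(p.get(src_f, "")).lower() == value
    if direction == "dst":
        return lambda p: str(p.get(dst_f, "")).lower() == value
    # No src/dst qualifier: the address may appear on either side.
    return lambda p: value in (str(p.get(src_f, "")).lower(), str(p.get(dst_f, "")).lower())


class _Parser:
    """Recursive descent over  [not] primitive [and|or [not] primitive ...]
    As in tcpdump, 'not' binds tighter than 'and', and 'and' tighter than 'or'."""

    def __init__(self, text):
        self.toks = text.split()
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def expr_or(self):
        left = self.expr_and()
        while self.peek() == "or":
            self.take("or")
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self.expr_and())
        return left

    def expr_and(self):
        left = self.expr_not()
        while self.peek() == "and":
            self.take("and")
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self.expr_not())
        return left

    def expr_not(self):
        if self.peek() == "not":
            self.take("not")
            inner = self.expr_not()
            return lambda p: not inner(p)
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok == "ether":                         # ether [src|dst] host <ehost>
            direction = self.take() if self.peek() in ("src", "dst") else ""
            self.take("host")
            return _host_pred(direction, "ether_src", "ether_dst", self.take())
        if tok in ("src", "dst"):                  # src host <host> / dst host <host>
            self.take("host")
            return _host_pred(tok, "src", "dst", self.take())
        if tok == "host":                          # host <host>
            return _host_pred("", "src", "dst", self.take())
        if tok == "tcp":                           # tcp port <n>: N as source or destination port
            self.take("port")
            port = int(self.take())
            return lambda p: p.get("proto") == "tcp" and port in (p.get("sport"), p.get("dport"))
        raise ValueError(f"unsupported primitive starting with {tok!r}")


def compile_filter(text):
    """Turn a capture-filter string into a predicate over packet dicts."""
    return _Parser(text).parse()


def select(text, packets):
    """Indices of the packets the capture filter would have kept."""
    pred = compile_filter(text)
    return [i for i, p in enumerate(packets) if pred(p)]


# Constructed sample traffic for the example (not real captured data).
SAMPLE = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 40001, "dport": 23,
     "ether_src": "00:11:22:33:44:55", "ether_dst": "00:11:22:33:44:99"},  # telnet from .5
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 23, "dport": 40001},  # telnet to .5
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40002, "dport": 23},  # telnet from .7
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp", "sport": 5000, "dport": 53},   # DNS from .5
    {"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp", "sport": 40003, "dport": 80},  # HTTP to .5
]

if __name__ == "__main__":
    for f in ("tcp port 23 and host 10.0.0.5",           # Example 4.1
              "tcp port 23 and not host 10.0.0.5",       # Example 4.2: drops both directions of .5
              "tcp port 23 and not src host 10.0.0.5"):  # drops only telnet sent by .5
        print(f"{f:40} -> packets {select(f, SAMPLE)}")
```

The evaluator only mirrors the selection semantics; a real capture filter is compiled by libpcap into BPF and applied in the kernel before packets reach Ethereal. To inspect what libpcap makes of a filter without capturing anything, `tcpdump -d '<filter>'` prints the compiled packet-matching program.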

Capturing Live Network Data

72
