Ethereal-dev: Re: [ethereal-dev] filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 17 Sep 1999 10:51:41 -0700 (PDT)

> I'm running Linux Redhat 5.2 - just grabbed the latest version
> posted, compiled, and it runs alright - but it won't take any filters -
> it always says "filter parse error" why? I read the docs - the filter
> definition of "udp" should capture udp and "udp.port==47321 ||
> udp.port==47322" should work, right?

Nope.

That's the right syntax for a *display* filter, which limits the display
of an already-captured trace to UDP packets, or only to UDP packets to
or from ports 47321 and 47322.

However, for better or worse, right now we use "libpcap" to do packet
capture, and it has its own filter-expression parser, with a different
syntax, so the syntax for *capture* filters, which limit what packets
are put into a trace while it's being captured, is different.

The syntax is that of "tcpdump" (because "tcpdump" also uses "libpcap" -
"libpcap" is basically the packet-capture and trace-reading guts of
pre-"libpcap" "tcpdump" turned into a library).

The capture-filter equivalent of the display filter "udp" is just "udp"
- which works fine with the Ethereal I have, on Solaris 2.5.1, with a
"libpcap" whose filter parser is just the standard "libpcap" 0.4 filter
parser - but the capture-filter equivalent of

	udp.port == 47321 || udp.port == 47322

is

	udp port 47321 || udp port 47322

which also works here, at least.
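
The rewrite shown in the message, as an added example that is not part of the original post or of Ethereal: a pre-flight check that spots display-filter syntax in a string meant for libpcap and translates simple port comparisons into capture-filter form. It goes beyond the one case in the message by also covering tcp.port and the srcport/dstport fields; the function names and the field table are assumptions of this example.

```python
import re

# Display-filter port fields and their libpcap/tcpdump capture-filter primitives.
# Only port fields are covered; this table is an assumption of the example.
PORT_FIELDS = {
    "udp.port": "udp port",
    "udp.srcport": "udp src port",
    "udp.dstport": "udp dst port",
    "tcp.port": "tcp port",
    "tcp.srcport": "tcp src port",
    "tcp.dstport": "tcp dst port",
}

# "udp.port==47321" or "udp.port == 47321": a dotted field compared to an integer.
PORT_TEST = re.compile(r"\b([a-z]+\.[a-z]+)\s*==\s*(\d+)(?![\w.])")
# A dotted field name followed by a comparison operator is display-filter syntax.
# A bare dotted hostname ("host www.example.com") is not flagged.
DISPLAY_SYNTAX = re.compile(
    r"\b[a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+\s*(?:==|!=|>=|<=|>|<)"
)


def looks_like_display_filter(expr: str) -> bool:
    """True if expr contains field-comparison syntax libpcap will not parse."""
    return DISPLAY_SYNTAX.search(expr) is not None


def to_capture_filter(expr: str) -> str:
    """Rewrite port comparisons as capture-filter primitives, or raise ValueError."""
    def translate(match):
        field, port = match.group(1), int(match.group(2))
        if field not in PORT_FIELDS:
            raise ValueError(f"no capture-filter equivalent known for {field!r}")
        if port > 65535:
            raise ValueError(f"port {port} is out of range")
        return f"{PORT_FIELDS[field]} {port}"

    translated = PORT_TEST.sub(translate, expr)
    # Anything still in field-comparison form was not understood: refuse it
    # rather than hand libpcap a string that ends in a parse error.
    if looks_like_display_filter(translated):
        raise ValueError(f"untranslated display-filter syntax in {translated!r}")
    return " ".join(translated.split())


if __name__ == "__main__":
    # The two filters from the message above.
    for sample in ("udp", "udp.port==47321 || udp.port==47322"):
        print(f"{sample!r} -> {to_capture_filter(sample)!r}")
```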