Ethereal-dev: Re: [ethereal-dev] Syntax for capture filter (Truth in advertising?)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Gilbert Ramirez Jr." <gram@xxxxxxxxxx>
Date: Mon, 19 Jun 2000 15:28:07 -0400
On Mon, Jun 19, 2000 at 06:09:57PM +0100, Ben Fowler wrote:
> At 08:56 AM 6/19/00, Guy Harris wrote:
> >On Mon, Jun 19, 2000 at 07:31:50AM +0100, Ben Fowler wrote:
> > > That is very helpful. I saw this note (earlier) and restarted ethereal
> > > to try again before posting; but it still didn't work.
> >
> >If it doesn't work, then either
> >
> >         1) Ethereal isn't linked with the same version of libpcap that
> >            tcpdump is, and the version of libpcap with which it's linked
> >            has a bug in its capture-filter parser
> >
> >or
> >
> >         2) somehow your version of Ethereal isn't passing the filter
> >            string correctly to "pcap_compile()" in libpcap
> 
> 
> The operative cause of the problem was that I had
>        tcp port 80 OR tcp port 3128
> in the filters dialogue, and this was sufficient to
> prevent the filter working, without unfortunately alerting
> me to the problem
> 
> Since compatibility with tcpdump is a useful feature and starting
> point, I am not suggesting that case sensitivity be changed;
> but it might be an idea to add a note in the documentation,
> as upper case for logical operators seems natural.

But the point is that Ethereal just passes the capture filter string to
libpcap, in the same way that tcpdump does. So as long as Ethereal and
tcpdump are using the same libpcap (see Guy's #1 above), Ethereal will have
"compatibility with tcpdump". Now, if Guy's #2 above is somehow correct,
then we do have a problem to fix.

--gilbert