Ethereal-dev: Re: [ethereal-dev] Syntax for capture filter (Truth in advertising?)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 19 Jun 2000 13:07:32 -0700 (PDT)

> The operative cause of the problem was that I had
>        tcp port 80 OR tcp port 3128
> in the filters dialogue, and this was sufficient to
> prevent the filter working, without unfortunately alerting
> me to the problem.
> 
> Since compatibility with tcpdump is a useful feature and starting
> point,

If "tcp port 80 OR tcp port 3128" gets an error from Ethereal, it *IS*
compatible with tcpdump, at least in the version we have here, which is
essentially standard tcpdump 3.4 and libpcap 0.4:

	tooting# tcpdump -i hme0 'tcp port 80 OR tcp port 3128'
	tcpdump: parse error
	tooting# tcpdump -i hme0 'tcp port 80 or tcp port 3128'
	tcpdump: listening on hme0

This is, as per my earlier mail, not surprising, given that neither
Ethereal nor tcpdump parses capture filter expressions - they both just
pass them on to the same routine in libpcap, "pcap_compile()".

Perhaps the tcpdump you have is linked with a libpcap library that
*does* allow upper-case Boolean operators, in which case, to make
Ethereal compatible with it, you'd need to link Ethereal with that
library as well.