On Thu, Aug 12, 1999 at 10:53:47AM -0500, Paul L. Lussier wrote:
> Hi all,
>
> I'm playing around with ethereal, and just trying to get used to it. However,
> I apparently don't quite understand how to write effective filters.
>
> For example, I wanted to snoop myself telnetting from my laptop to my Sun.
> If I use 'tcp port 23' as a filter, I see all that gets sent from the Sun, but
> nothing that gets sent from the laptop. So, I'm assuming that telnet is going
> out on a different port than 23. So I tried to modify the filter to be things
> like:
>
>     tcp port >= 23 and tcp port <= 1024
>     tcp port > 22
>
> and other various things, and each returns the error:
>
>     Unable to parse filter string!

Remember, capture filters use tcpdump-like filters. The manpage for
tcpdump says that

    port 23

should do what you want. It will capture packets that are going to
or coming from port 23 (tcp or udp).

Display filters (for filtering _after_ you have captured) use
a different syntax, which is explained in the ethereal manpage. In
that case,

    tcp.port == 23

would filter what you want to see.

Yes, it is unfortunate that there are 2 filter languages. But until
we move from libpcap or provide some sort of translation facility,
we're stuck with 2 separate syntaxes.

--gilbert
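
The matching rules described in the reply above, as an added example that is not part of the original message or of ethereal/libpcap: it parses constructed IPv4 packets and applies the same tests as `port 23`, `tcp port 23` and `tcp.port == 23`. The function names, addresses and port numbers other than 23 are assumptions made for the illustration, and the packets are assumed to be unfragmented.

```python
import struct

TCP, UDP = 6, 17

def ipv4_packet(proto, sport, dport, ihl=5):
    """Constructed IPv4 header (ihl 32-bit words) plus the 4 port bytes of TCP/UDP."""
    options = b"\x01" * ((ihl - 5) * 4)          # NOP options when ihl > 5
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 4,
                         0, 0, 64, proto, 0,     # checksum left 0: sample data only
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + struct.pack("!HH", sport, dport)

def parse_ports(pkt):
    """Return (proto, sport, dport) for an IPv4 TCP/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl_bytes = (pkt[0] & 0x0F) * 4              # header length varies with options
    if pkt[9] not in (TCP, UDP) or ihl_bytes < 20 or len(pkt) < ihl_bytes + 4:
        return None
    return (pkt[9],) + struct.unpack_from("!HH", pkt, ihl_bytes)

def capture_port(pkt, port, proto=None):
    """Capture filter 'port N' (proto=None) or 'tcp port N' (proto=TCP)."""
    parsed = parse_ports(pkt)
    if parsed is None or (proto is not None and parsed[0] != proto):
        return False
    return port in parsed[1:]                    # source OR destination port

def display_tcp_port(pkt, port):
    """Display filter 'tcp.port == N': TCP only, either port."""
    return capture_port(pkt, port, proto=TCP)

# Constructed telnet session: the laptop uses ephemeral port 1055 (assumed),
# the Sun listens on 23. The other two packets are unrelated traffic.
SAMPLES = {
    "laptop->sun": ipv4_packet(TCP, 1055, 23),
    "sun->laptop": ipv4_packet(TCP, 23, 1055, ihl=6),
    "udp to 23": ipv4_packet(UDP, 4000, 23),
    "web": ipv4_packet(TCP, 1056, 80),
}

def matches(predicate):
    """Names of the sample packets the predicate accepts, sorted."""
    return sorted(name for name, pkt in SAMPLES.items() if predicate(pkt))

if __name__ == "__main__":
    print("port 23        ->", matches(lambda p: capture_port(p, 23)))
    print("tcp port 23    ->", matches(lambda p: capture_port(p, 23, TCP)))
    print("tcp.port == 23 ->", matches(lambda p: display_tcp_port(p, 23)))
```

Both directions of the session match because one endpoint of every packet is port 23; only the bare `port 23` form also picks up the UDP packet.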