> > If you used a read filter, you *have* learned the display filter
> > language, because read filters use the display filter language, not the
> > "tcpdump" capture filter language.
>
> Hmmm....I was sure I was doing this from the command line, so I guess I
> was using the display filter language without realizing it.
Yes, you can either do
-R <display filter expression>
from the command line, along with "-r <file name>", or you can specify
the read filter in the "Open Capture File" dialog box.
> Are they really that close to each other? E.g., does "host foo and [host]
> bar" work for both display and capture filtering?
No.
If you're starting a capture from the command line with the "-k" flag
(and the "-i" flag to specify the interface - we currently require that,
rather than defaulting to the first interface in the interface list),
you can specify a capture filter on the command line with the "-f" flag.
However, if you've specified a capture filter, there's nothing you can
do in Ethereal to see the packets it rejected - Ethereal doesn't have
those packets to display.
In addition, if you're reading an existing capture file with "-r",
rather than doing a capture from the command line, the capture filter
has no effect.
> That's perfectly fine. About the only time I use tcpdump any more is
> when I'm telnetted into a remote machine and need to do a packet capture
> on that machine's LAN. (I capture to a dump file and then use Ethereal
> locally to analyze it.)
Eventually, there may be a "line-mode" version of Ethereal, that would
probably behave somewhat like "tcpdump" or "snoop".
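Because the two filter languages differ, as the reply above says, here is an added example (not code from this thread or from Ethereal) of a small Python translator from a handful of tcpdump-style capture-filter primitives into Ethereal display-filter syntax, plus a check for the narrow overlap where the same text is accepted by both. The supported primitives, the field names chosen, and the overlap set are assumptions of the example, not a complete description of either language.

```python
import re

# Constructed mapping from a subset of tcpdump/BPF capture-filter primitives
# to display-filter terms (assumption: only these primitives are handled).
_PRIMITIVES = [
    (re.compile(r"^src host (\S+)$"), lambda m: f"ip.src == {m.group(1)}"),
    (re.compile(r"^dst host (\S+)$"), lambda m: f"ip.dst == {m.group(1)}"),
    (re.compile(r"^host (\S+)$"),     lambda m: f"ip.addr == {m.group(1)}"),
    (re.compile(r"^net (\S+)$"),      lambda m: f"ip.addr == {m.group(1)}"),
    (re.compile(r"^(tcp|udp) port (\d+)$"),
     lambda m: f"{m.group(1)}.port == {m.group(2)}"),
    (re.compile(r"^port (\d+)$"),
     lambda m: f"(tcp.port == {m.group(1)} || udp.port == {m.group(1)})"),
    (re.compile(r"^(ip|tcp|udp|icmp|arp)$"), lambda m: m.group(1)),
]
# Boolean operators: capture filters use the words, display filters accept
# the symbolic forms used here.
_OPERATORS = {"and": "&&", "or": "||", "not": "!", "(": "(", ")": ")"}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def capture_to_display(expr):
    """Translate a capture-filter expression into display-filter syntax.
    Raises ValueError for any primitive outside the supported subset."""
    out, buf = [], []

    def flush():  # turn the buffered words into one primitive
        if not buf:
            return
        prim = " ".join(buf)
        for pat, conv in _PRIMITIVES:
            m = pat.match(prim)
            if m:
                out.append(conv(m))
                buf.clear()
                return
        raise ValueError(f"unsupported capture-filter primitive: {prim!r}")

    for tok in _TOKEN.findall(expr):
        if tok in _OPERATORS:
            flush()
            out.append(_OPERATORS[tok])
        else:
            buf.append(tok)
    flush()
    return " ".join(out)

# Assumption: the only text accepted unchanged by both languages in this
# example is bare protocol names joined with and/or/not and parentheses.
_SHARED = {"ip", "tcp", "udp", "icmp", "arp", "and", "or", "not", "(", ")"}

def works_in_both(expr):
    """True if every token lies in the shared subset, i.e. the expression
    means the same thing as a capture filter and as a display filter."""
    return all(tok in _SHARED for tok in _TOKEN.findall(expr))
```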