On Mon, Apr 23, 2001 at 09:51:42PM -0400, Mike wrote:
> Let me start off by saying Ethereal is a great piece of software...I
> was just wondering if anyone else has noticed the rather buggy Capture
> Filter? Entering an expression string like you would at the command line
> with tcpdump causes some problems at times.

Entering the expression string where? On the command line, with the
"-f" flag? Or in the "Filter:" text entry box in the "Capture
Preferences" dialog box? Or in the "Filter string:" text entry box in
the "Edit Capture Filter List" dialog box?

And what are the problems?

> I made a mistake entering a
> filter string...fixed the mistake but Ethereal wouldn't take it. After I
> closed and re-opened the program it worked just fine. Is this being
> addressed?

If you mean that you entered an incorrect capture filter expression in
the "Filter:" text entry box in the "Capture Preferences" dialog box,
tried to start a capture, got an error message box, dismissed the error
message box, fixed the filter expression, and then got an error message
box complaining about the filter expression when you tried to start a
capture, yes, this has been addressed...

...in libpcap 0.6.2; it's not a bug in Ethereal, it's a bug in the
libpcap library, and Ethereal can't work around it.

The bug is that the filter expression parser in libpcap doesn't properly
clear out the lexical analyzer when it encounters an error; this may
leave some junk around for it to read next time it's called, so that,
instead of seeing just the new filter expression, it sees the left-over
junk followed by the new filter expression, and thus probably sees what
looks like a bad filter expression.

It doesn't show up in tcpdump because tcpdump isn't interactive, and
if the filter expression given to tcpdump is bad, tcpdump exits, rather
than letting you type in a new filter expression. It shows up in
Ethereal because you can do more than one capture in one instance of
Ethereal.
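
A minimal C model of the failure mode described in the message above, added here as an illustration; it is not libpcap or Ethereal code. The toy grammar (`port <digits>`) and the names `pending`, `next_token`, `compile_filter` and `session` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not libpcap code: lexer input that outlives one parse call. */
static char pending[256];

/* Pull the next space-delimited token off the front of `pending`.
 * `tok` must be at least sizeof pending bytes. Returns 0 at end of input. */
static int next_token(char *tok)
{
    size_t start = strspn(pending, " ");
    size_t n = strcspn(pending + start, " ");
    if (n == 0)
        return 0;
    memcpy(tok, pending + start, n);
    tok[n] = '\0';
    memmove(pending, pending + start + n, strlen(pending + start + n) + 1);
    return 1;
}

/* Toy grammar: "port <digits>". Returns 0 if accepted, -1 on a syntax error.
 * With reset_on_error == 0, an error returns without discarding unread input,
 * so the next call parses the left-over junk followed by the new expression. */
static int compile_filter(const char *expr, int reset_on_error)
{
    char tok[sizeof pending];
    size_t used = strlen(pending);
    int ok;

    snprintf(pending + used, sizeof pending - used, "%s", expr);
    ok = next_token(tok) && strcmp(tok, "port") == 0
      && next_token(tok) && strspn(tok, "0123456789") == strlen(tok)
      && !next_token(tok);              /* nothing may follow the number */
    if (ok || reset_on_error)
        pending[0] = '\0';
    return ok ? 0 : -1;
}

/* One interactive session: a mistyped filter, then the corrected one.
 * Returns the result for the corrected filter. */
static int session(int reset_on_error)
{
    pending[0] = '\0';                           /* fresh process */
    compile_filter("prot 80", reset_on_error);   /* typo, rejected either way */
    return compile_filter("port 80", reset_on_error);
}

int main(void)
{
    printf("stale lexer state: %d\n", session(0));
    printf("reset on error:    %d\n", session(1));
    return 0;
}
```

Without the reset, the corrected filter keeps failing until the state is cleared by starting over, which matches the behaviour reported in the quoted message.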