> I'm trying to figure out how to use ethereal. I know,
> point and click...but I'm trying to set up filters
> to only look at a specific IP address and I can't seem
> to get it to work. I create a capture filter called
> yahoo and use a string as ip.addr == x.x.x.x
>
> When I try to use the filter I get a parse error.
>
> Any ideas what I'm doing wrong?

What you're doing wrong is assuming that capture filters and display
filters have the same syntax. Capture filters are implemented not by
Ethereal, but by the libpcap/WinPcap library Ethereal uses, so they have
the libpcap syntax, not the Ethereal display filter syntax.

That syntax is documented in the documentation for the first libpcap
application, tcpdump; WinDump is tcpdump ported to Windows, using
WinPcap (which is libpcap ported to Windows), and the WinDump
documentation can be found at

    http://netgroup-serv.polito.it/windump/docs/manual.htm

Look in the section that starts with

    expression selects which packets will be dumped. If no
    expression is given, all packets on the net
    will be dumped. Otherwise, only packets for
    which expression is `true' will be dumped.

for a description of the syntax.

In particular, the syntax for capturing traffic to or from a particular
IP address is

    ip host <address>

where "<address>" can either be an IP address *OR* a host name.