Thank you.
I wanted to capture coordinated traceroutes actually using Ethereal.
If I can pick up two ICMP messages withing say 5 seconds ,it would be a
great help. And yes ,ICMP Echo requests would be fine . How can I use
tethereal to capture these kind of packets ?
Thanks again ,
Kamath.
----- Original Message -----
From: Guy Harris <guy@xxxxxxxxxx>
Date: Wednesday, July 18, 2001 9:40 pm
Subject: Re: [Ethereal-users] tethereal for selective capture
> > I would like to use tethereal on Linux to capture selective
> capture
> > i.e to say tethereal would go on capturing traffic but would
> only
> > output the filtered packets on to a file.
>
> Tethereal (like tcpdump and snoop) runs in one of two modes:
>
> captures packets and prints a dissection of the packet to the
> standard output, but doesn't write the packets to a file;
>
> captures packets and writes them to a file, but doesn't print a
> dissection of them.
>
> In either case, the capture filter specifies which packets are to be
> printed or written to the file.
>
> So the way you'd do that with Tethereal would be the same as you'd
> do it
> with tcpdump or snoop - do
>
> tethereal -i <interface> -w <file> <filter expression>
>
> where <interface> is the name of the interface on which you want to
> capture (or, with libpcap 0.6.2 and recent versions of Ethereal,
> you can
> use "all" on Linux to capture from all interfaces), <file> is the file
> to which to write the captured packets, and <filter expression> is the
> filter expression to use.
>
> > I am interested in traceroutes and ARP packets to be handled
> this way.
>
> Traceroutes are difficult to identify, unless the traceroute is using
> ICMP ECHO requests rather than UDP packets to a random port number.
>
> A capture filter that would handle both ICMP and ARP packets would be
>
> icmp or arp
>
> > Are such multiple filters possible?
>
> What do you mean by "multiple filters"?
>
> If you mean a filter that matches either ICMP packets or ARP packets,
> yes, it's possible - see above.
>
