> Hi All,
>
> I am new to ethereal sniffer.
>
> I can capture the packets using ethereal.
>
> However, I am unable to apply the capture filters.
>
> I even looked at the mailing list archives but it was of no help.
>
> Please help me out with this simple stuff.
>
> I want to capture the packets of only two protocols i.e. h225 and h245.

You can't use a capture filter to do that.

The capture filter mechanism (which is *not* part of Ethereal; it's part
of libpcap and, on many OSes, part of the OS kernel, or, in the case of
Windows, part of a device driver that gets added to the OS kernel)
compiles capture filters into a pseudo-machine-language which is
interpreted by code either in libpcap or in the OS kernel.

That machine language is very simple; it can only test the values of
1-byte, 2-byte, or 4-byte fields at various offsets in the packet. It
can't, for example, do anything that involves a loop.

The capture filter language that compiles into that machine language
supports only checking fields at fixed offsets from:

  - the beginning of the frame;
  - the beginning of the IP header;
  - the beginning of the TCP or UDP header.

You will have to try to construct a filter expression that can recognize
H.225 and H.245 packets by checking only those fields; if that's
impossible, then setting up a capture filter for H.225 and H.245 packets
is impossible.

See the tcpdump man page on your system for a description of the syntax
of capture filters, or, if you're using Windows, check out the WinDump
man page on the site from which you downloaded WinPcap (there should be
a link to the WinDump site from the WinPcap site) - note that said site
might be down right now.

> Apart from filtering these specific protocols during capture, I also want to
> filter specific hosts.

Filtering on IP addresses is one thing that the capture filter can do
straightforwardly, with the "hosts" keyword; see the tcpdump/WinDump man
page. Filtering on H.225 or H.245 packets is probably either more
difficult or impossible.
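Added example, not part of the list message above: a Python emulation of the fixed-offset checks a libpcap capture filter performs, so you can see why a host-and-port filter is easy and a protocol-level H.225/H.245 filter is not. It assumes H.225.0 call signalling on TCP port 1720 (the standard assignment) and that H.245 runs on a port negotiated inside the H.225 exchange, which is why no fixed-offset test can pick it out unless the port is already known. All frames are constructed inline for the example; nothing is captured.

```python
"""Added example: emulate the fixed-offset tests behind the capture filter
'host 10.0.0.5 and tcp port 1720'.  Every test reads a 1-, 2- or 4-byte
field at an offset fixed relative to the frame, the IP header or the TCP
header, with no loop, exactly the restriction described in the reply."""
import ipaddress
import struct

ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
H225_CS_PORT = 1720         # assumed: standard H.225.0 call-signalling port

# The capture-filter expression this emulation corresponds to.
TCPDUMP_EXPRESSION = "host 10.0.0.5 and tcp port 1720"


def build_frame(src_ip, dst_ip, proto, sport, dport, ip_options=b""):
    """Constructed Ethernet/IPv4/L4 frame for the example (checksums left zero)."""
    opts = ip_options.ljust((len(ip_options) + 3) // 4 * 4, b"\x00")
    ihl = 5 + len(opts) // 4                     # header length in 32-bit words
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # ports + padding
    total_len = ihl * 4 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + opts
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def _ld8(pkt, off):
    return pkt[off]


def _ld16(pkt, off):
    return struct.unpack_from("!H", pkt, off)[0]


def _ld32(pkt, off):
    return struct.unpack_from("!I", pkt, off)[0]


def host_and_tcp_port(pkt, host, port):
    """Return True if the frame would pass 'host <host> and tcp port <port>'.

    Only the IPv4 branch is emulated; libpcap's unqualified 'host' also
    matches the address in ARP and IPv6 packets."""
    host = int(ipaddress.IPv4Address(host))
    if len(pkt) < ETH_HDR_LEN + 20:
        return False
    if _ld16(pkt, 12) != ETHERTYPE_IPV4:          # frame offset 12: EtherType
        return False
    ip = ETH_HDR_LEN                               # IP header at a fixed frame offset
    if _ld32(pkt, ip + 12) != host and _ld32(pkt, ip + 16) != host:
        return False                               # neither src nor dst address
    if _ld8(pkt, ip + 9) != IPPROTO_TCP:           # IP protocol field
        return False
    if _ld16(pkt, ip + 6) & 0x1FFF:                # non-first fragment: no TCP header
        return False
    # TCP header offset = IP header length; BPF does this with one indexed
    # load (ldx 4*([14]&0xf)), which is why IP options do not need a loop.
    tcp = ip + (_ld8(pkt, ip) & 0x0F) * 4
    if len(pkt) < tcp + 4:
        return False
    return _ld16(pkt, tcp) == port or _ld16(pkt, tcp + 2) == port


def demo():
    """Run the emulated filter over constructed frames; returns name -> matched."""
    host = "10.0.0.5"
    frames = {
        "h225_setup": build_frame("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 40000, H225_CS_PORT),
        "h225_reply_with_ip_options": build_frame("10.0.0.9", "10.0.0.5", IPPROTO_TCP,
                                                  H225_CS_PORT, 40001,
                                                  ip_options=b"\x94\x04\x00\x00"),
        "other_host": build_frame("10.0.0.7", "10.0.0.9", IPPROTO_TCP, 40000, H225_CS_PORT),
        "udp_media": build_frame("10.0.0.5", "10.0.0.9", IPPROTO_UDP, 5004, 5004),
        # H.245 on a port negotiated in H.225: nothing at a fixed offset says "H.245".
        "h245_negotiated_port": build_frame("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 40002, 51234),
    }
    return {name: host_and_tcp_port(f, host, H225_CS_PORT) for name, f in frames.items()}


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:28s} {'match' if matched else 'drop'}")
```

To compare against the real thing, `tcpdump -d 'host 10.0.0.5 and tcp port 1720'` prints the compiled BPF program, and you will find the same EtherType, address, protocol, fragment and indexed-port loads and nothing else. The last constructed frame is the point of the reply: once the H.245 port is only known from the H.225 exchange, no fixed-offset test in the capture filter can select it, and that selection has to happen in Ethereal's display filter instead.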