Wireshark · Ethereal-users: RE: [Ethereal-users] RE: Packet capture doesn't work?

Ethereal-users: RE: [Ethereal-users] RE: Packet capture doesn't work?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 8 Mar 2002 12:03:20 -0800

At this point I'm about ready to write some!  Maybe an Ethereal capture
howto or something...

Actually, there seem to be some bugs in Ethereal related to this issue.  I
think they caused me as much or more confusion than the documentation.  I
have no idea if they're already known issues but here goes...

First, I'm running on Windows NT 4.0 with winpcap version 2.2.  No idea if
this would happen on other versions.

As an example of this bug, open ethereal and go to Capture->Start put in a
filter of "ip proto \udp".  Things work, woo hoo.  Now go back to
Capture->Start again after stopping the capture.  Put in a filter of "ip
proto udp".  There will be a parse error.  Now, go back to capture start and
put in "ip proto \udp" again.  This time if you have traffic to sniff,
you'll see your filter didn't work properly.  (You can try any filter you
want at this point and some will give parse errors, others will just plain
do weird stuff)

This happens because Ethereal (or something under it) seems to get its
capture string messed up after each return of "Unable to parse filter string
(parse error)."  Once you've put in one bad capture filter, you have to
restart Ethereal to get things straitened out.

You can see how this would be particularly confusing to someone just
learning how to input proper capture filters using only the tcpdump man
page...  Till it gets fixed, one or two lines in the FAQ would do wonders.

Thanx,
-Bob
beby@xxxxxxxxxxxx

>-----Original Message-----
>From: Guy Harris [mailto:guy@xxxxxxxxxx]
>Sent: Friday, March 08, 2002 1:37 AM
>To: beby@xxxxxxxxxxxx
>Cc: ethereal-users@xxxxxxxxxxxx
>Subject: Re: [Ethereal-users] RE: Packet capture doesn't work?
>
>
>On Thu, Mar 07, 2002 at 05:52:47PM -0800, beby@xxxxxxxxxxxx wrote:
>> However, I would still like to request someone update Q4.3
>in the FAQ to
>> mention these type of issues... Why?  Because this problem
>was almost enough
>> to get me to forget about Ethereal, and start using MS
>NETMON and associated
>> tools instead.  Perhaps just pointing out a couple better
>sources of docs on
>> tcpdump than the man page would be enough.
>
>I, at least, don't know of any better documentation, which is why I
>haven't put any links to them.  If you know of any, let us know....
>

Follow-Ups:
- Re: [Ethereal-users] RE: Packet capture doesn't work?
  - From: Guy Harris

Prev by Date: [Ethereal-users] using ethereal
Next by Date: Re: [Ethereal-users] RE: Packet capture doesn't work?
Previous by thread: Re: [Ethereal-users] RE: Packet capture doesn't work?
Next by thread: Re: [Ethereal-users] RE: Packet capture doesn't work?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$