On Mon, May 13, 2002 at 10:05:31AM -0700, hecvillaf@xxxxxxxxx wrote:
> I also found a H.323 plugin for
> Ethereal at www.voice2sniff.org, but
> seems to work only on windows boxes,
> am I right? (hope not!)
> And is this plugin a display-filter or
> just a capture-filter?
A plugin is not a filter of any sort.
A plugin is a dissector for a protocol.
As the plugin adds support for new protocols, it adds new display filter
capabilities - I don't know what the names of the protocols for which
you can filter are.
Capture filter parsing is not implemented in code in Ethereal; it's
implemented in code in libpcap/WinPcap. Capture filters are compiled
into programs for a simulated machine; those programs are limited in
what they can do (given that they are, on many platforms, shoved into
the OS kernel, to filter packets out *before* being copied into the
process's address space), so the plugin does not, and cannot, add a
capture filter capability to filter for VoIP traffic.
About the best you could do would be to determine the TCP and UDP ports
being used for the VoIP traffic, and filter on those. If dynamically
assigned ports are in use, you're out of luck.
Tethereal, at least, *does* allow you to use a display filter to control
which packets are written to a capture file; you could do
tethereal -w {capture file name} -R {display filter}
Note, however, that this requires Tethereal to dissect *every single
packet that it captures* and evaluate the display filter expression;
this may or may not cause it to take too much time to process the
packet, and therefore cause it not to be able to process packets as fast
as they arrive, and therefore cause it to drop packets. I don't know
what rate of incoming traffic Tethereal would be able to handle in that
situation.
