Ethereal-users: Re: [Ethereal-users] Some help with either Red Hat 7.2 or Windoze Ethereal.
On Sat, May 18, 2002 at 08:42:56AM -0500, Steve Shireman wrote:
> I have installed Ethereal on Windows 2000 and Windows 98 weinie
> machines, but when I run it, I can only see the traffic to and from the
> host I am on. I want to watch two other hosts communicate and capture
> the packets, for an embedded project I have designed.
This may be a switch or hub issue:
http://www.ethereal.com/faq.html#q4.1
> I try to set the filter to look at host 10.10.10.250 with:
> ip.src == 10.10.10.150
>
> but that simple filter complains of a parse error.
That's a valid filter for use *after* you've captured packets (called a
"display filter").
It's not a valid filter for use when capturing packets; those filters
are compiled by the libpcap/WinPcap library that Ethereal, tcpdump, and
a number of other programs use for capturing packets.
The tcpdump man page (on a UNIX system), or the WinDump man page (on a
Windows system; see
http://windump.polito.it/docs/manual.htm
for an on-line version) describes the syntax of those expressions; see
the section that begins with
    expression
        selects which packets will be dumped. If no expression is
        given, all packets on the net will be dumped. Otherwise, only
        packets for which expression is `true' will be dumped.
In particular, if you want to look at packets *from* host 10.10.10.250,
the expression is
    src host 10.10.10.250
although note that
    src host 10.10.10.250
will not capture packets *to* host 10.10.10.250 and
    ip.src == 10.10.10.250
will not display packets *to* host 10.10.10.250 - if you want traffic
from *and* to 10.10.10.250, the capture filter is
    host 10.10.10.250
and the display filter is
    ip.addr == 10.10.10.250
> I have set the "promiscuous" flag in the settings of Ethereal on PC.
Promiscuous mode doesn't help if you're on a switch or a dual-speed hub;
see the FAQ URL at the top of my reply.
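
Added example, not part of the original message or of Ethereal's code: a small Python translator from the single-address display filters discussed above to their libpcap capture-filter equivalents, with a matcher that shows which constructed packets each form keeps. The function names and the sample packet list are assumptions made for illustration, and the `ip.dst` / `dst host` pair generalizes slightly beyond the two cases in the reply.

```python
import ipaddress
import re

# Display-filter field -> libpcap capture qualifier. ip.src and ip.addr are
# the pairs given in the reply; ip.dst / "dst host" is the matching third case.
FIELD_TO_QUALIFIER = {"ip.src": "src host", "ip.dst": "dst host", "ip.addr": "host"}
DISPLAY_RE = re.compile(r"^\s*(ip\.(?:src|dst|addr))\s*==\s*(\S+)\s*$")

def to_capture_filter(display_filter):
    """Translate 'ip.src == A' style display filters into libpcap syntax."""
    m = DISPLAY_RE.match(display_filter)
    if not m:
        raise ValueError(f"unsupported display filter: {display_filter!r}")
    field, addr = m.groups()
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    return f"{FIELD_TO_QUALIFIER[field]} {addr}"

def matches(capture_filter, src, dst):
    """Apply a '[src|dst] host A' capture filter to one packet's addresses."""
    words = capture_filter.split()
    if len(words) == 2 and words[0] == "host":
        return words[1] in (src, dst)
    if len(words) == 3 and words[1] == "host" and words[0] in ("src", "dst"):
        return words[2] == (src if words[0] == "src" else dst)
    raise ValueError(f"unsupported capture filter: {capture_filter!r}")

def select(capture_filter, packets):
    """Return the (src, dst) pairs the capture filter would keep."""
    return [p for p in packets if matches(capture_filter, *p)]

# Constructed sample traffic as (source, destination) pairs.
PACKETS = [
    ("10.10.10.250", "10.10.10.150"),
    ("10.10.10.150", "10.10.10.250"),
    ("10.10.10.1", "10.10.10.150"),
]

if __name__ == "__main__":
    for display in ("ip.src == 10.10.10.250", "ip.addr == 10.10.10.250"):
        capture = to_capture_filter(display)
        print(f"{display!r} -> {capture!r}: {select(capture, PACKETS)}")
```

Passing a capture-filter string such as `src host 10.10.10.250` to `to_capture_filter` raises `ValueError`, mirroring the parse error that results from mixing the two syntaxes.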