Ethereal-users: Re: [Ethereal-users] Capturing only filtered packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 3 Jun 2002 02:40:06 -0700
On Mon, Jun 03, 2002 at 09:12:33AM +0530, Narayan Sharma wrote:
>             If one applies a filter on Ethereal only filtered packets
> would be displayed, although internally Ethereal would capture all the
> packets it had seen.  Is there any option which allows Ethereal to
> capture absolutely only the filtered packets and nothing else.

There are two types of filter expressions in Ethereal and Tethereal:
capture filters and display filters.

Ethereal and Tethereal use the libpcap library (or, on Windows, the
WinPcap library, which is a port of libpcap to Windows, plus a driver
and library that WinPcap uses to do the capturing) to capture packets. 
That library supports filtering packets, so that only some packets are
captured.

On some OSes, that filtering is done in the OS kernel, so that packets
that don't pass the filter are not copied to user-mode code; this is
more efficient than doing the filtering in user mode.

Capture filters are not as powerful as display filters, which are the
filters to which you're referring; they have a different syntax, which
is described in the tcpdump man page (as tcpdump also uses libpcap for
capturing).

For some types of filtering, you could use a capture filter; for
example, the display filter

	ip.addr == 172.73.12.49

which looks for packets to or from IPv4 address 172.73.12.49 corresponds
to the capture filter

	host 172.73.12.49

A display filter could, in principle, be used when capturing, although
it'd require more CPU time than a capture filter, as

	1) a packet has to be copied to user-mode code before the
	   display filter can be applied;

	2) the packet has to be completely dissected in order to apply a
	   display filter to it.

However, nobody's written code to allow a display filter to be used when
capturing in Ethereal.

It *is* supported in Tethereal, however; you could do

	tethereal -w {capture file} -R {display filter}

where "{capture file}" is the pathname of the file to which to write the
capture, and "{display filter}" is a display filter expression - note
that the expression would probably have to be put in quotes if it
contains any spaces or command-interpreter special characters.
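As an added illustration (not part of Guy Harris's reply, and not Ethereal's or libpcap's own code), the following Python toy contrasts the two filter types on constructed frames: `capture_filter_host` tests fixed byte offsets the way the BPF program libpcap compiles for `host 172.73.12.49` does, while `eval_display_filter` can only run after `dissect` has produced named fields, which is the extra user-mode work the message describes for `ip.addr == 172.73.12.49`. The tiny display-filter subset, the Ethereal-style field names, and `filter_frames` standing in for `tethereal -w ... -R ...` are assumptions of the example, not real Ethereal code.

```python
"""Capture filter vs display filter, simulated on constructed frames."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, proto=6, payload=b""):
    """Construct a sample Ethernet II + IPv4 frame (checksum left as 0)."""
    eth = (b"\x00\x11\x22\x33\x44\x55"        # destination MAC (constructed)
           + b"\x66\x77\x88\x99\xaa\xbb"      # source MAC (constructed)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + payload


def capture_filter_host(frame, host):
    """'host X' the way a BPF program tests it: fixed offsets, no dissection.

    Bytes 12-13 hold the EtherType; in an IPv4 header the source address is
    always at frame[26:30] and the destination at frame[30:34] (options, if
    any, follow the addresses, so these offsets do not move).
    """
    if len(frame) < 34 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return False
    want = ipaddress.IPv4Address(host).packed
    return frame[26:30] == want or frame[30:34] == want


def dissect(frame):
    """Full dissection into named fields, the work a display filter needs."""
    fields = {}
    if len(frame) < 14:
        return fields
    fields["eth.dst"] = ":".join(f"{b:02x}" for b in frame[0:6])
    fields["eth.src"] = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields["eth.type"] = ethertype
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return fields
    (ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    fields["ip.src"] = str(ipaddress.IPv4Address(src))
    fields["ip.dst"] = str(ipaddress.IPv4Address(dst))
    fields["ip.addr"] = {fields["ip.src"], fields["ip.dst"]}  # either side
    fields["ip.ttl"] = ttl
    fields["ip.proto"] = proto
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:          # TCP or UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
        prefix = "tcp" if proto == 6 else "udp"
        fields[prefix + ".srcport"] = sport
        fields[prefix + ".dstport"] = dport
        fields[prefix + ".port"] = {sport, dport}
    return fields


def eval_display_filter(expr, fields):
    """Evaluate a 'field == value' expression over dissected fields.

    Only this one operator is implemented (an assumption of the example);
    a field that is absent from the packet never matches.
    """
    name, op, value = expr.split()
    if op != "==":
        raise ValueError("unsupported operator: " + op)
    if name not in fields:
        return False
    have = fields[name]
    sample = next(iter(have)) if isinstance(have, set) else have
    if isinstance(sample, int):
        value = int(value, 0)
    return value in have if isinstance(have, set) else have == value


def filter_frames(frames, display_filter):
    """Stand-in for 'tethereal -w file -R filter': every frame reaches user
    mode and is dissected; only accepted ones are kept. Returns the kept
    frames and the number of dissections that were needed."""
    kept, dissections = [], 0
    for frame in frames:
        dissections += 1
        if eval_display_filter(display_filter, dissect(frame)):
            kept.append(frame)
    return kept, dissections


if __name__ == "__main__":
    frames = [build_ipv4_frame("172.73.12.49", "10.0.0.1"),
              build_ipv4_frame("10.0.0.2", "172.73.12.49", proto=17),
              build_ipv4_frame("10.0.0.3", "10.0.0.4")]
    kept, n = filter_frames(frames, "ip.addr == 172.73.12.49")
    print(f"display filter kept {len(kept)} of {n} dissected frames")
    print("capture filter:", [capture_filter_host(f, "172.73.12.49") for f in frames])
```

Both paths select the same two frames for this expression, which is the equivalence the message points out; the difference is that `filter_frames` dissects all four frames to decide, whereas the capture-filter check looks at eight bytes of each and can therefore be pushed into the kernel by libpcap.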