Ethereal-users: Re: [Ethereal-users] Strange things happen with tethereal -w option (V 0.94) on

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 3 Jul 2002 16:15:20 -0700
On Thu, Jul 04, 2002 at 08:52:54AM +1000, Tino wrote:
> The following ***works*** for sending output to the console (without the -w
> option) or to the file test.txt with the -w option.
> tethereal -n -t ad -i
> \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> 203.13.133.164 or ip.src eq 203.13.133.165)" -w d:\test.txt

You're aware that "test.txt" will *NOT* be a text file, right?  Instead,
it'll be a libpcap file that could be read by tcpdump or Ethereal or
Tethereal or....

> however, the following only works for sending the output to the console, but
> not to the file test.txt with the -w option.
> tethereal -n -t ad -i
> \Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
> 203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
> tcp.flags.reset eq 1" -w d:\test.txt

What does "not" mean there?  Does it not write any packets, even if an
RST is generated?

Note that 0.9.4 (and earlier versions) had a bug, when capturing to a
file (with "-w") and using a read filter (with "-R"), where the packet
counter would be incremented for any packet that arrived, regardless of
whether the packet actually passed the read filter and got written to
the capture file or not.

So if you saw a non-zero packet count when doing a "-w" capture with a
read filter, that didn't guarantee that if you interrupted Tethereal
there would actually be packets in the capture file.

Furthermore, there was another bug in 0.9.4 (and some earlier versions)
where Tethereal, on Windows, would crash if you tried to interrupt it
with ^C.

Both of those bugs should be fixed in 0.9.5; if the problem is that you
run

	tethereal -n -t ad -i
	\Device\Packet_{9509DFE0-6012-4D5A-BBF7-1B1D5BAC4761} -R "(ip.src eq
	203.13.133.164 or ip.src eq 203.13.133.165) and tcp.srcport eq 80 and
	tcp.flags.reset eq 1" -w d:\test.txt

and it showed a non-zero packet count, but you interrupted it and there
weren't any packets in the capture, try installing 0.9.5 and running
that.

Note also that, although the syntax isn't as convenient, capture filters
are more efficient than read filters - especially on platforms,
including Windows, where the filtering is done in the OS kernel.  The
equivalent capture filter would be

	(host 203.13.133.164 or host 203.13.133.165) and tcp src port 80
	    and tcp[13] & 0x04 != 0

That should work even with 0.9.4.
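The two points made in the message (a "-w" output is a libpcap file whatever its extension, and a packet that arrives is not the same as a packet that passes the filter and gets written) as an added Python example; this is not code from the thread or from Tethereal. It hand-builds a few Ethernet/IPv4/TCP frames for the two hosts and port 80 named above (the peer addresses 192.0.2.10 and 198.51.100.7, the zero MACs and the timestamps are constructed), serialises them as a classic libpcap file, checks the magic number, and applies a byte-level equivalent of the capture filter, testing the RST bit (0x04) of the TCP flags byte at tcp[13].

```python
import struct

# Constructed sample traffic: the two hosts and port 80 from the thread, with
# hypothetical peer addresses and MACs. Frames are built by hand so that the
# example runs offline without a capture interface.
HOSTS = ("203.13.133.164", "203.13.133.165")
TCP_SYN = 0x02   # bit 1 of the TCP flags byte (tcp[13])
TCP_RST = 0x04   # bit 2 of the TCP flags byte (tcp[13])
TCP_ACK = 0x10
PCAP_MAGIC_LE = 0xa1b2c3d4
PCAP_MAGIC_BE = 0xd4c3b2a1


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 (no options) + TCP (no options, no payload); checksums left at 0."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"          # placeholder MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def write_pcap(frames):
    """Serialise frames as a classic little-endian libpcap file, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1025740000 + i, 0, len(frame), len(frame)))  # constructed timestamps
        out.append(frame)
    return b"".join(out)


def is_libpcap_file(data):
    """The first four bytes say whether a '-w' output is a libpcap file, whatever its extension."""
    if len(data) < 24:
        return False
    magic = struct.unpack_from("<I", data, 0)[0]
    return magic in (PCAP_MAGIC_LE, PCAP_MAGIC_BE)


def read_pcap(data):
    """Walk the per-packet records of a little-endian libpcap file and return the raw frames."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def matches_rst_filter(frame):
    """Byte-level equivalent of the capture filter
       (host A or host B) and tcp src port 80 and tcp[13] & 0x04 != 0
    'host' matches either direction, so this is slightly broader than the
    read filter's ip.src test in the original command."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ip[9] != 6 or len(ip) < ihl + 14:
        return False
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    return (src in HOSTS or dst in HOSTS) and sport == 80 and (tcp[13] & TCP_RST) != 0


def filter_counts(data):
    """(packets in the file, packets passing the filter). With the 0.9.4 bug
    described in the thread, the counter Tethereal displayed tracked the first
    number while only the second was actually written to the capture file."""
    frames = read_pcap(data)
    return len(frames), sum(1 for f in frames if matches_rst_filter(f))


SAMPLE = write_pcap([
    build_frame("203.13.133.164", "192.0.2.10", 80, 40000, TCP_RST),            # passes
    build_frame("203.13.133.165", "192.0.2.10", 80, 40001, TCP_SYN | TCP_ACK),  # not a reset
    build_frame("203.13.133.164", "192.0.2.10", 443, 40002, TCP_RST),           # wrong port
    build_frame("198.51.100.7", "192.0.2.10", 80, 40003, TCP_RST),              # wrong host
    build_frame("203.13.133.165", "192.0.2.10", 80, 40004, TCP_RST | TCP_ACK),  # passes
])

if __name__ == "__main__":
    print("libpcap file:", is_libpcap_file(SAMPLE))
    print("arrived/passed:", filter_counts(SAMPLE))
```

Run against a real "-w" output, `is_libpcap_file` is the quick check that a file named `test.txt` is a capture rather than text, and the arrived/passed pair is the distinction the 0.9.4 counter blurred: five packets arrive, two satisfy the filter.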