Wireshark · Ethereal-users: Re: [Ethereal-users] Question about Ethereal filters

Ethereal-users: Re: [Ethereal-users] Question about Ethereal filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Thu, 9 Jan 2003 11:23:23 -0800

On Thu, Jan 09, 2003 at 12:22:49PM -0500, Robert Casto wrote:
> I found the cfilters and dfilters files under my Application
> Data\Ethereal directory. I would like to use configuration files for
> Tethereal instead of having to do command line.

Then you will have to write code to support it.  The only place where
you can currently use named filters in Ethereal/Tethereal is in the
"Display Filter" dialog box - you can click on one of the named filters
and retrieve its filter string, and then apply that filter string. 
There is no such mechanism in Tethereal; you have to specify the filter
string to Tethereal.

> Can I put multiple
> filter lines in the files and then specify Tethereal to use them?

No.

> Or is
> there a way I can specify multiple capture and display filters for
> Tethereal?

No, but there's no way to do it in Ethereal, either.

> I am trying to see if there is a way to specify multiple
> capture filter strings

Neither Ethereal nor Tethereal support multiple capture filter strings
in a single capture.

However, the libpcap capture filter language, which both of them use (as
does tcpdump, and as do a lot of *other* capture programs), *does*
support the "and" and "or" operators, so, for example, if you have two
capture filter strings and you only want to capture packets that match
both filter strings, you do that by using

	{filter string one} and {filter string two}

e.g.

	host foo.bar.com and tcp port 17

> along with multiple display strings to Tethereal to control its out
> put.

Ethereal and Tethereal don't support multiple display filter strings,
either - but, again, tehre are "and" and "or" operators.

> Otherwise I will have to filter out the info I
> don't want after specifying the packets I want captured.

If the filter expression specifying the info you don't want can be
expressed as a capture filter, use, as a capture filter:

	{packets I want captured} and not {info I don't want}

If the filter expression specifying the info you don't want *can't* be
expressed as a capture filter, but *can* be expressed as a display
filter, use the capture filter as the capture filter expression and use
"not" followed by the expression specifying the info you don't want as a
read filter expression:

	tethereal -R "not {info I don't want}" {packets I want captured}

References:
- [Ethereal-users] Question about Ethereal filters
  - From: Robert Casto

Prev by Date: [Ethereal-users] Question about Ethereal filters
Next by Date: Re: [Ethereal-users] Filtering options in Tethereal
Previous by thread: [Ethereal-users] Question about Ethereal filters
Next by thread: [Ethereal-users] filtering question - MS login ip:s
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$