Ethereal-users: Re: [Ethereal-users] Filtering options in Tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 9 Jan 2003 11:32:41 -0800
On Thu, Jan 09, 2003 at 10:37:19AM -0500, Robert Casto wrote:
> I notice that there are 3 locations for specifying a filter according to
> the Tethereal man pages.
> 
> -f
> -R
> last parameter to Tethereal

"-f" and "last parameter to Tethereal" (which is really "last parameters
to Tethereal", plural - as is the case with tcpdump and snoop and the
like, all the non-command-line-flag parameters are combined, with spaces
between them, to make a capture filter string) specify capture filters.

"-R" specifies a read filter, which uses display filter syntax.

> I want to be able to specify that I want to see all traffic for http,
> ftp, telnet, and a couple of other protocols. I then want to be able to
> see just http.request and http.response.

In a single run of Tethereal, I don't see why you would want to specify
that you want to see all traffic for HTTP, FTP, Telnet, and a couple of
other protocols *and* then specify that, of those packets, the only ones
you want to see are HTTP requests and responses, as the FTP, Telnet, and
other protocol packets Tethereal took the time to capture will just be
discarded.

So if you only want to see HTTP requests and responses, you could either
do

	tethereal -R "http.request or http.response"

or a slightly more optimal version, as it means Tethereal doesn't even
have to bother dissecting non-HTTP packets:

	tethereal -R "http.request or http.response" http

Now, if you want to capture, to a file, traffic for HTTP, FTP, Telnet,
and some other protocols, and then, in a *second* run of Tethereal, read
that file (rather than doing a live capture) and see only the HTTP
traffic, you'd do, in the first Tethereal run

	tethereal -w {file} tcp port 80 or tcp port 20 or tcp port 21 or
	    tcp port 23 or ...

specifying the protocols in question by port number, and then, in the
second Tethereal run, do

	tethereal -r {file} -R "http.request or http.response"

If the other protocols can't be specified by port number, or something
else that libpcap capture filters support, you'd have to do that with a
read filter:

	tethereal -w {file} -R "http or ftp or telnet or ..."

although note that "tcp port 80" captures TCP packets to port 80 even if
they contain no data (i.e., ACK-only packets), while "-R http" captures
only packets that contain data *and* looks at ports other than port 80
(which, in a capture filter, you'd have to do with "or tcp port XXX").

> I know there are packet filters and display filters.

No, there are *capture* filters and display filters.

> How do I specify each of these to Tethereal?

As per my comments above:

	capture filters: "-f", or non-flag command-line arguments

	display filters: "-R".
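The two-pass workflow described in the reply above, as an added shell example that is not from this thread or from the Ethereal project. It assumes a `tethereal` binary on PATH that accepts `-i` for the interface, and an interface name in `$IFACE`.

```shell
#!/bin/sh
# Pass 1 uses a libpcap capture filter (given as the trailing, non-flag
# argument) to limit what is written to disk; pass 2 reads that file back
# and applies a read filter written in display-filter syntax.
# Added example; "tethereal", its -i/-w/-r/-R options and $IFACE are assumed.

# Join a list of TCP ports into a libpcap capture filter string, e.g.
#   build_capture_filter 80 21  ->  "tcp port 80 or tcp port 21"
build_capture_filter() {
    [ $# -gt 0 ] || { echo "build_capture_filter: no ports given" >&2; return 1; }
    filter=""
    for port in "$@"; do
        # refuse anything that is not a plain decimal port number
        case "$port" in
            ''|*[!0-9]*) echo "build_capture_filter: bad port '$port'" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="tcp port $port"
        else
            filter="$filter or tcp port $port"
        fi
    done
    printf '%s\n' "$filter"
}

# Pass 1: live capture on $iface, writing raw packets to $outfile.
# The capture filter is passed as one quoted trailing argument.
capture_to_file() {
    iface=$1; outfile=$2; shift 2
    cfilter=$(build_capture_filter "$@") || return 1
    tethereal -i "$iface" -w "$outfile" "$cfilter"
}

# Pass 2: read the saved file (-r) and keep only HTTP requests/responses
# with a read filter (-R). Packets are dissected only at this stage, which
# is why protocol and field names are available here but not in pass 1.
read_http_only() {
    infile=$1
    tethereal -r "$infile" -R "http.request or http.response"
}

# Run both passes only when an interface is supplied, so this file can be
# sourced for its functions without starting a capture.
if [ -n "${IFACE:-}" ]; then
    capture_to_file "$IFACE" capture.pcap 80 20 21 23
    read_http_only capture.pcap
fi
```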