
Ethereal-users: Re: [Ethereal-users] question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 29 Oct 2001 15:34:29 -0800 (PST)
> Hi. I am wondering how I can use the filter option in Ethereal for
> Win2k.

Capture filters, or display filters?

In either case, you use them the same way you use them in Ethereal for
any other platform (modulo differences in the capture filters that the
version of libpcap being used on that platform accepts).

> What do I type to filter out all but a single protocol f.ex.?

For capture filters, check out the tcpdump man page, or, on Windows, the
WinDump man page:

	http://netgroup-serv.polito.it/windump/docs/manual.htm

for a description of the syntax.  Only some protocols can be tested;
some of them let you filter by name (e.g., "ip", "tcp", "udp"), some
others would require you to check the numerical value of some field
(e.g., "ip proto 132" for SCTP), and some others can't be filtered out at
all (e.g., HTTP, or NFS, or SMB, or ONC or DCE RPC - you can, at best,
filter based on port numbers, which would work for SMB, and for all but
a probably-negligible amount of NFS traffic, and for most HTTP traffic,
but not for ONC RPC traffic other than the portmapper or DCE RPC
traffic other than whatever stuff it runs at a fixed port number).

For display filters - which don't control what traffic gets captured,
only what traffic is currently being displayed - see the Ethereal man
page for a complete list of protocols that can be filtered.

> Or want to select only one computer

For capture filters:

	host {hostname or IP address}

should work to select only traffic to or from that host.  (That'll
probably get only IP traffic - not, for example, ARP traffic - unless
the host name happens to map to a MAC address in the ethers file or NIS
database for that file.)

For display filters, you can check the source and destination IP
addresses of packets with

	ip.addr == {hostname or IP address}

and there's a similar field for IPv6, as well as fields for link-layer
and other addresses.

> or select anyone except one computer..?

Precede the filter expression with "not" (it shouldn't require that you
surround the filter expression with parentheses, as the above are simple
expressions).
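The capture-filter behaviour described in the reply above (host matching on IP source or destination, "ip proto 132" for SCTP, port-based matching for TCP/UDP, and "not" negation) can be worked through on constructed frames. The following is an added example and is not code from the original message, from Ethereal, or from libpcap/WinDump: libpcap compiles capture filters to BPF programs that run in the kernel or driver, whereas this script only models the semantics of a small subset of the tcpdump/WinDump grammar (host, ip, ip proto, tcp, udp, port, arp, not/and/or, parentheses) in Python. The frames, MAC addresses and IP addresses are constructed sample data, only literal IP addresses are accepted for "host" (no name resolution), and the ARP frame is included to show the caveat from the message: "host X" does not match ARP traffic from X because that traffic is not IP.

```python
import struct
import ipaddress

# Standard EtherType / IP protocol numbers used by the constructed frames below.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP = 6, 17, 132


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0, ethertype=ETHERTYPE_IP):
    """Build a constructed Ethernet frame: ARP, or IPv4 followed by a 4-byte port stub.
    MACs are zeroed and no checksums are computed; this is sample data, not a capture."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", ethertype)
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    if ethertype == ETHERTYPE_ARP:
        # hw type, proto type, hw len, proto len, opcode (1 = request), sender/target MAC+IP
        arp = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)
        return eth + arp + b"\x00" * 6 + src + b"\x00" * 6 + dst
    # IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0, src, dst)
    return eth + ip_hdr + struct.pack("!HH", sport, dport)


def parse(frame):
    """Decode only the fields the filter primitives below look at."""
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != ETHERTYPE_IP:
        return pkt  # ARP and other non-IP frames carry no IP fields at all
    ihl = (frame[14] & 0x0F) * 4
    pkt["proto"] = frame[23]
    pkt["src"] = str(ipaddress.ip_address(frame[26:30]))
    pkt["dst"] = str(ipaddress.ip_address(frame[30:34]))
    if pkt["proto"] in (IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return pkt


def compile_filter(expr):
    """Turn a subset of the tcpdump/WinDump filter grammar into a predicate over parse() output.
    Grammar: or_expr := and_expr ('or' and_expr)*; and_expr := term ('and' term)*;
    term := 'not' term | '(' or_expr ')' | primitive.  'and' binds tighter than 'or'."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        return tok

    def primitive():
        tok = take()
        if tok == "host":  # matches IP source OR destination; never matches ARP
            ip = take()
            return lambda p: p.get("src") == ip or p.get("dst") == ip
        if tok == "arp":
            return lambda p: p["ethertype"] == ETHERTYPE_ARP
        if tok == "ip":
            if peek() == "proto":  # "ip proto N": test the IP protocol number field
                take()
                n = int(take())
                return lambda p: p.get("proto") == n
            return lambda p: p["ethertype"] == ETHERTYPE_IP
        if tok in ("tcp", "udp"):
            n = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}[tok]
            if peek() == "port":  # "tcp port N" / "udp port N": either endpoint
                take()
                port = int(take())
                return lambda p: p.get("proto") == n and port in (p.get("sport"), p.get("dport"))
            return lambda p: p.get("proto") == n
        if tok == "port":
            port = int(take())
            return lambda p: port in (p.get("sport"), p.get("dport"))
        raise ValueError(f"unsupported primitive: {tok}")

    def term():
        if peek() == "not":
            take()
            f = term()
            return lambda p: not f(p)
        if peek() == "(":
            take()
            f = or_expr()
            if take() != ")":
                raise ValueError("missing )")
            return f
        return primitive()

    def and_expr():
        f = term()
        while peek() == "and":
            take()
            f = (lambda a, b: lambda p: a(p) and b(p))(f, term())
        return f

    def or_expr():
        f = and_expr()
        while peek() == "or":
            take()
            f = (lambda a, b: lambda p: a(p) or b(p))(f, and_expr())
        return f

    f = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in filter")
    return f


def apply_filter(expr, frames):
    """Return the indices of the frames that the filter expression would keep."""
    match = compile_filter(expr)
    return [i for i, fr in enumerate(frames) if match(parse(fr))]


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 40000, 80),       # 0: HTTP request from .5
    build_frame("10.0.0.9", "10.0.0.5", IPPROTO_TCP, 80, 40000),       # 1: HTTP reply to .5
    build_frame("10.0.0.7", "10.0.0.9", IPPROTO_UDP, 53000, 53),       # 2: DNS from another host
    build_frame("10.0.0.5", "10.0.0.9", IPPROTO_SCTP, 5000, 5000),     # 3: SCTP from .5
    build_frame("10.0.0.5", "10.0.0.9", 0, ethertype=ETHERTYPE_ARP),   # 4: ARP request from .5
]

if __name__ == "__main__":
    for expr in ("host 10.0.0.5", "not host 10.0.0.5", "ip proto 132",
                 "tcp port 80", "host 10.0.0.5 and not tcp port 80"):
        print(f"{expr!r:40} -> frames {apply_filter(expr, SAMPLE_FRAMES)}")
```

Note that "not host 10.0.0.5" keeps the ARP request that 10.0.0.5 sent (frame 4), because "host" only ever looked at IP addresses; a real filter of "host X" or "not host X" behaves the same way unless the name also resolves to a MAC address, as the reply points out.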