GRL wrote:
I know I already made this question and I had an answer. So I apologize
because I insist, but I'm not able yet to understand why it's not
possible to set a filter for a specific word (or a sequence of
characters, if you prefer).
By "for a specific word", do you mean "for a specific word, or sequence
of characters, anywhere in the packet"?
If so, it *is* possible to have a display filter for that, in newer
versions of Ethereal:
frame contains "string"
would match all packets containing the ASCII string "string".
It's not possible with capture filters, because the capture filter
mechanism was designed around the notion of "programs" in a
pseudo-machine language that would test parts of the packet and return a
success or failure indication; the intent was that those programs be
"safe", as they could be supplied to the kernel so that a packet that a
capturing program wasn't interested in could be discarded *before* CPU
time was spent copying it to the user-mode code, and the way that made
sure that they were "safe" included not allowing infinite loops - they
accomplished this by not allowing loops at all.
Perhaps they could've done things differently, but they didn't.
Ethereal is intended to run atop systems *WITHOUT* having to modify the
kernel (requiring kernel modifications would make it much less usable),
so it inherits all the limitations of the underlying packet capture
mechanism.
