Ethereal-users: Re: [ethereal-users] capture filters for windows port

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 5 May 2000 17:00:26 -0700 (PDT)
> Our goal is to capture all port 80 requests from one ip address and only
> wish to capture that. We have a lot of traffic on our network and the
> capture file would be quite huge without it. We tried writing our own
> filters (ip.addr eq 192.168.1.58) and (tcp.port eq 80) and tried to
> implement them before doing the capture, but it would give us an error
> message (Unable to parse filter string (syntax error))

Item 3.1 in the Ethereal FAQ at

	http://ethereal.zing.org/faq.html#q3.1

says:

 
	Q: I can set a display filter just fine, but capture filters
	   don't work. 

	A: Capture filters currently use a different syntax than display
	   filters.  Here's the corresponding section from the ethereal(1)
	   man page:

	     "Display filters in Ethereal are very powerful; more fields are
	     filterable in Ethereal than in other protocol analyzers, and the
	     syntax you can use to create your filters is richer.  As
	     Ethereal progresses, expect more and more protocol fields to be
	     allowed in display filters.

	     Packet capturing is performed with the pcap library.  The
	     capture filter syntax follows the rules of the pcap library. 
	     This syntax is different from the display filter syntax."

	   The capture filter syntax used by libpcap can be found in the
	   tcpdump(1) man page.

Try using the equivalent tcpdump-style filter:

	host 192.168.1.58 and port 80

(No, we don't consider it a feature that the syntaxes are different. 
However, it's not a quick hack to change it.)
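
The difference between the two syntaxes, as an added Python example (not part of the original message and not Ethereal code): it translates a small subset of display-filter expressions into pcap capture-filter syntax and rejects anything outside that subset. The function name `to_capture_filter` and the field table are assumptions made for this example.

```python
import ipaddress
import re

# Display-filter field -> (pcap primitive, value kind). Constructed subset.
FIELDS = {
    "ip.addr": ("host", "ip"), "ip.src": ("src host", "ip"),
    "ip.dst": ("dst host", "ip"), "tcp.port": ("tcp port", "port"),
    "tcp.srcport": ("tcp src port", "port"),
    "tcp.dstport": ("tcp dst port", "port"), "udp.port": ("udp port", "port"),
}
LOGIC = {"and": "and", "&&": "and", "or": "or", "||": "or",
         "not": "not", "!": "not"}
TOKEN = re.compile(r"\(|\)|&&|\|\||==|!|[\w.]+")


def to_capture_filter(display_filter):
    """Translate a simple display filter into pcap capture-filter syntax."""
    tokens = TOKEN.findall(display_filter)
    # Reject input containing characters the tokenizer skipped (e.g. "!=").
    if "".join(tokens) != re.sub(r"\s+", "", display_filter):
        raise ValueError("unsupported characters in filter")
    out, depth, i = [], 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("(", ")"):
            depth += 1 if tok == "(" else -1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
            out.append(tok)
        elif tok.lower() in LOGIC:
            out.append(LOGIC[tok.lower()])
        elif tok in FIELDS:
            # Only equality maps cleanly onto a single pcap primitive.
            if tokens[i + 1:i + 2] not in (["eq"], ["=="]) or i + 2 >= len(tokens):
                raise ValueError(f"only 'eq'/'==' is supported after {tok}")
            primitive, kind = FIELDS[tok]
            value = tokens[i + 2]
            if kind == "ip":
                ipaddress.IPv4Address(value)  # raises ValueError if malformed
            elif not (value.isdigit() and int(value) <= 65535):
                raise ValueError(f"bad port: {value}")
            out.append(f"{primitive} {value}")
            i += 2
        else:
            raise ValueError(f"no capture-filter mapping for {tok!r}")
        i += 1
    if depth:
        raise ValueError("unbalanced parentheses")
    return " ".join(out).replace("( ", "(").replace(" )", ")")
```

For the filter in the question this returns `(host 192.168.1.58) and (tcp port 80)`; `tcp port 80` is narrower than a bare `port 80`, which also matches UDP.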