
Ethereal-users: Re: [Ethereal-users] Packet Filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 5 Jul 2001 14:22:32 -0700
On Thu, Jul 05, 2001 at 02:12:47PM -0700, Anthony Abby wrote:
> I figured I'd simply filter as such "ip eq
> 192.168.1.3" but I get "Unable to parse filter string
> (Parse error)" instead.

That's because the correct capture filter would be

	ip host 192.168.1.3

or just

	host 192.168.1.3

The syntax for capture filters isn't the same as the syntax for display
filters - capture filters are compiled by the library that Ethereal uses
for packet capture, which is the same library that tcpdump uses, so the
syntax of capture filters for Ethereal is the same as that for tcpdump. 
See the tcpdump man page on a UNIX-flavored OS (e.g., Linux), or see the
WinDump man page:

	http://netgroup-serv.polito.it/windump/docs/manual.htm

on Windows (WinDump is a port of tcpdump to Windows, and uses WinPcap,
which is a port of libpcap to Windows; the capture filter syntax in
WinDump is the same as that of the version of libpcap from which it's
derived, which is currently libpcap 0.5 - different versions of libpcap
may support different things, as capture filter features are added to
libpcap from time to time).

Note that "ip eq 192.168.1.3" isn't even a valid *display* filter,
however; in display filters, "ip" is a Boolean predicate that is true if
the frame contains an IP packet somewhere and false otherwise - the
correct *display* filter would be

	ip.addr eq 192.168.1.3
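The semantics described in the reply above, worked through as an added example (this is not code from the original message, from Ethereal, or from libpcap): both "ip host 192.168.1.3" (capture filter) and "ip.addr eq 192.168.1.3" (display filter) match a frame whose IPv4 source *or* destination is that address, while the bare display-filter token "ip" only asks whether the frame carries an IPv4 packet. The Ethernet frames are constructed inline (dummy MAC addresses and a zero IP checksum); the function names are the example's own.

```python
"""Matchers implementing the filter semantics discussed above.

Capture filter : ip host 192.168.1.3     (libpcap/tcpdump syntax)
Display filter : ip.addr eq 192.168.1.3  (Ethereal display-filter syntax)

Both match when the IPv4 source OR destination equals the address.
The bare display-filter token "ip" is a predicate: "frame carries IPv4".
All frames below are constructed for this example, not real captures.
"""
import socket
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def build_ipv4_frame(src, dst, proto=1, payload=b""):
    """Constructed Ethernet II + IPv4 frame (dummy MACs, zero checksum)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IP)
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_arp_frame():
    """Constructed Ethernet II frame carrying a (blank) ARP body: not IP."""
    return bytes(12) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def is_ip(frame):
    """Display filter 'ip': true iff the frame carries an IPv4 packet."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte IPv4 header
        return False
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return ethertype == ETHERTYPE_IP and (frame[14] >> 4) == 4


def ip_addr_eq(frame, addr):
    """'ip.addr eq addr' / 'ip host addr': IPv4 source or destination is addr."""
    if not is_ip(frame):
        return False
    src = socket.inet_ntoa(frame[26:30])  # IPv4 header offset 12 within frame
    dst = socket.inet_ntoa(frame[30:34])  # IPv4 header offset 16 within frame
    return addr in (src, dst)


def apply_filter(frames, predicate):
    """Return the indices of the frames the predicate accepts."""
    return [i for i, f in enumerate(frames) if predicate(f)]


# Constructed sample capture: two frames involving 192.168.1.3, one
# unrelated IP frame, and one non-IP (ARP) frame.
SAMPLE_FRAMES = [
    build_ipv4_frame("192.168.1.3", "10.0.0.1"),  # matches via source
    build_ipv4_frame("10.0.0.1", "192.168.1.3"),  # matches via destination
    build_ipv4_frame("10.0.0.1", "10.0.0.2"),     # IP, but other hosts
    build_arp_frame(),                            # not IP at all
]

if __name__ == "__main__":
    print("ip                     ->", apply_filter(SAMPLE_FRAMES, is_ip))
    print("ip.addr eq 192.168.1.3 ->",
          apply_filter(SAMPLE_FRAMES, lambda f: ip_addr_eq(f, "192.168.1.3")))
```

Running it shows why the two filters differ: `is_ip` accepts the first three frames (any IPv4 traffic, which is all the bare "ip" token means), whereas `ip_addr_eq` accepts only the two frames that actually involve 192.168.1.3, in either direction.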