
Ethereal-users: Re: [Ethereal-users] tethereal for selective capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 18 Jul 2001 18:40:41 -0700 (PDT)
> I would like to use tethereal on Linux to capture selective capture, 
> i.e. to say tethereal would go on capturing traffic but would only 
> output the filtered packets onto a file.

Tethereal (like tcpdump and snoop) runs in one of two modes:

	captures packets and prints a dissection of the packet to the
	standard output, but doesn't write the packets to a file;

	captures packets and writes them to a file, but doesn't print a
	dissection of them.

In either case, the capture filter specifies which packets are to be
printed or written to the file.

So the way you'd do that with Tethereal would be the same as you'd do it
with tcpdump or snoop - do

	tethereal -i <interface> -w <file> <filter expression>

where <interface> is the name of the interface on which you want to
capture (or, with libpcap 0.6.2 and recent versions of Ethereal, you can
use "all" on Linux to capture from all interfaces), <file> is the file
to which to write the captured packets, and <filter expression> is the
filter expression to use.

> I am interested in traceroutes and ARP packets to be handled this way.

Traceroutes are difficult to identify, unless the traceroute is using
ICMP ECHO requests rather than UDP packets to a random port number.

A capture filter that would handle both ICMP and ARP packets would be

	icmp or arp

> Are such multiple filters possible?

What do you mean by "multiple filters"?

If you mean a filter that matches either ICMP packets or ARP packets,
yes, it's possible - see above.
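
A worked illustration of the selective-capture split described above, added here as an example (it is not code from the post, nor from Ethereal/Tethereal): a small Python script that parses constructed Ethernet frames, applies the "icmp or arp" predicate, and writes only the matching frames to a pcap file, which is the same split tethereal -i <interface> -w <file> "icmp or arp" performs at capture time. The frame bytes, MAC and IP addresses, the helper names (selective_capture, is_udp_traceroute_probe and the rest) and the UDP-traceroute heuristic (UDP to destination ports 33434-33534 with a low TTL) are assumptions made for this example, not taken from the post; the heuristic is included to show concretely why a plain "icmp" filter catches ICMP-echo traceroute probes but misses classic UDP ones.

```python
import os
import struct
import tempfile

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def ethertype(frame):
    """EtherType of an Ethernet II frame (bytes 12-13, big-endian)."""
    return struct.unpack("!H", frame[12:14])[0]

def ipv4_fields(frame):
    """(protocol, ttl, header length in bytes) for an IPv4 frame, else None."""
    if len(frame) < 34 or ethertype(frame) != ETHERTYPE_IPV4:
        return None
    return frame[23], frame[22], (frame[14] & 0x0F) * 4

def is_arp(frame):
    return ethertype(frame) == ETHERTYPE_ARP

def is_icmp(frame):
    fields = ipv4_fields(frame)
    return fields is not None and fields[0] == IPPROTO_ICMP

def icmp_or_arp(frame):
    """The capture filter from the post, "icmp or arp", as a predicate."""
    return is_icmp(frame) or is_arp(frame)

def is_udp_traceroute_probe(frame):
    """Heuristic (an assumption, not from the post) for classic UDP traceroute:
    UDP to the 33434-33534 destination-port range carrying a low TTL."""
    fields = ipv4_fields(frame)
    if fields is None or fields[0] != IPPROTO_UDP:
        return False
    _, ttl, ihl = fields
    udp = frame[14 + ihl:14 + ihl + 8]
    if len(udp) < 8:
        return False
    dport = struct.unpack("!H", udp[2:4])[0]
    return 33434 <= dport <= 33534 and ttl <= 30

def write_pcap(path, frames):
    """Minimal libpcap writer: 24-byte global header, 16-byte record header per frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for sec, frame in enumerate(frames):  # constructed timestamps, 1 s apart
            fh.write(struct.pack("<IIII", sec, 0, len(frame), len(frame)))
            fh.write(frame)

def read_pcap(path):
    """Read the records back so the written file can be checked."""
    with open(path, "rb") as fh:
        data = fh.read()
    frames, pos = [], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[pos:pos + 16])[2]  # incl_len
        frames.append(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
    return frames

def selective_capture(frames, predicate, path):
    """Mirror of tethereal's -w mode: every frame is seen, only matching ones are written."""
    kept = [fr for fr in frames if predicate(fr)]
    write_pcap(path, kept)
    return len(kept)

# Constructed sample traffic (checksums left zero; capture filters never verify them).
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def eth(etype, payload):
    return MAC_B + MAC_A + struct.pack("!H", etype) + payload

def ipv4(proto, ttl, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, IP_A, IP_B)
    return eth(ETHERTYPE_IPV4, hdr + payload)

SAMPLE_FRAMES = [
    ipv4(IPPROTO_ICMP, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),    # ICMP echo probe (traceroute -I), TTL 1
    ipv4(IPPROTO_UDP, 1, struct.pack("!HHHH", 40000, 33434, 8, 0)),  # classic UDP traceroute probe, TTL 1
    eth(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, MAC_A, IP_A, b"\0" * 6, IP_B)),  # ARP request
    ipv4(IPPROTO_TCP, 64, struct.pack("!HHIIBBHHH", 40001, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)),  # TCP SYN, unwanted
    ipv4(IPPROTO_UDP, 64, struct.pack("!HHHH", 40002, 53, 8, 0)),    # ordinary DNS query, not a probe
]

def demo(predicate):
    """Run a selective capture into a temp file; return (frames written, frames read back)."""
    path = os.path.join(tempfile.mkdtemp(), "selective.pcap")
    written = selective_capture(SAMPLE_FRAMES, predicate, path)
    return written, read_pcap(path)

if __name__ == "__main__":
    n, _ = demo(icmp_or_arp)
    print(f'"icmp or arp" kept {n} of {len(SAMPLE_FRAMES)} frames')  # 2 of 5
```

With the "icmp or arp" predicate the script keeps the ICMP echo probe and the ARP request and drops the UDP traceroute probe, the TCP SYN and the DNS query, which is exactly the outcome of the tethereal command in the post. Adding is_udp_traceroute_probe to the predicate picks up the UDP probe as well; the real tool evaluates its capture filter in the kernel (BPF) before packets reach user space, and the closest capture-filter expression for the same heuristic, in libpcap syntax newer than the 2001 version discussed here, would be along the lines of udp dst portrange 33434-33534 and ip[8] <= 30 (ip[8] is the TTL byte), which is a heuristic and not a protocol identity.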