> I'm trying to figure out how to use ethereal. I know,
> point and click...but I'm trying to set up filters
> to only look at a specific IP address and I can't seem
> to get it to work. I create a capture filter called
> yahoo and use a string as ip.addr == x.x.x.x
>
> When I try to use the filter I get a parse error.
>
> Any ideas what I'm doing wrong?

What you're doing wrong is assuming that capture filters and display filters have the same syntax.

Capture filters are implemented not by Ethereal, but by the libpcap/WinPcap library Ethereal uses, so they have the libpcap syntax, not the Ethereal display filter syntax.

That syntax is documented in the documentation for the first libpcap application, tcpdump; WinDump is tcpdump ported to Windows, using WinPcap (which is libpcap ported to Windows), and the WinDump documentation can be found at

    http://netgroup-serv.polito.it/windump/docs/manual.htm

Look in the section that starts with

    expression
        selects which packets will be dumped. If no expression
        is given, all packets on the net will be dumped.
        Otherwise, only packets for which expression is `true'
        will be dumped.

for a description of the syntax.

In particular, the syntax for capturing traffic to or from a particular IP address is

    ip host <address>

where "<address>" can either be an IP address *OR* a host name.