On Sun, Sep 08, 2002 at 12:19:01AM -0500, Perry T. George wrote:
> 1) How do I specify a Capture Filter with multiple exclusions?
>
> e.g. host 10.0.0.xxx and not arp and not bootp

By saying

    host 10.0.0.xxx and not arp and not bootp

(where "xxx" would have to be a number between 0 and 255, of course), as
per various examples in the tcpdump man page:

    http://www.ethereal.com/tcpdump.8.html

(as linked to by the "CAPTURE FILTER SYNTAX" section of the on-line
Ethereal man page:

    http://www.ethereal.com/ethereal.1.html

), such as

    More complex filter expressions are built up by using the words
    and, or and not to combine primitives. E.g., `host foo and not
    port ftp and not port ftp-data'. To save typing, identical
    qualifier lists can be omitted. E.g., `tcp dst port ftp or
    ftp-data or domain' is exactly the same as `tcp dst port ftp or
    tcp dst port ftp-data or tcp dst port domain'.

> 2) How long (how big) can I reasonably let Ethereal run in Capture
> mode if I don't specify a max value? Can it write a file in progress

That's all it does - Ethereal has no in-memory buffer that it fills up
with captured data (other than the buffer used by the "standard I/O"
library it uses to write to files, but when that fills, the I/O library
just writes stuff out and empties the buffer).

The limit would be imposed by the maximum file offset size in Ethereal
and in that I/O library, which is probably a limit of 2GB on most
machines.
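
An added illustration, not part of the original message and not libpcap's code: a simplified Python model of how chained `and not` exclusions in a capture filter combine, run over constructed packets. The `PACKETS` records, the `SERVICES` table and the function names are assumptions made for the example; parentheses and most primitives are left out.

```python
# Simplified model of pcap-filter evaluation (added example, not libpcap code).
SERVICES = {"ftp": 21, "ftp-data": 20, "domain": 53}

# Constructed sample packets carrying only the fields the filter inspects.
PACKETS = [
    {"id": 1, "proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.9", "sport": 40000, "dport": 80},
    {"id": 2, "proto": "arp", "src": "10.0.0.5", "dst": "10.0.0.1"},
    {"id": 3, "proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 40001, "dport": 53},
    {"id": 4, "proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.9", "sport": 40002, "dport": 21},
    {"id": 5, "proto": "tcp", "src": "192.0.2.9", "dst": "10.0.0.5", "sport": 21, "dport": 40003},
]

def primitive(tokens, pkt):
    """Consume one (possibly negated) primitive from tokens and evaluate it."""
    word = tokens.pop(0)
    if word == "not":                      # negation binds tightest
        return not primitive(tokens, pkt)
    if word == "host":                     # libpcap's host also matches ARP carrying the address
        return tokens.pop(0) in (pkt["src"], pkt["dst"])
    if word == "port":
        name = tokens.pop(0)
        port = SERVICES[name] if name in SERVICES else int(name)
        return port in (pkt.get("sport"), pkt.get("dport"))
    if word in ("arp", "tcp", "udp"):
        return pkt["proto"] == word
    raise ValueError(f"unsupported primitive: {word}")

def matches(expr, pkt):
    """and/or have equal precedence and associate left to right."""
    tokens = expr.split()
    result = primitive(tokens, pkt)
    while tokens:
        op = tokens.pop(0)
        rhs = primitive(tokens, pkt)       # always consume the operand
        if op == "and":
            result = result and rhs
        elif op == "or":
            result = result or rhs
        else:
            raise ValueError(f"expected and/or, got: {op}")
    return result

def captured(expr, packets=PACKETS):
    """Return ids of the packets a capture filter would keep."""
    return [p["id"] for p in packets if matches(expr, p)]

if __name__ == "__main__":
    for f in ("host 10.0.0.5", "host 10.0.0.5 and not arp",
              "host 10.0.0.5 and not arp and not port ftp and not port ftp-data"):
        print(f"{f!r:70} -> {captured(f)}")
```

Because `and` and `or` share one precedence level and are applied left to right, `host 10.0.0.7 or host 10.0.0.5 and not arp` drops ARP for both hosts in this model.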