- Subject: Re: [Ethereal-users] Problems with Perl regular expression (PCRE) and tethereal
- From: Nicholas George <nick.george@xxxxxxxxx>
- Date: Fri, 2 Dec 2005 10:30:50 -0500
Hi Guy,
Thank you very much for your help, it was helpful. I will remember to
use "echo" in the future - I should've figured it out for myself
:P
The reason I got a bit confused is because of this little snippet from the tethereal man page:
"A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require Tethereal to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r flag was specified) and a read filter if a capture file is being read (i.e., if a -r flag was specified)."
From my interpretation, it's saying that you don't have to quote filter
expressions as long as they are after the option arguments. However
from what we've experienced, this doesn't seem to be so. Bummer!
On a completely separate note, is there any way of getting tethereal to
dump the contents of a tcp session (a la "follow tcp stream") to a
file? I know this has been discussed before on the mailing list, but
because there doesn't seem to be a mailing-list search tool, I can't
find a response to this issue. I've been using the tcpflow tool which
so far does an excellent job, however it doesn't seem to be under
active development (no releases since '03). This either means the tool
is so good that it doesn't need to be updated, or there doesn't seem to
be much community interest in this kind of tool. It would be awesome if
tethereal had this sort of capability.
In answer to your question about what does
tethereal -r in.dmp 'frame matches "GET /file\\.htm HTTP/1\\.1"'
do? - It works.
Cheers,
Nick
Nicholas George wrote:
I am having a problem searching a pcap dump file using the perl
regular expression syntax for tethereal. I've found the documentation
to be sparse. :(
I would like to do something like:
tethereal -r in.dmp frame matches 'GET /file\.htm HTTP/1\.1'
However, it won't work unless I do:
tethereal -r in.dmp frame matches '"GET /file\\.htm HTTP/1\\.1"'
I don't understand why; aren't these two lines the same? (I'm using
the bash shell.)
No, they're not:
$ echo -r in.dmp frame matches 'GET /file\.htm HTTP/1\.1'
-r in.dmp frame matches GET /file\.htm HTTP/1\.1
$ echo -r in.dmp frame matches '"GET /file\\.htm HTTP/1\\.1"'
-r in.dmp frame matches "GET /file\\.htm HTTP/1\\.1"
Note the double-quotes in the second line.
The error message I get is:
tethereal: "/" was unexpected in this context
The first command would pass to Tethereal the arguments
-r
in.dmp
frame
matches
GET
/file\.htm
HTTP/1\.1
After "-r in.dmp", the remaining tokens get glued together into a single
string, and that string is parsed; the parsing cuts it back up into
tokens, and
frame matches GET /file\.htm HTTP/1\.1
isn't valid, as GET is the right-hand argument to the "matches"
operator, and the /file\.htm and HTTP/1\.1 are just extra junk.
The second command would pass to Tethereal the arguments
-r
in.dmp
frame
matches
"GET /file\\.htm HTTP/1\\.1"
and the resulting filter string would be
frame matches "GET /file\\.htm HTTP/1\\.1"
which would be cut into *three* tokens: "frame", "matches", and "GET
/file\\.htm HTTP/1\\.1". The right-hand argument to the "matches"
operator is the entire string "GET /file\\.htm HTTP/1\\.1".
It also doesn't work if I try:
tethereal -r in.dmp frame matches "\"GET /file\\.htm HTTP/1\\.1\""
although this time I get no error message.
$ echo -r in.dmp frame matches "\"GET /file\\.htm HTTP/1\\.1\""
-r in.dmp frame matches "GET /file\.htm HTTP/1\.1"
It DOES work if I try:
tethereal -r in.dmp -R 'frame matches "GET /file\\.htm HTTP/1\\.1"'
$ echo -r in.dmp -R 'frame matches "GET /file\\.htm HTTP/1\\.1"'
-r in.dmp -R frame matches "GET /file\\.htm HTTP/1\\.1"
This appears to be a \ vs. \\ issue, although I'm not sure why \\ works
and \ doesn't.
My questions are:
What is the point of the -R?
Perhaps nothing - what does
tethereal -r in.dmp 'frame matches "GET /file\\.htm HTTP/1\\.1"'
do?
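The two layers of quote processing discussed in this thread, bash's word splitting and then tethereal's "glue the remaining arguments and re-tokenize" step that Guy describes, as an added example that is not part of the thread and not tethereal's or Ethereal's own code. It approximates bash quoting with Python's shlex in POSIX mode and uses a simplified, hypothetical filter-string lexer (filter_tokens, my own teaching model, not Ethereal's scanner) in which a backslash inside a double-quoted string keeps the character after it. Under that assumption the four command lines from the thread come out as follows: the single-quoted form is cut into five tokens and cannot parse; the doubled-backslash forms (with and without -R) deliver the regex `GET /file\.htm HTTP/1\.1` to the matches operator; and the bash double-quoted form loses one backslash layer in the shell and the other in the filter string, so the operator receives unescaped dots.

```python
import re
import shlex

# Added example, not code from the thread or from tethereal. ASSUMPTION:
# filter_tokens() is a simplified model of a display-filter string lexer,
# not Ethereal's real scanner; shlex in POSIX mode stands in for bash.

# The four command lines from the thread, as typed at a bash prompt.
CMD_SINGLE_QUOTED = r"""tethereal -r in.dmp frame matches 'GET /file\.htm HTTP/1\.1'"""
CMD_QUOTED_STRING = r"""tethereal -r in.dmp frame matches '"GET /file\\.htm HTTP/1\\.1"'"""
CMD_DOUBLE_QUOTED = r'''tethereal -r in.dmp frame matches "\"GET /file\\.htm HTTP/1\\.1\""'''
CMD_DASH_R = r"""tethereal -r in.dmp -R 'frame matches "GET /file\\.htm HTTP/1\\.1"'"""


def filter_tokens(filter_text):
    """Cut a glued filter string into tokens.

    Whitespace separates tokens, except inside a double-quoted string, which
    becomes one token with its quotes removed. Inside the quotes a backslash
    keeps the character that follows it (a doubled backslash yields a single
    backslash); that escape rule is the assumption this model makes.
    """
    tokens = []
    i, n = 0, len(filter_text)
    while i < n:
        c = filter_text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            i += 1
            buf = []
            while i < n and filter_text[i] != '"':
                if filter_text[i] == "\\" and i + 1 < n:
                    buf.append(filter_text[i + 1])   # escaped: keep next char
                    i += 2
                else:
                    buf.append(filter_text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated double-quoted string")
            i += 1                                    # skip closing quote
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and not filter_text[j].isspace():
                j += 1
            tokens.append(filter_text[i:j])
            i = j
    return tokens


def tethereal_view(command_line):
    """Return (argv, filter_string, tokens) for a 'tethereal -r FILE ...' line.

    argv is what bash hands to the program. With -R the next argument is the
    whole filter; otherwise every argument after '-r FILE' is glued together
    with spaces and that string is re-tokenized, as described in the thread.
    """
    argv = shlex.split(command_line)          # POSIX-mode shlex ~ bash quoting rules
    rest = argv[3:]                           # everything after: tethereal -r in.dmp
    filter_string = rest[1] if rest[:1] == ["-R"] else " ".join(rest)
    return argv, filter_string, filter_tokens(filter_string)


def regex_seen_by_matches(command_line):
    """The right-hand operand 'frame matches' would receive, or None when the
    glued filter does not reduce to exactly 'frame matches <string>'."""
    tokens = tethereal_view(command_line)[2]
    if len(tokens) != 3 or tokens[:2] != ["frame", "matches"]:
        return None                           # extra tokens: the parser rejects it
    return tokens[2]


def dots_are_literal(regex):
    """True if the regex accepts the intended request line but rejects one
    whose dots were replaced, i.e. the backslashes survived both layers."""
    return (re.search(regex, "GET /file.htm HTTP/1.1") is not None
            and re.search(regex, "GET /fileXhtm HTTP/1X1") is None)


if __name__ == "__main__":
    for name, cmd in [("single-quoted", CMD_SINGLE_QUOTED),
                      ("quoted string inside single quotes", CMD_QUOTED_STRING),
                      ("bash double quotes", CMD_DOUBLE_QUOTED),
                      ("-R", CMD_DASH_R)]:
        argv, glued, toks = tethereal_view(cmd)
        rx = regex_seen_by_matches(cmd)
        print(f"{name}:")
        print(f"  shell argv   : {argv[3:]}")
        print(f"  glued filter : {glued}")
        print(f"  tokens       : {toks}")
        print(f"  regex seen   : {rx!r}; literal dots: {rx is not None and dots_are_literal(rx)}")
```

Running it prints each stage for all four forms. The practical check when writing a read filter for detection work is the last line: confirm the regex the operator actually receives, because a dot that lost its backslash somewhere in the quoting layers matches any character and silently widens the filter without producing any error.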