Ethereal

Re: [Ethereal-users] help with filter strings

Ethereal-users: December 2005


Leo Jose wrote:

I want to set a Capture Filter.
1) What will be the 'Filter string' to capture data on TCP port 7878 of my machine?

As per the tcpdump/WinDump man page (for the version of tcpdump or WinDump that corresponds to the version of libpcap/WinPcap Ethereal is using), it's

	tcp port 7878

2) What will be the 'Filter string' to capture data between two machines only (IP1 <-> IP2)?

	host ip1 and ip2

Will the filter strings be the same for the Display Filter also?

No. They'd be

	tcp.port == 7878

and

	ip.addr == ip1 and ip.addr == ip2

For various reasons, we should probably add support for display filters that have the same syntax as capture filters (reason 1 is that you can use the same filter for both, reason 2 is that we might be able to avoid building the protocol tree for many of those filters and test the information used to generate the columns, reason 3 is that it's more obvious that the negation of "host XXX" is "not host XXX" than it is that the negation of "ip.addr == XXX" is "not (ip.addr == XXX)" and *NOT* "ip.addr != XXX", ...). We haven't done that yet, however.
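
Added example (not part of the original message and not Ethereal code): a small Python model of the negation point in reason 3. It assumes that a display-filter comparison on ip.addr is true when either the source or the destination address satisfies it; the packets, addresses and function names are constructed for illustration.

```python
# Models how a display-filter comparison behaves on a field that occurs
# more than once per packet (ip.addr covers source AND destination).
# Assumption: a comparison is true if ANY occurrence of the field satisfies it.
# The packets are constructed sample data using documentation addresses.

PACKETS = [
    {"src": "192.0.2.1", "dst": "192.0.2.2"},       # 0: ip1 -> ip2
    {"src": "192.0.2.2", "dst": "192.0.2.1"},       # 1: ip2 -> ip1
    {"src": "192.0.2.1", "dst": "198.51.100.9"},    # 2: ip1 -> third party
    {"src": "198.51.100.9", "dst": "203.0.113.5"},  # 3: unrelated traffic
]
IP1, IP2 = "192.0.2.1", "192.0.2.2"


def ip_addr(pkt):
    """Return every value the ip.addr field takes in this packet."""
    return [pkt["src"], pkt["dst"]]


def addr_eq(pkt, x):
    """ip.addr == x : true if any occurrence equals x."""
    return any(a == x for a in ip_addr(pkt))


def addr_ne(pkt, x):
    """ip.addr != x : true if any occurrence differs from x."""
    return any(a != x for a in ip_addr(pkt))


def select(pred):
    """Indexes of the sample packets a filter would display."""
    return [i for i, p in enumerate(PACKETS) if pred(p)]


def between_hosts():       # ip.addr == ip1 and ip.addr == ip2
    return select(lambda p: addr_eq(p, IP1) and addr_eq(p, IP2))


def naive_negation():      # ip.addr != ip1
    return select(lambda p: addr_ne(p, IP1))


def correct_negation():    # not (ip.addr == ip1)
    return select(lambda p: not addr_eq(p, IP1))


if __name__ == "__main__":
    print("ip.addr == ip1 and ip.addr == ip2 :", between_hosts())
    print("ip.addr != ip1                    :", naive_negation())
    print("not (ip.addr == ip1)              :", correct_negation())
```

Under this model "ip.addr != ip1" still displays every packet that ip1 sends or receives, because the other address in each of those packets differs from ip1; only "not (ip.addr == ip1)" hides them.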

