On Wed, Feb 19, 2003 at 08:36:04PM +0100, Sean Hackstein wrote:
> To make things clear :
> I try to typ the filter direct into :
> Capture/start -> Ethereal: Capture Options
> Filter->
>
> mybe that's wrong ?
Given that you said, in your earlier message:
i'm new to ethereal and didn't manage to get a display filter working
^^^^^^^
either
1) typing it into the "Filter:" field in the "Capture Options"
dialog box is wrong
or
2) saying "...didn't manage to get a display filter working",
rather than "...didn't manage to get a *capture* filter
working", was wrong. :-)
I suspect the latter was the error here.
If you want to control which packets Ethereal *captures*, rather than
the subset of the captured packets in the display, you need a capture
filter; the syntax for those is different from the syntax for display
filters (capture filters are compiled by the libpcap/WinPcap library
that Ethereal uses to do packet capture, display filters are compiled by
Ethereal).
To do a *capture* filter to check for MAC addresses beginning with
00:30:84:1c, you'd do
ether[0:4] = 0x0030841c or ether[6:4] = 0x0030841c
(Note that in capture filters the number after the : has to be 1, 2, or 4
- you can't use 3, and you can't use a number greater than 4; capture
filters are not as general as display filters in that regard. You just
happen to be lucky that you want to check the first 4 bytes of the
address.)
