The same holds true for Packetyzer, which I gather uses Ethereal under the covers as an analysis engine, but which seems to use the same syntax for capture and display filters.
On Thu, 2003-06-26 at 08:19, mike wrote:
> Hi Guy,
>
> You're certainly right that the syntax etc is all based on bpf/libpcap. A
> great deal of my capturing is done with tcpdump on IDSes or non-X machines
> and I use Ethereal for post capture analysis. However, I wrote this primer
> because the Ethereal help for capture filters freaks a lot of people. There
> is only reference to the pcap lib and tcpdump man page. To some people
> coming from a windows background, this just adds to the
> confusion/frustration. By putting up a primer that leads people through the
> required capture syntax, my hope is that this builds understanding and
> confidence with Ethereal's underlying capture facility (libpcap/winpcap) and
> they will refer back to the tcpdump man page and expand on what they learned
> from my page. This is why at the beginning of my primer, I refer people to
> the tcpdump man page as the complete source of information.
> I understand that these filters can be used for so many other programs. While
> snort can take capture filter files and command line filters, it also
> provides people with the ability to avoid this by using custom rulesets with
> simple keywords in place of capture syntax. My preference was to narrow it
> down to just 'naming' Ethereal because this seems to be where a great deal of
> cross-over with the windows community occurs and most of the confusion with
> capture filters.
>
> Thanks,
> Mike
>
>
> On Wednesday 25 June 2003 02:45 pm, Guy Harris wrote:
> > On Wednesday, June 25, 2003, at 11:28AM, mike wrote:
> > > I have a capture filter primer on my website:
> > > http://home.insight.rr.com/procana
> >
> > You might want to rename it "Designing Capture Filters for
> > tcpdump/Ethereal/Snort/etc.", as it applies to any program using
> > libpcap, not just Ethereal.
--
James V. Fields