Capturing Live Network Data
4.8. Filtering while capturing
Ethereal uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent.
You will find a lot of Capture Filter examples at http://wiki.ethereal.com/CaptureFilters.
You enter the capture filter into the Filter field of the Ethereal Capture Options dialog box, as shown in Figure 4.2, “The "Capture Options" dialog box”. The following is an outline of the syntax of the tcpdump capture filter language. See the expression section of the tcpdump manual page for details: http://www.tcpdump.org/tcpdump_man.html.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a particular host”.
Example 4.1. A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host
This example captures telnet traffic to and from the host, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from”, and shows how to capture all telnet traffic except that from
Example 4.2. Capturing all telnet traffic not from
tcp port 23 and not host
XXX- add examples to the following list. A primitive is simply one of the following:
[src|dst] host <host>
    This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.
ether [src|dst] host <ehost>
    This primitive allows you to filter on Ethernet host addresses.
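As an added example (not Ethereal's or tcpdump's own code), the following Python evaluator implements the grammar outlined above and the host primitive's src|dst semantics from the table, plus a [tcp|udp] port primitive so that the two telnet filters of Examples 4.1 and 4.2 can be run against constructed packet records; the addresses, ports and records are made-up values for the demonstration. It also goes one step beyond the text by applying libpcap's real precedence rules: not binds tightest, and and/or have equal precedence and associate left to right.

```python
# Added example (not Ethereal/tcpdump code): evaluate the capture-filter grammar
# above over constructed packet records, for the host and port primitives only.
PACKETS = [  # constructed records standing in for captured frames; addresses made up
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40001, "dport": 23},
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.5", "sport": 23, "dport": 40001},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.1", "sport": 40002, "dport": 23},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40003, "dport": 23},
]
def _matcher(kind, value, proto, direction):
    # [tcp|udp] [src|dst] host <h> / port <n>; without src|dst either end may match
    ends = ("src", "dst") if kind == "host" else ("sport", "dport")
    def m(p):
        if proto and p["proto"] != proto:
            return False
        if direction is None:
            return value in (p[ends[0]], p[ends[1]])
        return value == p[ends[direction == "dst"]]
    return m
def _parse_primitive(toks, i):
    proto = direction = None
    if i < len(toks) and toks[i] in ("tcp", "udp"):
        proto, i = toks[i], i + 1
    if i < len(toks) and toks[i] in ("src", "dst"):
        direction, i = toks[i], i + 1
    if i + 1 >= len(toks) or toks[i] not in ("host", "port"):
        raise ValueError("incomplete or unknown primitive at token %d" % i)
    value = int(toks[i + 1]) if toks[i] == "port" else toks[i + 1]
    return _matcher(toks[i], value, proto, direction), i + 2
def _parse_factor(toks, i):  # factor := ['not'] primitive; 'not' binds tightest
    if i < len(toks) and toks[i] == "not":
        inner, i = _parse_factor(toks, i + 1)
        return (lambda p: not inner(p)), i
    return _parse_primitive(toks, i)
def _combine(a, b, op):  # fresh closure per call keeps each pair of operands bound
    return (lambda p: a(p) and b(p)) if op == "and" else (lambda p: a(p) or b(p))
def compile_filter(text):
    # expr := factor ([and|or] factor)*; libpcap gives and/or equal precedence, left to right
    toks = text.split()
    f, i = _parse_factor(toks, 0)
    while i < len(toks):
        if toks[i] not in ("and", "or"):
            raise ValueError("expected and/or at token %d, got %r" % (i, toks[i]))
        right, j = _parse_factor(toks, i + 1)
        f, i = _combine(f, right, toks[i]), j
    return f
def apply_filter(text, packets=PACKETS):
    # the records a capture run with this filter would keep
    f = compile_filter(text)
    return [p for p in packets if f(p)]
```

Compare apply_filter("tcp port 23 and host 10.0.0.5") with apply_filter("port 23 and host 10.0.0.5"): dropping the tcp qualifier lets the UDP record through, which is the kind of over-capture a loose filter silently produces.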