How to configure a capture filter for Ethereal.

(Last modified: 07Jul2003)

This document (10084702) is provided subject to the disclaimer at the end of this document.

goal

How to configure a capture filter for Ethereal.

fact

Ethereal 0.9.13

fix

You can create a capture filter for Ethereal from either the main window or from the Capture window. The process of creating a capture filter is similar for both cases.

From Ethereal's main window you can select the menu option File, and then Capture Filters.

From the Edit Capture Filters window we can now create a filter. This filter will only be available for this Ethereal session unless you enter a name for the filter, click the New button, and then click the Save button.

The second method starts from the Capture window. First select the menu option Capture, and then select Start.

Now the Capture Options window is displayed.

In the Filter field you can type the capture filter condition for this capture session; if you would like to make the capture filter permanent, click the Filter button instead.

To create a new filter, enter the name of the filter in the Filter name field. This can be any name you want; I try to use something descriptive.

In this case I want to configure a filter that captures all packets to and from my workstation, based on its MAC address. I could also configure one for the IP address, but what if there is an IPX packet or some other packet that is not an IP packet? A capture filter on the IP address would not capture that type of packet. This is why it is recommended that capture filters be based on the MAC address rather than on the host (IP) address of the device. Also remember that in DHCP environments host addresses are dynamic and change, so if you create a capture filter on a dynamic IP address you might not capture the same device tomorrow as you did today. The MAC address belongs to the network adapter installed in the device, so unless you change the network adapter you can be assured that the MAC address will remain the same. In some cases it might be preferable to capture on other specific information, but in this example I will use the MAC address of my workstation.

Now how do I get the MAC address of my workstation? This depends on the OS. On Unix-based systems you might use ifconfig from a shell prompt, whereas on Windows NT-based computers you run ipconfig /all from a command prompt.


So the MAC address of my workstation is 00-B0-D0-12-6A-60. All we need to do is copy this information into the Filter string field with the proper syntax. Unfortunately, at this point in time there is no wizard to fill in this information; you must enter the capture syntax manually. There are many different things you can tell Ethereal to capture on, but we mainly need only a few. Capture filters are defined by the pcap libraries that Ethereal uses, and the WinPcap website has documentation on the syntax you can use. This solution gives examples of MAC and IP address filters. For other syntax please refer to the online documentation found at:

http://winpcap.polito.it/docs/default.htm

Because Ethereal uses libpcap as its capture driver, the capture filter syntax is different from the display filter syntax you normally use within Ethereal. The syntax provided below is for capture filters only; it will not work anywhere else within Ethereal.

host - matches packets whose source or destination IP address is the given address

ether host - matches packets whose source or destination MAC address is the given address

So to capture my workstation by its MAC address I would enter

ether host 00:b0:d0:12:6a:60

Note: capture filter syntax is case sensitive. Unless noted otherwise, always use lower case.


Now if I want this capture filter to be saved so that it is available the next time I start Ethereal, I click the New button to add it to the list above and then click the Save button to save it to my preference files.

If I click the OK button at this time, the selected filter is added to the Capture window.


So what would be the correct capture filter syntax for capturing by an IP address?

Just specify the keyword host followed by the IP address.

Capture filters can be made more complex by stringing together multiple conditions with logical operators. For example, let's say I wanted to capture all packets to and from 2 or 3 devices on the network. The most commonly used operators are:

symbol    English syntax
&&        and
||        or
!&        not and
!|        not or

For example, I could capture traffic between the MAC address of my workstation and the MAC address of my server. The Filter string I typed in was

ether host 00:80:29:61:28:d1 and ether host 00:80:6a:26:7d:83

Note: "ether host 00:80:29:61:28:d1 and ether host 00:80:6a:26:7d:83" is the same as "ether host 00:80:29:61:28:d1 && ether host 00:80:6a:26:7d:83". You can use either the English syntax or the symbol in your logic statements.

If I had another server I wanted to include, I could add it with a small adjustment to the Filter string. For example:

ether host 00:80:29:61:28:d1 and (ether host 00:80:6a:26:7d:83 or ether host 00:80:29:46:a2:3e)

In this example the capture filter keeps all packets between host 00:80:29:61:28:d1 and either of the other two MAC addresses. Notice that the parentheses tell Ethereal how to group the conditions in the statement.
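The filters built in this solution can be tried out offline before a live capture. The following Python block is an added example, not part of this document, of Ethereal, or of libpcap: it models the subset of the capture filter language used here (host, ether host, and/&&, or/||, not/!, and parentheses, with libpcap's precedence of not over and over or), normalises a MAC address as ipconfig /all prints it (00-B0-D0-12-6A-60) into the lower-case, colon-separated form used in the ether host filters above, and reports which of a few constructed sample frames each filter string would keep. The sample frames, their names and their IP addresses (192.0.2.x) are constructed for the example; the MAC addresses are the ones used in this solution. It shows two points made above in practice: a host filter misses the IPX frame that an ether host filter catches, and moving the parentheses changes which frames match.

```python
# Added example (not part of Ethereal or libpcap): a small model of the capture
# filter primitives this document uses, run against constructed sample frames.
import re
from dataclasses import dataclass
from typing import Optional

PCAP_MAC = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")  # the form the filter expects
TOKEN = re.compile(r"\(|\)|&&|\|\||!|[^\s()!&|]+")      # keywords, addresses, operators

def normalize_mac(text: str) -> str:
    """'00-B0-D0-12-6A-60' (as printed by ipconfig /all) -> '00:b0:d0:12:6a:60'."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(p.lower() for p in parts)

@dataclass(frozen=True)
class Frame:
    """Header fields the filter looks at; IP fields are None for non-IP frames (IPX)."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

class CaptureFilter:
    """Recursive-descent parser for 'host' / 'ether host' joined by and, or, not
    (or &&, ||, !) and parentheses, with libpcap's precedence: not > and > or."""

    def __init__(self, expression: str):
        self.tokens, self.pos = TOKEN.findall(expression), 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("filter ended early")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _binary(self, ops, kind, operand):   # left-associative chain of one operator
        node = operand()
        while self._peek() in ops:
            self._take()
            node = (kind, node, operand())
        return node

    def _expr(self):                          # expr := term (or term)*
        return self._binary(("or", "||"), "or", self._term)

    def _term(self):                          # term := factor (and factor)*
        return self._binary(("and", "&&"), "and", self._factor)

    def _factor(self):                        # factor := not factor | (expr) | primitive
        tok = self._take()
        if tok in ("not", "!"):
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "host":
            return ("host", self._take())
        if tok == "ether" and self._take() == "host":
            mac = self._take()
            if not PCAP_MAC.fullmatch(mac):   # lower-case, colon-separated only
                raise ValueError(f"write the MAC as aa:bb:cc:dd:ee:ff, got {mac!r}")
            return ("ether", mac)
        raise ValueError(f"unknown keyword {tok!r} (keywords are lower case)")

    def matches(self, frame: Frame, node=None) -> bool:
        kind, *args = node or self.ast
        if kind == "and":
            return self.matches(frame, args[0]) and self.matches(frame, args[1])
        if kind == "or":
            return self.matches(frame, args[0]) or self.matches(frame, args[1])
        if kind == "not":
            return not self.matches(frame, args[0])
        if kind == "host":                    # either direction, like libpcap's 'host'
            return args[0] in (frame.src_ip, frame.dst_ip)
        return args[0] in (frame.src_mac, frame.dst_mac)

# Constructed sample frames (not from the document); the workstation MAC is the one read from ipconfig /all.
WORKSTATION = normalize_mac("00-B0-D0-12-6A-60")
SAMPLE_FRAMES = {
    "ws->server1 (IP)": Frame(WORKSTATION, "00:80:6a:26:7d:83", "192.0.2.10", "192.0.2.20"),
    "server2->ws (IP)": Frame("00:80:29:46:a2:3e", WORKSTATION, "192.0.2.30", "192.0.2.10"),
    "ws->server1 (IPX)": Frame(WORKSTATION, "00:80:6a:26:7d:83"),
    "server1->server2": Frame("00:80:6a:26:7d:83", "00:80:29:46:a2:3e", "192.0.2.20", "192.0.2.30"),
}

def select(expression: str) -> list:
    """Names of the sample frames the capture filter would keep."""
    f = CaptureFilter(expression)
    return [name for name, frame in SAMPLE_FRAMES.items() if f.matches(frame)]
```

select() returns the names of the frames a filter keeps: ether host 00:b0:d0:12:6a:60 keeps the IPX frame while host 192.0.2.10 does not, and "A or B and host X" keeps a different set than "(A or B) and host X". CaptureFilter raises ValueError for a capitalised keyword such as Ether, for a dashed MAC as copied straight from ipconfig, or for a filter that ends after an operator, which mirrors the note on case and syntax above. The real libpcap grammar is larger than this model (it accepts more primitives and qualifiers), so treat the model as a check of the logic, not of every string libpcap would accept.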

Another good source of information on the creation of Capture filters for Ethereal can be found at:

http://home.insight.rr.com/procana/


note

Note: Ethereal is a free, open source product. Novell does not provide support for this product. The purpose of this solution is to provide Novell employees and its customers with information regarding the use of this free tool. To download it, report issues, or request enhancements, please consult the Ethereal website at http://www.ethereal.com

document

Document Title: How to configure a capture filter for Ethereal.
Document ID: 10084702
Solution ID: NOVL90720
Creation Date: 02Jul2003
Modified Date: 07Jul2003
Novell Product Class: Netware Client

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.