Capture filters operate quickly and are good for limiting the number of packets captured by Ethereal.
The capture filter language has keywords for comparing host names and addresses, hardware addresses, ports, and protocols.
Tcpdump can dissect many protocols and fields, but only a handful of those protocols and fields are available in the tcpdump filter (or “capture filter”) language.
To test individual fields in a bit-field correctly, you must use the bitwise AND operator: &.
Display filters are slower than capture filters, but allow you to test almost any field or protocol that Ethereal knows how to dissect.
Display filter fields are typed; each type of field can hold only certain types of values.
The contains operator searches for text; the matches operator searches using regular expressions.
Take care when testing fields that occur multiple times in a packet; the way you might think to test these fields may be the wrong way.
The Capture Filter and Display Filter dialog boxes let you save your filters.
The Filter Expression dialog box lets you create display filters by pointing and clicking.
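
The two pitfalls named above (testing one bit of a bit-field, and testing a field that occurs more than once in a packet) are modelled in the following added example, which is not from the original text. It assumes Ethereal's rule that a display filter comparison is true when any occurrence of the field satisfies it; the packets, addresses and helper names are constructed for illustration.

```python
# Added illustration; packets and addresses below are constructed samples.

# Each packet lists every value a field takes. ip.addr occurs twice per
# packet (source and destination); tcp.flags is the raw byte at tcp[13].
PACKETS = [
    {"no": 1, "ip.addr": ["10.0.0.5", "192.0.2.10"], "tcp.flags": 0x02},      # SYN
    {"no": 2, "ip.addr": ["192.0.2.10", "10.0.0.5"], "tcp.flags": 0x12},      # SYN+ACK
    {"no": 3, "ip.addr": ["192.0.2.10", "198.51.100.7"], "tcp.flags": 0x10},  # ACK
]
TCP_SYN = 0x02


def any_eq(pkt, field, value):
    """field == value: true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt[field])


def any_ne(pkt, field, value):
    """field != value: true if ANY occurrence of the field differs from value."""
    return any(v != value for v in pkt[field])


def select(predicate):
    """Return the numbers of the sample packets the predicate accepts."""
    return [p["no"] for p in PACKETS if predicate(p)]


def exclude_host_naive(host):
    # Models: ip.addr != host  (one of the two addresses always differs)
    return select(lambda p: any_ne(p, "ip.addr", host))


def exclude_host_correct(host):
    # Models: !(ip.addr == host)  (no occurrence equals host)
    return select(lambda p: not any_eq(p, "ip.addr", host))


def syn_by_equality():
    # Models: tcp[13] == 2  (whole byte compared, so SYN+ACK is missed)
    return select(lambda p: p["tcp.flags"] == TCP_SYN)


def syn_by_mask():
    # Models: tcp[13] & 2 != 0  (only the SYN bit is tested)
    return select(lambda p: (p["tcp.flags"] & TCP_SYN) != 0)


if __name__ == "__main__":
    print(exclude_host_naive("10.0.0.5"), exclude_host_correct("10.0.0.5"))
    print(syn_by_equality(), syn_by_mask())
```

The naive exclusion keeps every packet, including the two that involve the host it was meant to hide, while the equality test on the flags byte drops the SYN+ACK packet that the masked test keeps.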