Chapter 5: Filters




Introduction

When capturing packets from a network interface, Ethereal’s default behavior is to capture every packet that the operating system’s device driver provides. On a lightly loaded home network this is not a problem, but on a busy network at a large enterprise the deluge of packets would prove too much for the user to handle. Ethereal provides capture filters, which allow you to capture only the packets in which you are interested. When a capture filter is in place, the operating system (OS) sends only the matching packets to Ethereal for processing.

Once your packets are loaded into Ethereal, there still may be too many packets for you to easily focus on the problem you’re trying to solve. For this situation Ethereal provides display filters, which allow you to specify which packets are shown in Ethereal’s Graphical User Interface (GUI). As all of the packets are still in memory, they will once again become visible when you reset your display filter.

The reason that there is a distinction between capture filters and display filters is not due to their different uses, but instead to how they are implemented in Ethereal. The Ethereal program does not know how to capture packets from network interfaces by itself. Instead, it relies on a program library to do the packet capturing. On UNIX this library is pcap (also known as libpcap), maintained by the same group that develops tcpdump, the venerable UNIX command-line sniffer available at www.tcpdump.org. On Windows, this library is WinPcap, a device driver and dynamic link library (DLL) that provides a pcap interface for Windows programs. For convenience, we’ll refer to pcap and WinPcap simply as pcap, since for our purposes they are operationally equivalent.

It is the pcap library that provides the capture-filtering mechanism to Ethereal. The pcap library provides a very fast filtering engine, which is important because running a filter on a packet consumes processing power on your computer: the packet data has to be examined to determine whether it passes the filter condition. Consequently, if that examination takes too long, your operating system might not have time to handle the next incoming packet, and the result is a dropped packet.

The speed of capture filters is great for live captures, but pcap’s filter language is not powerful or expressive enough for many sniffing or analysis needs. The language itself allows you to test only a few fields from a few protocols. To overcome this deficiency, display filters were introduced to Ethereal. These display filters are a packet filter language completely distinct from pcap’s packet filter language. Almost every protocol and field that Ethereal knows how to retrieve from a packet has a name, and Ethereal lets you use those protocol names and field names to filter the packets that are displayed. Display filters rely on a complete dissection of the packet by Ethereal, and thus are much slower than capture filters, which inspect only a handful of fixed fields. Each type of filter has its place: capture filters are good for quickly discarding packets from a live network interface, while display filters are good for fine-tuning which packets you see after the packets have been loaded into Ethereal.
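To make the distinction concrete, the following added example (not code from the book, pcap, or Ethereal) contrasts the two filter styles on one constructed Ethernet/IPv4/TCP frame: a capture-filter-style check that tests a few bytes at fixed offsets, in the spirit of pcap’s "ip and tcp dst port 80", versus a display-filter-style check that first dissects every layer into named fields (eth.type, ip.src, tcp.dstport, http.request.method) and then evaluates a predicate over those names. The dissector is a deliberately minimal stand-in for Ethereal’s, and the frame is sample data, not a real capture.

```python
import socket
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP (not a real capture).
def build_frame(src_ip, dst_ip, dst_port, payload):
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)            # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4,
                      0x18, 65535, 0, 0) + payload                   # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

# Capture-filter style: a few fixed-offset byte tests and nothing more.
# Cheap enough to run on every packet the driver hands over.
def capture_filter_tcp_dst_port(frame, port):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # ethertype must be IPv4
        return False
    if frame[23] != 6:                                   # IP protocol must be TCP
        return False
    ihl = (frame[14] & 0x0F) * 4                         # IP header length in bytes
    off = 14 + ihl + 2                                   # TCP destination port
    return len(frame) >= off + 2 and struct.unpack("!H", frame[off:off + 2])[0] == port

# Display-filter style, step 1: dissect every layer into named fields
# (a toy stand-in for Ethereal's dissectors, which do far more work).
def dissect(frame):
    fields = {"eth.type": struct.unpack("!H", frame[12:14])[0]}
    if fields["eth.type"] != 0x0800:
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields["ip.src"] = socket.inet_ntoa(frame[26:30])
    fields["ip.dst"] = socket.inet_ntoa(frame[30:34])
    fields["ip.proto"] = frame[23]
    if fields["ip.proto"] == 6:
        tcp = frame[14 + ihl:]
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                 # skip TCP header (data offset)
        if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            fields["http.request.method"] = payload.split(b" ", 1)[0].decode()
    return fields

# Display-filter style, step 2: evaluate a predicate over field names.
def display_filter(frame, predicate):
    return predicate(dissect(frame))

if __name__ == "__main__":
    frame = build_frame("10.0.0.1", "10.0.0.2", 80, b"GET / HTTP/1.1\r\n\r\n")
    print(capture_filter_tcp_dst_port(frame, 80))                                      # True
    print(display_filter(frame, lambda f: f.get("http.request.method") == "GET"))      # True
```

The capture-style check never looks past the TCP port bytes, which is why it is cheap; the display-style check cannot answer a question about http.request.method without first parsing every enclosing layer.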






Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
