Ethereal capture filter

From TD-er's Wiki
Revision as of 17:17, 30 January 2007 by Gijs (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Filtering Packets with Ethereal

Setting filters with the Windows version of Ethereal is not as simple as it could be. This document shows only the basic capture filtering.

Once you have mastered making a simple filter you can try some of the more advanced ones described in Ethereal Advanced Packet Capture Filtering.

For Display Filtering take a look at Ethereal Setting Display Filters for a description of how to make and reuse simple display filters.

Capture Filters

The first thing you should know is that Ethereal uses two types of filters, one for capture and one for display, and the string formats are different. This means that it is not possible to use the same filter for both activities.

Capturing All Packets

Let's start with the simplest filtering first, that of collecting everything that the NIC can see on the network segment.

Step 1 Start Ethereal and click Capture, Start.

The Capture Options dialog box appears.

Step 2 Make sure that the button, Capture packets in promiscuous mode, is pressed.

This means that the NIC will collect all the packets it can see.

Note: that if you are on a switch port, or on a port on a switched hub, you will only capture packets directed at your machine, broadcasts, and multicasts that your machine is configured to receive. In addition the NIC itself must be capable of running in promiscuous mode. Most Ethernet cards will be fine, but some Token Ring cards will not run in this mode.

Capturing Packets using an existing Filter

Step 1 Start Ethereal and click Capture, Start.

The Capture Options dialog box appears.

Step 2 Click on the Filter box.

The Edit Capture Filter dialog appears.

Step 3 Click on the required filter file name.

Step 4 Click OK. The filter string appears in the Capture Options dialog.

At first this may be a little confusing, you might have expected the file name. The good thing is that it means you can type strings directly if you know exactly what you want.

Step 5 Click OK.

Capturing begins. The packets captured are those that match the filter string that you have set.

Making a New Capture Filter

You can build packet capture filter files and reuse them at any time. My experience is that the procedure is a little arcane and the format confusing due to the differences between the capture filters and the display filters. However if you follow the steps below you will begin to understand how filtering works.

Step 1 Click Edit, Capture Filters. The Edit Capture Filters List dialog appears.

Step 2 In the box marked Filter name type the name of the new filter you want to make.

For this example type Ethernet Broadcast

Step 3 In the box marked Filter string type, ether broadcast

Note: that the string must be in lower case in the filter string format understood by the capture filtering system.

Step 4 Click New. This adds the new filter to the list.

Step 5 Click Close.

Copying an existing Filter

Copying an existing filter is easy. Simply click on the existing name and press the Copy button. A file named Copy of... is made

Editing the Filter Name

Step 1 Edit the text in the Filter Name box.

Step 2 Click the Change button. The name changes to the new one in the Filter Name box.

Editing the Filter String

Step 1 Edit the text in the Filter string box.

Step 2 Click the Change button. The string changes to the new one in the Filter string box.

Note that the string must be in lower case in the filter string format understood by the capture filtering system.