Hi Guy,

You're certainly right that the syntax etc. is all based on bpf/libpcap. A great deal of my capturing is done with tcpdump on IDSes or non-X machines and I use Ethereal for post-capture analysis. However, I wrote this primer because the Ethereal help for capture filters freaks a lot of people. There is only a reference to the pcap lib and tcpdump man page. To some people coming from a Windows background, this just adds to the confusion/frustration. By putting up a primer that leads people through the required capture syntax, my hope is that this builds understanding and confidence with Ethereal's underlying capture facility (libpcap/winpcap) and they will refer back to the tcpdump man page and expand on what they learned from my page. This is why at the beginning of my primer, I refer people to the tcpdump man page as the complete source of information. I understand that these filters can be used for so many other programs. While snort can take capture filter files and command-line filters, it also provides people with the ability to avoid this by using custom rulesets with simple keywords in place of capture syntax. My preference was to narrow it down to just 'naming' Ethereal because this seems to be where a great deal of cross-over with the Windows community occurs and most of the confusion with capture filters.
Thanks,
Mike

On Wednesday 25 June 2003 02:45 pm, Guy Harris wrote:
> On Wednesday, June 25, 2003, at 11:28AM, mike wrote:
> > I have a capture filter primer on my website:
> > http://home.insight.rr.com/procana
>
> You might want to rename it "Designing Capture Filters for
> tcpdump/Ethereal/Snort/etc.", as it applies to any program using
> libpcap, not just Ethereal.
>
> _______________________________________________
> Ethereal-users mailing list
> [EMAIL PROTECTED]
> http://www.ethereal.com/mailman/listinfo/ethereal-users