Ethereal Advanced Packet Capture Filter

How to make an advanced capture filter for Ethereal

The filtering language used by Ethereal is, to my mind, a bit tricky to understand. The filtering language is that used by tcpdump. This document attempts to explain how to set capture filters for some of the more common types of traffic. For a full description of the options go to Filtering while capturing section in the Ethereal users guide.

For Display Filtering take a look at Ethereal Setting Display Filters for a description of how to make and reuse simple display filters.

Capture Filters

You can build packet capture filters and reuse them at any time. Take a look at Ethereal Setting Capture Filters for a description of how to make and reuse a simple filter. Once you have mastered simple filtering you can try some of the more advanced ones described here.

Making a Capture Filter for a known Ethernet Layer Protocol

Well known Ether Types

Some common ether types are:

IP(V4). Filter string: ether proto 0x0800

ARP. Filter string: ether proto 0x0806

IPX. Filter string: ether proto 0x8137

DECNET Phase IV. Filter string: ether proto 0x6003

DEC LAT. Filter string: ether proto 0x6004

Making a Capture Filter for a known IP Layer Protocol

Well known IP Layer Protocol Types

Some common ether types are:

ICMP. Filter string: ip proto 1

TCP. Filter string: ip proto 6

UDP. Filter string: ip proto 11

Making a Capture Filter for a known TCP Port

Examples - Well known Port Numbers

Some common ports are:

FTP (data). Filter string: tcp port 20

FTP (control). Filter string: tcp port 21

SSH. Filter string: tcp port 22

TELNET. Filter string: tcp port 23

SMTP. Filter string: tcp port 25

DNS. Filter string: udp port 53

HTTP. Filter string: tcp port 80

NETBIOS Name Service. Filter string: udp port 137

NETBIOS Datagram. Filter string: udp port 138

NETBIOS Session. Flter string: tcp port 139

IMAP. Filter string: tcp port 143

SNMP. Filter string: udp port 161

Making a Capture Filter for a known IP Address or Host Name

Follow the steps below.

Step 1 Click Edit, Capture Filters.

The Edit Capture Filters List dialog appears.

Step 2 In the box marked Filter name type the name for the new filter you want to make.

For this example type Host Filter.

Step 3 In the box marked Filter string type, host 10.0.0.25

This will capture traffic to and from IP Address 10.0.0.25. You can replace the IP Address with a name.

Optionally you may specify only traffic to or from an address.

So to capture traffic from 10.0.0.25 type: src host 10.0.0.25

To capture traffic to 10.0.0.25 type: dst host 10.0.0.25
Note: that the string must be in lower case in the format understood by the capture filtering system.

Step 4 Click New.

This adds the new filter to the list.

Step 5 Click Close.

Combining Options

It is possible to combine options, using logical AND, NOT, OR options, to make even more specific filters. So, for example if you want to see only telnet traffic to and from a particular host specify a filter such as:

tcp port 23 and host 10.0.0.25

Further Options

Now that you have tried a few of the options the full set, described in the Filtering while capturing pages in the Ethereal User’s Guide, may be easier to understand.