Ethereal Capture Filter for IP Traffic

How to make an Ethereal packet capture filter for IP traffic.

Filtering IP Traffic

One of the great strengths of Ethereal is its very powerful filtering language. This document describes some of its features, specifically the use of primitives.

You can build packet capture filters and reuse them at any time. Take a look at Ethereal Setting Display Filters for a description of how to make and reuse a simple filter.

Once you have mastered making a simple filter you can try some of the more advanced ones described in Ethereal Advanced Packet Capture Filtering.

Capturing specific IP Host traffic

You may use host names or IP addresses, so if the machine named FRED is also 10.0.0.21, either can be used in the filter. In the Filter string, entering:

host FRED is the same as host 10.0.0.21

This will capture packets to and from the address.

Optionally you may specify that the address is a destination.

dst host FRED is the same as dst host 10.0.0.21 and will capture only traffic to the address.

Optionally you may specify that the address is a source.

src host FRED is the same as src host 10.0.0.21 and will capture only traffic from the address.

Capturing specific IP Protocols

Primitives exist for capturing specific IP Protocols.

In the Filter string, entering:

ip proto tcp is the same as ip proto 6 and will capture all TCP packets.

ip proto udp is the same as ip proto 11 and will capture all UDP packets.

ip proto icmp is the same as ip proto 1 and will capture all ICMP packets.

ip proto igrp is the same as ip proto 9 and will capture all IGRP packets.

Capturing IP Broadcast and Multicast traffic

In the Filter string, entering:

ip broadcast will capture all IP broadcast packets.

ip multicast will capture all IP multicast packets.

Capturing traffic on a specific IP Port

In the Filter string, entering:

port telnet is the same as port 23 and will capture all UDP and TCP packets using port 23 (Telnet).

You can restrict this to only tcp traffic or only udp traffic.

In the Filter string, entering:

tcp port telnet is the same as tcp port 23 and will capture only tcp packets using port 23 (Telnet).

Similarly:

udp port telnet is the same as udp port 23 and will capture only udp traffic on port 23 (Telnet).

And you can further specify source or destination port.

In the Filter string, entering:

tcp src port telnet is the same as tcp src port 23 and will capture all tcp packets whose source port is 23 (Telnet).

Similarly:

udp dst port telnet is the same as udp dst port 23 and will capture only udp packets whose destination port is 23 (Telnet).
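The following is an added example, not part of the original page and not libpcap code: a small Python evaluator for the primitives described above (host, src/dst host, ip proto, ip broadcast/multicast, port with optional tcp/udp and src/dst), run over a constructed packet list. It assumes a single name-table entry (FRED = 10.0.0.21) and resolves protocol names with the IANA numbers (TCP 6, UDP 17 or 0x11, ICMP 1, IGRP 9); `ip broadcast` is modelled as the limited broadcast 255.255.255.255 only, since the real filter needs the capture interface's netmask.

```python
"""Toy evaluator for the capture-filter primitives on this page.

Models the semantics of the filter strings; it is NOT libpcap/Ethereal.
"""
import ipaddress

HOSTS = {"FRED": "10.0.0.21"}                         # constructed name table
PROTOS = {"tcp": 6, "udp": 17, "icmp": 1, "igrp": 9}  # IANA protocol numbers
SERVICES = {"telnet": 23}                             # service name -> port

def _addr(tok):
    return HOSTS.get(tok, tok)                        # name or literal address

def _num(tok, table):
    return table[tok] if tok in table else int(tok)   # name or numeric form

def matches(filt, pkt):
    """True if pkt (dict: src, dst, proto, sport, dport) matches filt."""
    t = filt.split()
    if t[0] in ("src", "dst") and t[1] == "host":
        return pkt[t[0]] == _addr(t[2])               # one direction only
    if t[0] == "host":
        return _addr(t[1]) in (pkt["src"], pkt["dst"])  # to or from the address
    if t[:2] == ["ip", "proto"]:
        return pkt["proto"] == _num(t[2], PROTOS)
    if t[:2] == ["ip", "multicast"]:
        return ipaddress.ip_address(pkt["dst"]).is_multicast  # 224.0.0.0/4
    if t[:2] == ["ip", "broadcast"]:
        return pkt["dst"] == "255.255.255.255"        # assumption: limited bcast
    if t[0] in ("tcp", "udp"):                        # restrict port match to one transport
        if pkt["proto"] != PROTOS[t[0]]:
            return False
        t = t[1:]
    if t[0] in ("src", "dst") and t[1] == "port":
        key = "sport" if t[0] == "src" else "dport"
        return pkt[key] == _num(t[2], SERVICES)
    if t[0] == "port":                                # either side, tcp or udp
        return _num(t[1], SERVICES) in (pkt["sport"], pkt["dport"])
    raise ValueError(f"unsupported filter: {filt}")

# Constructed sample traffic: FRED telnets out, gets a DNS reply and a ping,
# and another host sends an mDNS multicast.
PACKETS = [
    dict(src="10.0.0.21", dst="10.0.0.5", proto=6, sport=4242, dport=23),
    dict(src="10.0.0.5", dst="10.0.0.21", proto=17, sport=53, dport=5353),
    dict(src="10.0.0.7", dst="224.0.0.251", proto=17, sport=5353, dport=5353),
    dict(src="10.0.0.9", dst="10.0.0.21", proto=1, sport=None, dport=None),
]

def count(filt):
    """Number of sample packets the filter would capture."""
    return sum(matches(filt, p) for p in PACKETS)

if __name__ == "__main__":
    for f in ("host FRED", "dst host 10.0.0.21", "ip proto udp", "tcp port telnet"):
        print(f"{f!r}: {count(f)} packet(s)")
```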

To perform filtering on Ethernet hosts and protocols go to Filtering MAC Traffic.

For a description of even more options go to Filtering while capturing.