Packet Capture: Packet Analyzers - Page 4

1.6.1.2. Display filters

Display filters allow you to selectively display data that has been captured. At the bottom of the window shown in Figure 1-1, there is a box for creating display filters. As previously noted, display filters have their own syntax. The ethereal documentation describes this syntax in great detail. In this case, I have entered http to limit the displayed traffic to web traffic. I could just as easily enter any number of other different protocols -- ip, udp, icmp, arp, dns, etc.

The real power of ethereal 's display filters comes when you realize that you don't really need to understand the syntax of display filters to start using them. You can select a field from the center pane and then select Display Match Selected, and ethereal will construct and apply the filter for you. Of course, not every field is useful, but it doesn't take much practice to see what works and what doesn't work.

The primary limitation of this approach comes in constructing compound filters. If you want to capture all the traffic to or from a computer, you won't be able to match a single field. But you should be able to discover the syntax for each of the pieces. Once you know that ip.src==205.153.63.30 matches all IP traffic with 205.153.63.30 as its source and that ip.dst==205.153.63.30 matches all IP traffic to 205.153.63.30, it isn't difficult to come up with the filter you need, ip.src==205.153.63.30 or ip.dst==205.153.63.30. Display filters are really very intuitive, so you should have little trouble learning how to use them.