Packet Capture: Packet Analyzers - Page 4

In part 4 of our series from the O'Reilly book, Network Troubleshooting Tools, you will learn all about examining the data within packets using packet analyzers, complete with syntax and illustrated examples.

 By O'Reilly Press
Page 4 of 4   |  Back to Page 1
Print Article Display filters

Display filters allow you to selectively display data that has been captured. At the bottom of the window shown in Figure 1-1, there is a box for creating display filters. As previously noted, display filters have their own syntax. The ethereal documentation describes this syntax in great detail. In this case, I have entered http to limit the displayed traffic to web traffic. I could just as easily enter any number of other different protocols -- ip, udp, icmp, arp, dns, etc.

The real power of ethereal 's display filters comes when you realize that you don't really need to understand the syntax of display filters to start using them. You can select a field from the center pane and then select Display Match Selected, and ethereal will construct and apply the filter for you. Of course, not every field is useful, but it doesn't take much practice to see what works and what doesn't work.

The primary limitation of this approach comes in constructing compound filters. If you want to capture all the traffic to or from a computer, you won't be able to match a single field. But you should be able to discover the syntax for each of the pieces. Once you know that ip.src== matches all IP traffic with as its source and that ip.dst== matches all IP traffic to, it isn't difficult to come up with the filter you need, ip.src== or ip.dst== Display filters are really very intuitive, so you should have little trouble learning how to use them.

Perhaps more than any other tool described in this book, ethereal is constantly being changed and improved. While this book was being written, new versions were appearing at the rate of about once a month. So you should not be surprised if ethereal looks a little different from what is described here. Fortunately, ethereal is a well-developed program that is very intuitive to use. You should have little trouble going on from here.

Network Troubleshooting Tools - click to go to publisher's site

The next segment from Network Troubleshooting Tools will cover the Dark Side of Packet Capture.

This article was originally published on Nov 27, 2001
Get the Latest Scoop with Networking Update Newsletter