Mailing List Archive: tethereal capture filter for multiple ports

-------------------
The Ethereal project is being continued at a new site. Please go to
http://www.wireshark.org and subscribe to wireshark-users@wireshark.org.
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

On Aug 21, 2006, at 10:13 AM, Tom wrote:

> -------------------
> The Ethereal project is being continued at a new site. Please go to
> http://www.wireshark.org and subscribe to wireshark-users@wireshark.org
> .
> Don't forget to unsubscribe from this list at
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> -------------------
>
> Hi, I am looking for the tethereal capture filter
> syntax for capturing multiple ports (2 to 5 ports).

Well, tethereal's not being developed any more (as per the above), but
TShark is what it was renamed to, and the answer is the same for both.

> With the following command, I am NOT able to capture
> packets: (Note: it says it is capturing but it is
> actually not capturing)
>
> [root@root]# tethereal -f "(port 5060) and (port
> 8688)" -w test13.cap
> Capturing on eth0

How do you know it's not capturing?

The fact that it doesn't print anything only proves it's not capturing
if you have traffic on your network that's going between ports 5060
and 8688. If you have traffic going *to* port 5060 but not coming
*from* port 5060 or port 8688, or coming *from* port 5060 but not
going *to* port 5060 or port 8688, or going *to* port 8688 but not
coming *from* port 5060 or port 8688, or coming *from* port 8688 but
not going *to* port 5060 or port 8688, that filter will *not* capture
it.

"And" means "and" in the sense of "the packet is going to or coming
from port 5060 *and* the *SAME* packet is coming from or going to port
8688". "port X and port Y" doesn't mean "capture traffic to or from
port X and also capture traffic to or from port Y", it means "capture
a packet that is, at the same time, going to or coming from port X and
coming from or going to port Y".

If you want to capture traffic to or from port X and also capture
traffic to or from port Y, that's traffic that's coming from or going
to port X *OR* coming from or going to port Y, so the filter for
*that* would be

port 5060 or port 8688

> The following is a syntax error:
>
> [root@root]# tethereal -f "(port 5060)" and "(port
> 8688)" -w test15.cap

The "-f" flag takes the next command-line token as the filter
expression; all subsequent command-line tokens are *NOT* part of the
filter. Thus, the argument to "-f" is "(port 5060)", and the "and"
and "(port 8688)" are treated as extra arguments - and extra arguments
to tshark (and tethereal) are glued together and treated as a capture
filter, so that's "and (port 8688)", which isn't valid.

TShark needs to catch the case where you have "-f" *and* have extra
arguments, and complain about that. (And tcpdump needs to print
something more meaningful than "syntax error" in that case.)

In addition, the tshark *manual* needs to more clearly document that

tshark port 5060 or port 8688

captures with "port 5060 or port 8688" as a capture filter.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users