[lug] ethereal filtering

Jeffery D. Collins jcollins at boulder.net
Thu Nov 1 11:51:56 MST 2001


I have been using ethereal successfully for client/server development.
It has been very handy for debugging http requests/responses.  I've
run into a problem with a client application (a simulated phone device
running on the desktop, actually) that spews TCP traffic between two
ports at the rate of 400/second.  Within this sea of traffic are a few
HTTP events that are of interest.  I know that there are display and
capture filters and I've been trying to use the capture filters
without success.  The documentation mentions that the capture filters
have to follow the format of tcpdump.  I tried filtering the capture
from a certain port using:

not port 51122

But traffic from that port (src and dst) is still being captured.
Conversely, if the filter is

port 51122

then no traffic appears, as if the displayed port isn't the same as
the specified filtered port.


Another problem with ethereal is that it appears to not be capturing
all of the packets sent from the client.  For instance, I use Python
and httplib to POST messages to a server and receive the response.  I
know that the message is sent (it appears in the server log) and the
correct response is received by the client.  However, ethereal will
display, say, just the initial handshaking and the connection
termination, but nothing in between.  Switching over to a Java client
to access the server in the same way (same port, message, etc.) will
actually show all of the traffic of the http request and response.
Note that there were no filters (by me, anyway) activated at this
point.  Has anyone else seen similar behavior?

Thanks.



-- 
Jeffery Collins (http://www.boulder.net/~jcollins)


