Ethereal Packet Sniffing

Chapter 5: Filters

Introduction

When capturing packets from a network interface, Ethereal's default behavior is to capture all packets that the operating system's device driver provides. On a lightly loaded home network this is not a problem, but on a busy network at a large enterprise, the deluge of packets would prove too much for the user to handle. Ethereal provides capture filters, which allow you to capture only the packets that you are interested in. By using capture filters, the operating system (OS) sends only selected packets to Ethereal for processing.

Once your packets are loaded into Ethereal, there still may be too many packets for you to easily focus on the problem you're trying to solve. For this situation Ethereal provides display filters, which allow you to specify which packets are shown in Ethereal's Graphical User Interface (GUI). As all of the packets are still in memory, they will once again become visible when you reset your display filter.

The reason that there is a distinction between capture filters and display filters is not due to their different uses, but instead to how they are implemented in Ethereal. The Ethereal program does not know how to capture packets from network interfaces by itself. Instead, it relies on a program library to do the packet capturing. On UNIX this library is pcap (also known as libpcap), maintained by the same group that develops tcpdump, the venerable UNIX command-line sniffer available at www.tcpdump.org. On Windows, this...
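The two-stage model described above, as an added example that is not from the book: a capture filter that, like the capture library, sees only raw frame bytes and decides whether a packet is delivered at all, and a display filter that operates on already-dissected packets held in memory and can be reset. The `Analyzer` class, the field names and the constructed frames are assumptions for the demonstration, not Ethereal's own code.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

def build_frame(proto, src, dst, sport, dport):
    """Build a minimal Ethernet + IPv4 + transport-header frame (constructed sample data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def capture_filter_udp_port(port):
    """Capture-side filter: tests fixed byte offsets of the raw frame and never dissects it.
    A frame it rejects is never handed to the analyzer, so it costs no memory there."""
    def match(frame):
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or frame[23] != PROTO_UDP:
            return False
        l4 = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + variable-length IPv4 header
        return port in struct.unpack_from("!HH", frame, l4)
    return match

def dissect(frame):
    """Analyzer-side dissection into named fields; this is the layer a display filter sees."""
    l4 = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"ip.src": ".".join(map(str, frame[26:30])), "ip.dst": ".".join(map(str, frame[30:34])),
            "ip.proto": frame[23], "srcport": sport, "dstport": dport}

class Analyzer:
    """Hypothetical analyzer keeping every captured packet in memory, as Ethereal does."""
    def __init__(self):
        self.packets = []

    def capture(self, frames, capture_filter=None):
        """Only frames accepted by the capture filter are dissected and stored."""
        self.packets += [dissect(f) for f in frames if capture_filter is None or capture_filter(f)]

    def display(self, display_filter=None):
        """A display filter hides packets from view; resetting it (None) shows them all again."""
        return [p for p in self.packets if display_filter is None or display_filter(p)]

if __name__ == "__main__":
    frames = [build_frame(PROTO_UDP, "10.0.0.1", "10.0.0.53", 40000, 53),
              build_frame(PROTO_TCP, "10.0.0.3", "10.0.0.80", 50000, 80)]
    a = Analyzer()
    a.capture(frames, capture_filter_udp_port(53))     # the TCP frame is never stored
    print(len(a.packets), "in memory;", len(a.display(lambda p: p["ip.src"] == "10.0.0.9")), "shown")
```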
