
tcpdump and libpcap have different syntaxes? When did that start? tcpdump's filtering language is libpcap.



Sorry, I mean wireshark. You can use a filter like this in the wireshark GUI:

    ip.addr==127.0.0.1
But not in tcpdump

    $ sudo tcpdump 'ip.addr==127.0.0.1'
    syntax error.
This works in tcpdump

    sudo tcpdump 'host 127.0.0.1'
But not in wireshark GUI


It's a bit more complicated than that.

Wireshark allows two different filtering languages in two different places, used at different times.

Your first example ("ip.addr==127.0.0.1") is a display filter. You enter those in the text field at the top of the GUI.

Your third example, 'host 127.0.0.1' is a 'capture filter'. You can enter capture filters in Capture/options.


I can understand that, but why do we invent these two different DSLs? I suppose they have a very large overlap!


There are different trade-offs for the capture filter language and the display filter language.

The capture filter language considers short and bounded runtime (no loops) to be paramount. Roughly, when you're capturing, it's important that your filters eat a limited amount of resources. Juha talks about this in the article.

The display filter language abandons the careful runtime limits in favour of being more powerful. You can go higher up in the stack, you can use regexes, etc. That's acceptable because you're usually doing it offline.

The conclusion of Juha's article is, roughly, "the libpcap DSL is sometimes frustrating, but I'm not aware of a clearly better alternative". I agree. I'd love it if someone invented something prettier but still solid.
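As an added illustration of the "short and bounded runtime (no loops)" point (this is example code, not from the thread or from libpcap): a capture filter such as 'host 127.0.0.1' is compiled by libpcap into a classic BPF program. The instruction list below is what `tcpdump -d 'host 127.0.0.1'` prints for an Ethernet link, transcribed here with absolute jump targets as tcpdump prints them (check it against your own build). The tiny interpreter, the loop-freedom check and the frames it is run on are constructed for this example.

```python
"""Added example: what a libpcap capture filter compiles to, and why its
runtime is bounded.  Instruction list transcribed from
`tcpdump -d 'host 127.0.0.1'` on an Ethernet (EN10MB) link; interpreter
and sample frames are constructed for this example."""
import struct

# (opcode, operand, jt, jf).  Offsets index into the raw frame; jt/jf are
# absolute instruction indices, the way `tcpdump -d` prints them.
HOST_127_0_0_1 = [
    ("ldh", 12, 0, 0),            # EtherType
    ("jeq", 0x0800, 2, 6),        # IPv4?
    ("ld", 26, 0, 0),             # IPv4 source address
    ("jeq", 0x7F000001, 12, 4),
    ("ld", 30, 0, 0),             # IPv4 destination address
    ("jeq", 0x7F000001, 12, 13),
    ("jeq", 0x0806, 8, 7),        # ARP?
    ("jeq", 0x8035, 8, 13),       # RARP?
    ("ld", 28, 0, 0),             # ARP sender protocol address
    ("jeq", 0x7F000001, 12, 10),
    ("ld", 38, 0, 0),             # ARP target protocol address
    ("jeq", 0x7F000001, 12, 13),
    ("ret", 262144, 0, 0),        # accept: keep up to snaplen bytes
    ("ret", 0, 0, 0),             # reject
]


def is_loop_free(prog):
    """True if every jump target lies strictly ahead of the jump.

    This is the structural property behind the bounded-runtime guarantee:
    a forward-only program can execute at most len(prog) instructions."""
    for pc, (op, _k, jt, jf) in enumerate(prog):
        if op.startswith("j") and (jt <= pc or jf <= pc):
            return False
    return True


def run_bpf(prog, frame):
    """Evaluate a classic-BPF program (ld/ldh/jeq/ret subset) on one frame.

    Returns the accept length (0 = drop).  As in the kernel, a load that
    runs past the end of the packet rejects the packet."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ldh":
            if k + 2 > len(frame):
                return 0
            acc = struct.unpack_from("!H", frame, k)[0]
        elif op == "ld":
            if k + 4 > len(frame):
                return 0
            acc = struct.unpack_from("!I", frame, k)[0]
        elif op == "jeq":
            pc = jt if acc == k else jf
            continue
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode %r" % op)
        pc += 1


# --- constructed sample frames -------------------------------------------
ETH_SRC = bytes.fromhex("001122334455")
ETH_BCAST = b"\xff" * 6


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_frame(src, dst):
    """Ethernet + minimal 20-byte IPv4 header (no payload)."""
    eth = ETH_BCAST + ETH_SRC + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    return eth + ip + ip_bytes(src) + ip_bytes(dst)


def arp_frame(sender_ip, target_ip):
    """Ethernet + ARP request; sender IP at offset 28, target IP at 38."""
    eth = ETH_BCAST + ETH_SRC + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += ETH_SRC + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp


if __name__ == "__main__":
    print("loop-free:", is_loop_free(HOST_127_0_0_1))
    for label, frame in [
        ("ipv4 127.0.0.1 -> 10.0.0.2", ipv4_frame("127.0.0.1", "10.0.0.2")),
        ("ipv4 10.0.0.1 -> 10.0.0.2", ipv4_frame("10.0.0.1", "10.0.0.2")),
        ("arp 10.0.0.9 -> 127.0.0.1", arp_frame("10.0.0.9", "127.0.0.1")),
        ("truncated frame", ETH_BCAST + ETH_SRC + b"\x08\x00"),
    ]:
        print(label, "->", run_bpf(HOST_127_0_0_1, frame))
```

The contrast with a display filter is the point of the thread: `ip.addr==127.0.0.1` is not compiled to anything like this; it is evaluated against fields the dissectors have already extracted, which is why display filters can reach arbitrarily far up the stack and use regexes, and why they are not what the capture path runs per packet.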



