your preferences. For example, if you are looking for traffic generated by the AIM
protocol, which is used by AOL’s Instant Messenger, you can set up a filter to quickly
parse all AIM data out of the captured data. This can also be done before the capture;
however, post-capture filtering is recommended because it gives you the power to go
back and review everything captured.
To set up a filter before the capture, use the filter option as illustrated in Figure 9.2.
This will open a filter setup window similar to Figure 9.4. To filter after the capture, use the filter
option at the bottom of the Ethereal window.
In this example, we will create a filter for AIM and Quake. Quake is a multiplayer game
whose mastery is an essential prerequisite for any competent security professional.
However, if you are a network administrator, you might desire a way to periodically
monitor your network for Quake packets to make sure no one has set up a rogue Quake
server. To do this, perform the following steps:
1. Click the Filter button.
2. Type Quake in the Filter Name textbox.
3. Click the Add Expression button.
4. Scroll through the list of options and select "Quake" in the Field Name column
and "is present" in the Relation column (see Figure 9.5).
5. Click Accept.
6. Click the New button to add the filter to the save list.
7. Click Save to store this filter permanently.
8. Click OK to use the filter.
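
For the periodic monitoring mentioned above, the same check can be scripted against a saved capture file. The following is an added example, not code from this book or from Ethereal. It assumes the default ports (Quake servers on UDP 26000, AIM on TCP 5190), which the text does not state, and the names WATCH, classify, scan_pcap and sample_record are hypothetical.

```python
import struct

# Assumption (not from the page): Quake servers listen on UDP 26000 by default and
# AIM on TCP 5190. This matches on port only, not on protocol dissection.
WATCH = {(17, 26000): "quake", (6, 5190): "aim"}   # (IP protocol, port) -> label

def classify(frame):
    """Return (label, ip_owning_the_watched_port) for an Ethernet/IPv4 frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if ihl < 20 or frag_off or len(frame) < 14 + ihl + 4:
        return None                               # later fragments carry no ports
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    for port, ip in ((sport, frame[26:30]), (dport, frame[30:34])):
        label = WATCH.get((frame[23], port))
        if label:
            return label, ".".join(map(str, ip))
    return None

def scan_pcap(data):
    """Return [(packet_number, label, server_ip)] for a classic pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off, number = [], 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off, number = off + 16 + incl_len, number + 1
        match = classify(frame)
        if match:
            hits.append((number, *match))
    return hits

def sample_record(proto, src, dst, sport, dport):
    """Build one constructed pcap record: Ethernet + IPv4 + the two port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: a Quake server reply, a DNS query, an AIM login.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + sample_record(17, (10, 0, 0, 9), (10, 0, 0, 20), 26000, 1045)
          + sample_record(17, (10, 0, 0, 20), (10, 0, 0, 1), 1046, 53)
          + sample_record(6, (10, 0, 0, 20), (192, 0, 2, 7), 1047, 5190))
```

A server moved to a non-default port will not be caught by a port match, so treat an empty result as "nothing on the default ports" rather than "no Quake traffic".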