Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

4.9. Filtering while capturing
Prev Chapter 4. Capturing Live Network Data Next

4.9. Filtering while capturing

Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent.

[Tip] Tip!

You will find a lot of Capture Filter examples at https://wiki.wireshark.org/CaptureFilters.

You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown in Figure 4.3, “The "Capture Options" dialog box”. The following is an outline of the syntax of the tcpdump capture filter language. See the expression option at the tcpdump manual page for details: https://www.tcpdump.org/tcpdump_man.html.

A capture filter takes the form of a series of primitive expressions connected by conjunctions ( and/or ) and optionally preceded by not : 

[not] 
primitive
 [and|or [not] 
primitive
 ...]

An example is shown in Example 4.1, “ A capture filter for telnet that captures traffic to and from a particular host ”.

Example 4.1. A capture filter for telnet that captures traffic to and from a particular host 

tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “ Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.

Example 4.2. Capturing all telnet traffic not from 10.0.0.5 

tcp port 23 and not src host 10.0.0.5

XXX - add examples to the following list.

A primitive is simply one of the following:

[src|dst] host <host>

This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

ether [src|dst] host <ehost>

This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

gateway host <host>

This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host .

[src|dst] net <net> [{mask <mask>}|{len <len>}]

This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR prefix for the network if they are different from your own.

[tcp|udp] [src|dst] port <port>

This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst .

If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in either the source or destination port field.

less|greater <length>

This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.

ip|ether proto <protocol>

This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.

ether|ip broadcast|multicast

This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>

This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man page at https://www.tcpdump.org/tcpdump_man.html for more details.

4.9.1. Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ...), the remote content has to be transported over the network, adding a lot of (usually unimportant) packets to the actually interesting traffic.

To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific environment variables) and automatically creates a capture filter that matches aspects of the connection.

The following environment variables are analyzed:

SSH_CONNECTION (ssh)

<remote IP> <remote port> <local IP> <local port>

SSH_CLIENT (ssh)

<remote IP> <remote port> <local port>

REMOTEHOST (tcsh, others?)

<remote name>

DISPLAY (x11)

[remote name]:<display num>

SESSIONNAME (terminal server)

<remote name>

Prev Up Next
4.8. Link-layer header type Home 4.10. While a Capture is running ...

 
 
  Published under the terms fo the GNU General Public License Design by Interspire