4.9. Filtering while capturing

Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent.

You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown in Figure 4.3, “The "Capture Options" dialog box”. The following is an outline of the syntax of the tcpdump capture filter language. See the expression option at the tcpdump manual page for details: https://www.tcpdump.org/tcpdump_man.html.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

    [not] primitive [and|or [not] primitive ...]
An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a particular host”.

Example 4.1. A capture filter for telnet that captures traffic to and from a particular host

    tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from 10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.

Example 4.2. Capturing all telnet traffic not from 10.0.0.5

    tcp port 23 and not src host 10.0.0.5
A primitive is simply one of the following:

- [src|dst] host <host>

  This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

- ether [src|dst] host <ehost>

  This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

- gateway host <host>

  This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.

- [src|dst] net <net> [{mask <mask>}|{len <len>}]

  This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these is present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR prefix length for the network if they are different from your own.

- [tcp|udp] [src|dst] port <port>

  This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp, which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst. If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified port appears in either the source or destination port field.

- less|greater <length>

  This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.

- ip|ether proto <protocol>

  This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.

- ether|ip broadcast|multicast

  This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

- <expr> relop <expr>

  This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man page at https://www.tcpdump.org/tcpdump_man.html for more details.
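To make the grammar, the two examples and the host/port/length primitives above concrete, here is an added Python illustration that is not part of the Wireshark User's Guide, Wireshark or libpcap: a small evaluator for a subset of the capture filter language (host, port, less, greater and ip proto, combined with not/and/or and parentheses) run over constructed packet summaries. The Packet, Parser and select names and the sample packets are this example's own; the ether, net, gateway, broadcast/multicast and relop primitives are left out, and libpcap's real compiler works on raw packet bytes, not on summaries like these.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:  # constructed packet summary, not a real capture
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    dst: str            # destination IP address
    sport: Optional[int] = None   # TCP/UDP only
    dport: Optional[int] = None   # TCP/UDP only
    length: int = 64    # packet length in bytes

TOKEN = re.compile(r"\(|\)|[^\s()]+")

class Parser:
    """Recursive-descent parser for  [not] primitive [and|or [not] primitive ...]
    plus parentheses.  'and' binds tighter than 'or', as in libpcap."""
    def __init__(self, expr: str):
        self.toks, self.pos = TOKEN.findall(expr), 0
    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self) -> Optional[str]:
        tok, self.pos = self.peek(), self.pos + 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        words = []  # a primitive runs up to the next conjunction or ')'
        while self.peek() not in (None, "and", "or", ")"):
            words.append(self.take())
        if not words:
            raise ValueError("expected a primitive")
        return ("prim", words)

def match_primitive(words: List[str], pkt: Packet) -> bool:
    """One primitive of the supported subset: host, port, less, greater, ip proto."""
    if words[:2] == ["ip", "proto"] and len(words) == 3:
        return pkt.proto == words[2]
    proto = direction = None
    i = 0
    if words[0] in ("tcp", "udp"):          # tcp|udp must come before src|dst
        proto, i = words[0], 1
    if i < len(words) and words[i] in ("src", "dst"):
        direction, i = words[i], i + 1
    if len(words) != i + 2:
        raise ValueError(f"unsupported primitive: {' '.join(words)}")
    kw, val = words[i], words[i + 1]
    if kw == "host" and proto is None:      # without src|dst either address matches
        return val in {"src": [pkt.src], "dst": [pkt.dst]}.get(direction, [pkt.src, pkt.dst])
    if kw == "port":                        # without tcp|udp both protocols match
        if pkt.proto not in ("tcp", "udp") or (proto and pkt.proto != proto):
            return False
        return int(val) in {"src": [pkt.sport], "dst": [pkt.dport]}.get(direction, [pkt.sport, pkt.dport])
    if kw in ("less", "greater") and proto is None and direction is None:
        return pkt.length <= int(val) if kw == "less" else pkt.length >= int(val)  # both inclusive
    raise ValueError(f"unsupported primitive: {' '.join(words)}")

def evaluate(node, pkt: Packet) -> bool:
    if node[0] == "prim":
        return match_primitive(node[1], pkt)
    if node[0] == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if node[0] == "and" else (left or right)

def select(expr: str, packets: List[Packet]) -> List[int]:
    """Indices of the packets the capture filter would keep."""
    tree = Parser(expr).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]

# Constructed sample traffic: telnet in both directions for 10.0.0.5, telnet from
# another host, and one DNS query from 10.0.0.5.
PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.9", 51000, 23),
    Packet("tcp", "10.0.0.9", "10.0.0.5", 23, 51000),
    Packet("tcp", "10.0.0.7", "10.0.0.9", 52000, 23),
    Packet("udp", "10.0.0.5", "10.0.0.9", 40000, 53, length=80),
]

if __name__ == "__main__":
    for f in ("tcp port 23 and host 10.0.0.5", "tcp port 23 and not src host 10.0.0.5"):
        print(f"{f:40s} -> packets {select(f, PACKETS)}")  # Examples 4.1 and 4.2
```

Running it shows the points the text makes: Example 4.1 keeps the packets in both directions (host without src|dst matches either address), Example 4.2 drops only the packet whose source is 10.0.0.5, a bare port matches both TCP and UDP, and less/greater are inclusive comparisons. The real tcpdump or dumpcap -f can be used to check a filter's syntax against libpcap itself.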
4.9.1. Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ...), the remote content has to be transported over the network, adding a lot of (usually unimportant) packets to the actually interesting traffic.

To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific environment variables) and automatically creates a capture filter that matches aspects of the connection.

The following environment variables are analyzed:

- SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
- SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
- REMOTEHOST (tcsh, others?): <remote name>
- DISPLAY (x11): [remote name]:<display num>
- SESSIONNAME (terminal server): <remote name>
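How the layouts listed above can be turned into an excluding capture filter, as an added Python illustration that is not Wireshark's own code: the function below reads the variables in the order given, parses the documented layout of each, and writes a filter in the syntax of Section 4.9 that negates the session carrying the display. The function name, the exact filter wording, the rule that a DISPLAY with an empty host part is local, and the X11 port arithmetic (TCP port 6000 plus the display number, a long-standing X convention the text does not mention) are this example's assumptions; the filter Wireshark generates may be worded differently.

```python
import os
from typing import Dict, Optional

def remote_session_filter(env: Dict[str, str]) -> Optional[str]:
    """Derive a capture filter excluding the remote session, or None if the
    environment shows no remote session.  Filter wording is this example's own."""
    # SSH_CONNECTION: <remote IP> <remote port> <local IP> <local port>
    parts = env.get("SSH_CONNECTION", "").split()
    if len(parts) == 4:
        rip, rport, lip, lport = parts
        return f"not (host {rip} and tcp port {rport} and host {lip} and tcp port {lport})"
    # SSH_CLIENT: <remote IP> <remote port> <local port>
    parts = env.get("SSH_CLIENT", "").split()
    if len(parts) == 3:
        rip, rport, lport = parts
        return f"not (host {rip} and tcp port {rport} and tcp port {lport})"
    # REMOTEHOST: <remote name>
    if env.get("REMOTEHOST"):
        return f"not host {env['REMOTEHOST']}"
    # DISPLAY: [remote name]:<display num>.  An empty name (":0") is assumed to be
    # a local display; X11 over TCP is assumed to use port 6000 + display number.
    name, _, num = env.get("DISPLAY", "").partition(":")
    num = num.split(".")[0]
    if name and num.isdigit():
        return f"not (host {name} and tcp port {6000 + int(num)})"
    # SESSIONNAME: <remote name>
    if env.get("SESSIONNAME"):
        return f"not host {env['SESSIONNAME']}"
    return None

if __name__ == "__main__":
    print(remote_session_filter(dict(os.environ)) or "no remote session detected")
```

Malformed values (an SSH_CONNECTION with the wrong number of fields, a DISPLAY without a numeric display number) are skipped rather than turned into a broken filter, so the next variable in the list gets its chance; the function takes the environment as a dictionary so it can be exercised with constructed values without changing the real one.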