How to quickly prepare a Display filter like “ip.addr == x.x.x.x” ? (solved)

Question

While displaying an interesting packet, it is often needed to filter all traffic on an IP address, but not only as source or destination as the right-click filtering permits in the main GUI window.

Actually, I prepare a filter like ip.src == x.x.x.x then replace src by addr to get what all traffic to/from this host.

Is there another way to create it from the main GUI window?

[edit]: a Lua script permits to quickly build the filter, see below

Answer 1

At last, I have written a Lua post-dissector that match my needs, adapted from the "trivial" pseudo-protocol seen in the Lua tutorial; it adds an "Endpoints" element to the tree, that permits to "Prepare" an ip.addr filter :

-- ip-addr postdissector example
-- declare some Fields to be read
ip_src_f = Field.new("ip.src")
ip_dst_f = Field.new("ip.dst")
– declare our (pseudo) protocol
endpoints_proto = Proto("endpoints","Endpoints list")
– create the fields for our "protocol"
src_F = ProtoField.string("ip.addr","Source")
dst_F = ProtoField.string("ip.addr","Destination")
– add the field to the protocol
endpoints_proto.fields = {src_F, dst_F}
– create a function to "postdissect" each frame
function endpoints_proto.dissector(buffer,pinfo,tree)
– obtain the current values the protocol fields
local ip_src = ip_src_f()
local ip_dst = ip_dst_f()
if ip_src then
local subtree = tree:add(endpoints_proto,"IP Endpoints")
local src = tostring(ip_src)
local dst = tostring(ip_dst)
subtree:add(src_F,src)
subtree:add(dst_F,dst)
end

end
– register our protocol as a postdissector
register_postdissector(endpoints_proto)

Here is the resulting tree element, seen in the middle pane:

———————–
[-] Endpoints
Source: 10.0.0.1
Destination: 10.0.0.2
———————–

Answer 2

They are just hidden; to make the pseudo-fields (ip.addr, ip.host etc.) appear, choose :

Edit - Preferences - Protocols - Display hidden protocols items

Then the field giving the ip.addr filter is found in the middle pane, and looks like this:

<Source or Destination Address : 10.1.2.3(10.1.2.3)>

Answer 3

No, this is not possible from the GUI for the IP addresses. For ethernet addresses, it is possible, if you open the packet details and expnd the source or destination mac-address, the address will be listed again, this time without source or destination. You can now use "Apply as filter" and it will use eth.addr instead of eth.src or eth.dst.

If you would find it useful to have this for IP addresses too, you might want to open up an enhancement request on https://bugs.wireshark.org

Answer 4

Well, like Sake said, there isn't an "ip.addr" field in the packet to right-click on.

Given that I'm a lousy tpyist, I'd probably rather pull the ip.addr== from a pre-made filter. The image below shows one of my display filter sets... (the IP address filter doesn't have the exclamation point at the beginning in the string). I'd rather click than type any day <g>. Oh sure, Wireshark complains a bit as the filter isn't completed, but I don't have to backspace or type in the beginning, so it works for me.

BTW, I edited the order in Notepad (and added the separator and indents)...

alt text

Answer 5

Too bad for the Gui, and the usage of filters isn't so easy as I hoped.

Perhaps with some Lua scripts ?

This one is really too simple, but seems to go in the right direction, without requiring too much clicks.

-- put this script in your init.lua file, and click on the Tools menu 
-- to copy the desired string in the clipboard
function stringipaddr()       copy_to_clipboard("ip.addr == ") end
function stringnotipaddr()    copy_to_clipboard("!ip.addr == ") end
register_menu("Copy string &quot;ip.addr == &quot;", stringipaddr,   MENU_TOOLS_UNSORTED)
register_menu("Copy string &quot;!ip.addr == &quot;",stringnotipaddr,MENU_TOOLS_UNSORTED)

If I understand the concepts of Lua well, it could even be possible to register a new element to the right-click menu. I hope to find something about it soon, otherwise the enhancement request on the list will be the choice.