This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Query about combining capture filter


Hello all,

I am new to Wireshark and the Wireshark community. I am preparing for the WCNA exam and have the below query. I am right now studying packet capture filters and I am successfully able to write this filter:

tcp[1] == 80, while I also want to do the filter tcp[1]== 80 & tcp[2] == 443. Wireshark is not accepting that filter, while Wireshark is accepting tcp[1]==80 & tcp[2].

Is there anything I am missing or have misunderstood about 'anding'?

Thank you, Rakesh M

asked 16 Sep '12, 21:13


rakesh

Hello,

I have realized that I should have used 'and' instead of '&' :).

Thanks

(16 Sep '12, 21:29) rakesh

You can use:
- and
- &&

You can find more information about combining expressions in the Wireshark User's Guide.

(16 Sep '12, 22:37) joke

One Answer:


Yes, you should have used 'and' or '&&' instead of '&', but there's more that needs to be corrected with this filter.

It looks like you're trying to filter on TCP port numbers. The TCP source port is a 2-byte field that starts at tcp[0]. tcp[1] is the second byte of the source port field. So "tcp[1]=80" will capture traffic whose source port is 80 (0x0050), but it will also capture traffic whose source port is 53,840 (0xD250). It will capture all traffic where the second byte of the source port field is 80. You want "tcp[0:2]==80" so that you're comparing the value '80' against the entire two-byte field.

Same for "tcp[2]==443". tcp[2] is the first byte of the 2-byte destination port field. You want "tcp[2:2]==443".

Putting all this together, we get "tcp[0:2]==80 && tcp[2:2]==443". This is a syntactically valid capture filter that Wireshark will accept, but it's very unlikely to capture any traffic. In plain English, this filter means "capture all traffic where the source port is 80 and the destination port is 443."

In a web browsing session, the web server would likely be using port 80 if the traffic is HTTP, or port 443 if the traffic is HTTPS. Both of these ports are in the "well-known port range." However, the client would be using an ephemeral port that would be a higher number. Exactly what range is used for ephemeral ports depends on the operating system, but it certainly would be above 1,024. You're probably never going to see port 80 AND port 443 as source and destination in the same TCP packet.

answered 16 Sep '12, 22:27


Jim Aragon

Thank you very much, joke. And Jim, you have cleared the last bit of doubt in my mind. Actually, to speak with, I was worried, rather, had not understood the length when reading the book. Now it confirms exactly what that field is. I should have used an OR, as I have realized later that the filter with the 'and' operation should not / does not make any sense. Thank you very much.

I initially felt bad asking this question, but now I made the right thing. No matter how silly the question, there is always more we learn :)

(16 Sep '12, 23:42) rakesh

How about "tcp[0:2]==80 || tcp[0:2]==443 || tcp[2:2]==80 || tcp[2:2]==443" to capture all HTTP and HTTPS traffic in both directions?

(17 Sep '12, 11:33) Jim Aragon
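The byte-offset semantics in Jim's answer and the OR filter in his follow-up comment, shown in an added Python example that is not from the original thread or from Wireshark/libpcap: each capture filter is re-implemented as a function over a constructed 20-byte TCP header, so you can see why tcp[1]==80 also matches source port 53840 (0xD250) while tcp[0:2]==80 does not. The header builder and the sample port numbers are constructed for the example.

```python
import struct

def build_tcp_header(src_port: int, dst_port: int) -> bytes:
    """Constructed minimal 20-byte TCP header; only the two port fields matter here."""
    # src, dst, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def tcp_slice(hdr: bytes, offset: int, size: int = 1) -> int:
    """Value of tcp[offset:size] as a capture filter sees it: big-endian unsigned int.
    tcp[offset] with no size is a single byte, so it can never equal 443."""
    return int.from_bytes(hdr[offset:offset + size], "big")

def filter_second_byte(hdr: bytes) -> bool:
    """The original filter tcp[1]==80: compares only the low byte of the source port."""
    return tcp_slice(hdr, 1) == 80

def filter_full_ports(hdr: bytes) -> bool:
    """Jim's corrected filter tcp[0:2]==80 && tcp[2:2]==443 (valid, but rarely matches)."""
    return tcp_slice(hdr, 0, 2) == 80 and tcp_slice(hdr, 2, 2) == 443

def filter_web_either_direction(hdr: bytes) -> bool:
    """Jim's follow-up: tcp[0:2]==80 || tcp[0:2]==443 || tcp[2:2]==80 || tcp[2:2]==443."""
    return any(tcp_slice(hdr, off, 2) == port for off in (0, 2) for port in (80, 443))

def demo() -> dict:
    """Run the three filters over constructed packets; returns {name: (byte, full, web)}."""
    cases = {
        "http reply: src 80 -> dst 51234": build_tcp_header(80, 51234),
        "ssh: src 53840 (0xD250) -> dst 22": build_tcp_header(53840, 22),
        "https request: src 49152 -> dst 443": build_tcp_header(49152, 443),
    }
    return {
        name: (filter_second_byte(h), filter_full_ports(h), filter_web_either_direction(h))
        for name, h in cases.items()
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:40} tcp[1]==80: {result[0]!s:5} full-port AND: {result[1]!s:5} web OR: {result[2]}")
```

The second case is the false positive from the answer: 0xD250 has 0x50 (80) as its low byte, so the single-byte filter fires on SSH traffic that has nothing to do with port 80. Note also that in capture-filter syntax `&` is bitwise AND, which is why `tcp[1]==80 & tcp[2]` was accepted (it parses as `tcp[1] == (80 & tcp[2])`) while the longer expression was not.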