This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture filter, syntax error in filter string, wireshark 1.8.2

I upgraded to Wireshark 1.8.0, could not get a filter to work: syntax error in filter string. I upgraded to Wireshark 1.8.2, still the same problem. Tried two filters:

filter name = IP address 192.168.0.1, filter string = host 192.168.0.1

filter name = test ip address, filter string = ! ( ip.addr == 10.43.54.65 )

Each has an error: Invalid capture filter "test ip address" for interface Intel(R) 82579LM Gigabit Network Connection: \Device\NPF_{D9470C12-7560-4669-AA38-CC092A8EA807}!

That string isn't a valid capture filter (syntax error). See the User's Guide for a description of the capture filter syntax.

asked 19 Sep '12, 09:16

mwillenb

edited 19 Sep '12, 10:08

cmaynard ♦♦

I even used one of the sample filters that was loaded in the install: filter name = IP address 192.168.0.1, filter string = host 192.168.0.1

(19 Sep '12, 09:21) mwillenb

One Answer:

Each has an error: Invalid capture filter "test ip address" for interface Intel(R) 82579LM Gigabit Network Connection: \Device\NPF_{D9470C12-7560-4669-AA38-CC092A8EA807}!

It appears that you are attempting to use the filter name instead of the filter string. But even if you had correctly used the filter string, it would have still failed in those cases because those are display filters, not capture filters. If you are adding capture filters, then they must be in proper capture filter syntax. A proper filter will cause the background of the filter string field to turn green. This document may help you with capture filter syntax, or refer to the pcap-filter man page. For IP display filter help, see the Wireshark Internet_protocol wiki page.

Lastly, don't forget about the Wireshark user guide.

answered 19 Sep '12, 10:07

cmaynard ♦♦

I got it working, but my complaint is still valid. If I only select the CAPTURE pull-down menu and CLICK the CAPTURE FILTER on the menu bar, I get a new window, "Wireshark Capture Filter - Profile Default". I try to create a filter profile:

filter name = test ip address, filter string = ip addr == 216.69.108.117

Then I double-click the interface to get the "Edit Interface Settings" screen and try to fill in the Capture Filter: by picking the filter. The field fills in with ip addr == 216.69.108.117. I start the capture and get the bad syntax error.

But I set the capture filter profile and the edit interface setting back to default. Then I add to the Filter field ip.addr == 216.69.108.117 and start the capture. This setup works, so I will do this for a capture filter.

I will ignore the "Wireshark Capture Filter Profiler" and the "edit interface settings / capture filter field".

(19 Sep '12, 11:38) mwillenb

In the previous letter, I did use

ip.addr == 216.69.108.117

The "ip addr == 216.69.108.117" was a typo.

(19 Sep '12, 11:40) mwillenb

"ip.addr == 216.69.108.117" is a display filter, not a capture filter. That's why it fails. Review display filters vs. capture filters for proper syntax. In this particular case though, the capture filter you want is "ip host 216.69.108.117".

(19 Sep '12, 11:46) cmaynard ♦♦
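
As an added example (not part of the original thread and not Wireshark code): a small Python check that flags display-filter syntax typed into a capture filter field and rewrites the simple cases seen in this thread. Only the `ip.addr` to `ip host` mapping comes from the answer above; the other table rows and all function names are assumptions based on pcap-filter syntax.

```python
import re

# Display-filter fields mapped to pcap-filter primitives. Only the
# "ip.addr" -> "ip host" row is taken from the thread; the remaining rows
# are added assumptions based on pcap-filter syntax.
FIELD_TO_PRIMITIVE = {
    "ip.addr": "ip host",
    "ip.src": "ip src host",
    "ip.dst": "ip dst host",
    "tcp.port": "tcp port",
    "udp.port": "udp port",
}

# One comparison such as "ip.addr == 10.43.54.65" or "tcp.port eq 443".
COMPARISON = re.compile(
    r"([a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+)\s*(==|eq)\s*([0-9.]+)")


def looks_like_display_filter(text):
    """True if the string compares a dotted field name with == or eq."""
    return COMPARISON.search(text) is not None


def to_capture_filter(text):
    """Rewrite simple display-filter comparisons in capture filter syntax.

    A string with no such comparison is returned unchanged. Fields outside
    the table and the "!=" operator raise ValueError instead of guessing.
    """
    if "!=" in text:
        raise ValueError("'!=' is not handled by this sketch")

    def swap(match):
        field, _, value = match.groups()
        if field not in FIELD_TO_PRIMITIVE:
            raise ValueError("no capture filter equivalent known for " + field)
        return FIELD_TO_PRIMITIVE[field] + " " + value

    out = COMPARISON.sub(swap, text)
    # Spell the display-filter operators "&&", "||" and "!" as words.
    out = out.replace("&&", " and ").replace("||", " or ")
    out = re.sub(r"!\s*", "not ", out)
    # Collapse whitespace and tidy spacing inside parentheses.
    out = re.sub(r"\s+", " ", out).strip()
    return out.replace("( ", "(").replace(" )", ")")
```
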