Hi, I am trying to capture traffic/dropped packets between two servers. I have Wireshark installed on server1 (example: 192.168.1.1). I clicked on the interface I want to capture, and then in the filter box I put in the below...

I have in there "host 192.168.1.1 and host 192.168.1.2". I tried it with the "" and without.

It gives me the error: "hostname 192.168.1.1 and hostname 192.168.1.2 is neither a field nor a protocal name. The following display filter isnt a valid display filter"

Any ideas?

asked 02 May '13, 09:56 sharwal
One Answer:
Wireshark has two kinds of filters: display filters and capture filters. Obviously you tried to enter a capture filter into the display filter box, which doesn't work.

If you want to use the filter you specified to limit what packets are captured, you need to do it on the capture interface: open the capture options dialog, double-click on the interface, and put your filter into the capture filter box.

If you want to capture everything and just display the two IPs, you can use a display filter, in your case "ip.addr==192.168.1.1 and ip.addr==192.168.1.2".

answered 02 May '13, 10:04 Jasper ♦♦
@sharwal
FYI, there is info about capture and display filters in the user guide and on the wiki: Capture Filters, Display Filters
I only want to capture traffic between the two servers... Where are the capture options? I click on Capture at the top and don't see any options field. Do I click on Capture Filter and enter it under field string?
Use the menu "Capture" -> "Options" and you'll see a list of interfaces. Double-click on the one you want to capture on (this is assuming you're using 1.8.x or later) and you'll see a field called "Capture Filter".
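
The mix-up in this thread (capture filter syntax typed into the display filter box) can be made concrete with a small translator. This is an added example, not part of the original thread or Wireshark's own code; the function name `capture_to_display` and the supported subset are assumptions of the sketch, and it goes slightly beyond the thread by also handling `src host`/`dst host` and IPv6 literals.

```python
import ipaddress

# Display-filter field for each capture-filter direction qualifier, per IP version.
FIELDS = {
    4: {"": "ip.addr", "src": "ip.src", "dst": "ip.dst"},
    6: {"": "ipv6.addr", "src": "ipv6.src", "dst": "ipv6.dst"},
}
# Logical operators and grouping are spelled the same in both filter languages.
LOGIC = {"and", "or", "not", "&&", "||", "!", "(", ")"}


def capture_to_display(capture_filter):
    """Translate a host-only capture filter into a display filter.

    Supported terms: [src|dst] host <literal IP>, combined with and/or/not
    and parentheses. Anything else (ports, nets, hostnames) raises ValueError
    instead of guessing at an equivalent.
    """
    tokens = capture_filter.replace("(", " ( ").replace(")", " ) ").split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in LOGIC:
            out.append(tok)
            i += 1
            continue
        direction = ""
        if tok in ("src", "dst"):
            direction = tok
            i += 1
            tok = tokens[i].lower() if i < len(tokens) else ""
        if tok != "host" or i + 1 >= len(tokens):
            near = tokens[min(i, len(tokens) - 1)]
            raise ValueError(f"unsupported capture filter term near {near!r}")
        # ip_address() raises ValueError for anything that is not a literal IP.
        addr = ipaddress.ip_address(tokens[i + 1])
        out.append(f"{FIELDS[addr.version][direction]} == {addr}")
        i += 2
    return " ".join(out)


if __name__ == "__main__":
    # The filter from the question, as it belongs in the display filter box.
    print(capture_to_display("host 192.168.1.1 and host 192.168.1.2"))
```
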