This is our old Q&A Site. Please post any new questions and answers at

I just got back from Sharkfest (my first time) and am wicked fired up to try bold new things with Wireshark. As luck would have it, a perfect real-world problem dropped in my lap just this morning.

Background: Our customer sends medical imaging data (DICOM) to our load balancer on TCP port 104, which forwards it to the machine on which I am running dumpcap, and its counterpart, more or less evenly, when things are working correctly. The load balancer strips the original sending device's source IP and substitutes its own.

The customer may also send DICOM directly to this machine or its counterpart, which is "cheating" and not recommended, as it's a form of "cutting in line" and compromises the integrity of load balancing. My goals are two: (1) Determine how much DICOM the load balancer is sending us over a 24-hour period (we can only process so much, and if they send us more, it backs up in the input queue and the customer complains that the images are not timely visible), and (2) Determine whether the customer is cheating by sending directly to our DICOM processors rather than to the load balancer.

Unfortunately, this machine also sends DICOM out to port 104 on other machines, and that traffic is not relevant to our present inquiry. I have tried:

tcp port 104 and not src host [my ip] and not src host [the load balancer's ip]


tcp port 104 and not (src host [my ip] or src host [the load balancer's ip])

but neither one works. What should I be doing instead?

Thank you for your time and consideration.

Andrew Laurence

asked 21 Jun '13, 13:23

Andrew%20Laurence's gravatar image

Andrew Laurence
accept rate: 0%

dumpcap -i <interface> -f "tcp port 104 and (not src host <loadbalancerip> and not src host <urip>)" might be the filter to capture all the traffic coming to or from port 104 with source ip other than your load balancer (or your ip).

I guess you want to capture the traffic that is not source natted from loadbalancer.

dumpcap -i <interface> -f "tcp port 104 and src host<clientip>" might also work right?

permanent link

answered 21 Jun '13, 14:17

krishnayeddula's gravatar image

accept rate: 6%

edited 21 Jun '13, 14:18

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 21 Jun '13, 13:23

question was seen: 2,810 times

last updated: 21 Jun '13, 14:18

p​o​w​e​r​e​d by O​S​Q​A