This is a static archive of our old Q&A Site. Please post any new questions and answers at

Multiple NOT clauses in a capture filter


I just got back from Sharkfest (my first time) and am wicked fired up to try bold new things with Wireshark. As luck would have it, a perfect real-world problem dropped in my lap just this morning.

Background: Our customer sends medical imaging data (DICOM) to our load balancer on TCP port 104, which forwards it to the machine on which I am running dumpcap, and its counterpart, more or less evenly, when things are working correctly. The load balancer strips the original sending device's source IP and substitutes its own.

The customer may also send DICOM directly to this machine or its counterpart, which is "cheating" and not recommended, as it's a form of "cutting in line" and compromises the integrity of load balancing. My goals are two: (1) Determine how much DICOM the load balancer is sending us over a 24-hour period (we can only process so much, and if they send us more, it backs up in the input queue and the customer complains that the images are not timely visible), and (2) Determine whether the customer is cheating by sending directly to our DICOM processors rather than to the load balancer.

Unfortunately, this machine also sends DICOM out to port 104 on other machines, and that traffic is not relevant to our present inquiry. I have tried:

tcp port 104 and not src host [my ip] and not src host [the load balancer's ip]


tcp port 104 and not (src host [my ip] or src host [the load balancer's ip])

but neither one works. What should I be doing instead?

Thank you for your time and consideration.

Andrew Laurence

asked 21 Jun '13, 13:23

Andrew%20Laurence's gravatar image

Andrew Laurence
accept rate: 0%

One Answer:


dumpcap -i <interface> -f "tcp port 104 and (not src host <loadbalancerip> and not src host <urip>)" might be the filter to capture all the traffic coming to or from port 104 with source ip other than your load balancer (or your ip).

I guess you want to capture the traffic that is not source natted from loadbalancer.

dumpcap -i <interface> -f "tcp port 104 and src host<clientip>" might also work right?

answered 21 Jun '13, 14:17

krishnayeddula's gravatar image

accept rate: 6%

edited 21 Jun '13, 14:18