This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

mDNS Protocol filtering

0

I know that for some protocols, such as http, you can just type "http" in the filter box and wireshark will filter it. However, this doesn't seem to work for many protocols, including MDNS, which is what I'm trying to filter on right now.

Is there a way to filter on what is ACTUALLY displayed in the PROTOCOL column of the list?

asked 02 Aug '13, 07:22

ev1lr0b0t's gravatar image

ev1lr0b0t
1224
accept rate: 50%

One Answer:

1

However, this doesn't seem to work for many protocols, including MDNS,

You can only search for those 'fields' that are registered by a dissector. As the DNS dissector (which also handles MDNS), does not register a field "MDNS", you can't search for it.

Is there a way to filter on what is ACTUALLY displayed in the PROTOCOL column of the list?

No, that's currently not possible, as there is no way to do a text search in the columns itself.

A possible solution for your problem is this display filter.

dns and udp.port eq 5353

which is a simple definition for MDNS. You can also include the multicast IP

dns and udp.port eq 5353 and ip.addr eq 224.0.0.0/24

Regards
Kurt

answered 08 Aug '13, 02:28

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%