This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A bit advanced filter

0

Hello, in the Wireshark filter I can display all packets destined to 10.0.0.1 address:

ip.dst == 10.0.0.1

After that Wireshark will show a lot of packets with different IP source addresses. It is clear.

But how can I display packets with other IP destinations with exactly the above IP sources (if there are any)? I can check each IP source but it is a long and time-consuming process.

Simply: "display packets destined to 10.0.0.2, but only these having the same source addresses which we can find in another packets source addresses destined to 10.0.0.1"

asked 07 Nov '13, 14:49

net16
accept rate: 0%


2 Answers:

1

so, you want to do this:

100.100.100.100 -> 10.0.0.1
200.200.200.200 -> 10.0.0.1

then create a filter that shows only frames from 100.100.100.100 and/or 200.200.200.200 to 10.0.0.2, like the marked frames below.

100.100.100.100 -> 10.0.0.2
1.2.3.4 -> 10.0.0.2
10.1.1.1 -> 10.0.0.2
200.200.200.200 -> 10.0.0.2

That is not possible with a simple display filter, as it would require a conditional filter, based on attributes of other frames.

What you can do:

Run tshark to find all source addresses. Then build a display filter with that list and apply that filter in Wireshark.

Linux: tshark -nr input.pcap -Y "ip.dst == 10.0.0.1" -T fields -e ip.src | sort -u

You will get the following list:

100.100.100.100
200.200.200.200

Now create the display filter

(ip.addr eq 100.100.100.100 and ip.addr eq 10.0.0.2) or (ip.addr eq 200.200.200.200 and ip.addr eq 10.0.0.2)

or

ip.addr eq 10.0.0.2 and (ip.addr eq 100.100.100.100 or ip.addr eq 200.200.200.200)

With a small script you should be able to automate this process.

Regards
Kurt

answered 07 Nov '13, 15:02

Kurt Knochner ♦
accept rate: 15%

edited 07 Nov '13, 15:11
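The "small script" the answer above mentions, written out as an added example (it is not part of the original answer and not a Wireshark or tshark tool). Step 1 wraps the tshark command from the answer; step 2 turns the resulting address list into a display filter. The function names sources_to and build_filter, the file name input.pcap and the sample address list are this example's own assumptions. Unlike the ip.addr form in the answer, the generated filter uses ip.dst and ip.src, so it keeps only packets actually sent to the second destination by one of the collected sources, not replies flowing the other way.

```shell
#!/bin/sh
# Added example (not from the original answer): automate the two-step
# procedure. Step 1 collects the source addresses of packets sent to one
# destination with tshark; step 2 builds a display filter for packets sent
# to a second destination from exactly those sources.
# sources_to, build_filter and input.pcap are this example's own names,
# not Wireshark or tshark identifiers.

# Step 1: print the unique IPv4 sources that sent packets to $1 in capture $2.
# Requires tshark; "-T fields -e ip.src" prints one source address per packet.
sources_to() {
    dst=$1
    pcap=$2
    tshark -nr "$pcap" -Y "ip.dst == $dst" -T fields -e ip.src | sort -u
}

# Step 2: read one address per line on stdin and emit a display filter that
# keeps only packets sent to $1 by one of those addresses. Blank lines and
# duplicates are dropped. An empty list is an error rather than silently
# producing the over-broad filter "ip.dst == $1".
build_filter() {
    dst=$1
    clause=""
    seen=""
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        case " $seen " in *" $src "*) continue ;; esac
        seen="$seen $src"
        if [ -z "$clause" ]; then
            clause="ip.src == $src"
        else
            clause="$clause || ip.src == $src"
        fi
    done
    if [ -z "$clause" ]; then
        printf 'build_filter: no source addresses on stdin\n' >&2
        return 1
    fi
    printf '%s\n' "ip.dst == $dst && ($clause)"
}

# Real usage (needs tshark and a capture file):
#   sources_to 10.0.0.1 input.pcap | build_filter 10.0.0.2
#
# Offline demonstration with a constructed address list: the two addresses
# from the answer above, one of them repeated to show de-duplication.
if [ "${1:-}" = "demo" ]; then
    printf '100.100.100.100\n200.200.200.200\n100.100.100.100\n' | build_filter 10.0.0.2
fi
```

Paste the printed line into the Wireshark filter bar. With hundreds of sources the "||" chain gets long; current Wireshark versions also accept a set, ip.src in {100.100.100.100 200.200.200.200}, which is easier to read, and the loop above can be changed to emit that form instead.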

Kurt, thank you for your answer. I was doing exactly as you have written, but the IP list I obtained by the Conversation statistics method (as Jasper wrote). I hoped that I could use a conditional filter in such a manner. I have quite a lot of similar problems and a conditional filter would be very useful. Regards.

(07 Nov '13, 15:49) net16

I have quite a lot of similar problems and a conditional filter would be very useful.

yes, but there is no conditional filter

Your options are:

  • file an enhancement bug at https://bugs.wireshark.org but don't expect too much, as that would be a rather tough thing to implement
  • use tshark and some scripting to automate the process, as I have shown
(07 Nov '13, 15:54) Kurt Knochner ♦

It is expectation rather than a bug ;) but perhaps I will try to report it. Thank you very much!

(07 Nov '13, 16:55) net16

enhancement 'bug' ;-)

(07 Nov '13, 17:05) Kurt Knochner ♦

1

That's what the conversation statistics are used for. Filter on either the source or the destination you want, and then use the conversation statistics with "Limit to display filter" checked. Go to the "IPv4" tab and you'll see all addresses the filtered address talks to. You can then either export that list, or filter from there on specific connections by using the popup menu.

answered 07 Nov '13, 15:02

Jasper ♦♦
accept rate: 18%

Jasper, thank you for your answer. I have tried Conversation statistics earlier, but I received hundreds of addresses destined to 10.0.0.1 in the IPv4 list and it was not helpful. But what do you mean by "filter from there on specific connections by using the popup menu"? I can only copy the list of addresses and manually write the filter rule as I was doing.

(07 Nov '13, 15:39) net16
1

you can right click on any connection in the list and use the popup menu to filter on the connection. It will replace your existing display filter and modify your Conversation Statistics as well though.

(07 Nov '13, 17:21) Jasper ♦♦

ok, thank you very much!

(07 Nov '13, 18:08) net16