This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

cannot join tshark packet capture filters

0

The following two filters work fine individually to block unwanted packets

tshark -i mon0 -f "not ether host AA:AA:AA:AA:AA:AA"

tshark -i mon0 -f "not ether host BB:BB:BB:BB:BB:BB"

but if i join the above filters,as shown below, then they do not block any packets.

tshark -i mon0 -f "not ether host AA:AA:AA:AA:AA:AA and not ether host BB:BB:BB:BB:BB:BB"

tshark ver = 1.10.2

asked 14 Jul '15, 11:38

packetgeek's gravatar image

packetgeek
6113
accept rate: 0%

edited 14 Jul '15, 11:44

One Answer:

0

You're using the wrong logical operator. Your filter as written will only block packets from AA:AA:AA:AA:AA:AA (hereafter "A") to BB:BB:BB:BB:BB:BB (hereafter "B") and from B to A. It sounds like you want to block all packets to and from A, and all packets to and from B, not just packets between A and B. Change your capture filter to:

-f "not (ether host AA:AA:AA:AA:AA:AA or ether host BB:BB:BB:BB:BB:BB)"

answered 14 Jul '15, 13:16

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%