Hi all, need some help with Wireshark. I created the below filter:

(ip.src==10.70.40.56) || (ip.src==10.70.40.82) || (ip.dst==10.70.40.56) || (ip.dst==10.70.40.82) || (ip.dst==10.101.30.48) || (ip.src==10.101.30.48) || (eth.addr ==D0:87:E2:23:E0:0E)

However, it shows everything containing these IPs. I want Wireshark to only display output if all of the above conditions are met, so if the MAC address condition is not met or another condition is not met I don't want to see it in the output. I only want it to be shown in the output if all the above conditions are met. Does anyone know how to do this? Thanks

asked 19 Oct '15, 07:52 sheraz35
3 Answers:
Change the logical or's (||) to logical and's (&&).
answered 19 Oct '15, 07:56 Jim Aragon
This may be what you want to achieve ...
answered 19 Oct '15, 10:08 mrEEde
While thinking about your description, I can see two 'plausible' filters.
Filter #1: communication between the IP addresses (src and dst) and/or the MAC address
But that filter does not make much sense to me, so I came up with the second filter.
Filter #2: communication between the addresses 10.70.40.x <-> 10.101.30.48 through a certain gateway D0:87:E2:23:E0:0E
Regards
answered 19 Oct '15, 16:15 Kurt Knochner ♦ edited 19 Oct '15, 16:53
That will not work. The expression has multiple ip.src and ip.dst filters. If all OR's are replaced by AND's, then nothing will be displayed. For example,
(ip.src==10.70.40.56) && (ip.src==10.70.40.82) ==> how can a packet have 2 IP sources (assuming no tunneling)?
@sheraz35 = you will need to do a combination of AND's and OR's to get what you need.
Amato_C, you are, of course, right. I read (hastily) "I want Wireshark to only display output if all of the above conditions are met." mrEEde's response is probably what is wanted.
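
The AND/OR point from the comments above, as an added example that is not part of any poster's answer: a small Python model of the display-filter logic run over constructed packets. The `mixed` filter is one assumed reading of the goal (either 10.70.40.x host talking to 10.101.30.48 through the MAC in the question); the host MACs, the extra IP addresses and the packets are constructed.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "eth_src eth_dst ip_src ip_dst")

GW = "d0:87:e2:23:e0:0e"                  # MAC address from the question
CLIENTS = ("10.70.40.56", "10.70.40.82")  # 10.70.40.x hosts from the question
SERVER = "10.101.30.48"
HOSTS = CLIENTS + (SERVER,)

def ip_addr(p, a):
    """ip.addr == a: true if a is the source OR the destination."""
    return a in (p.ip_src, p.ip_dst)

def eth_addr(p, m):
    """eth.addr == m: true if m is the source OR the destination MAC."""
    return m in (p.eth_src, p.eth_dst)

def original_or(p):
    # The question's filter: any listed IP as src or dst, or the MAC.
    return any(ip_addr(p, h) for h in HOSTS) or eth_addr(p, GW)

def all_and(p):
    # Every || swapped for &&: ip.src must equal three different values at once.
    return (all(p.ip_src == h for h in HOSTS)
            and all(p.ip_dst == h for h in HOSTS) and eth_addr(p, GW))

def mixed(p):
    # (ip.addr==10.70.40.56 || ip.addr==10.70.40.82)
    #   && ip.addr==10.101.30.48 && eth.addr==d0:87:e2:23:e0:0e
    return (any(ip_addr(p, c) for c in CLIENTS)
            and ip_addr(p, SERVER) and eth_addr(p, GW))

M1, M2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed host MACs
PACKETS = [  # constructed sample traffic, not from a real capture
    Pkt(M1, GW, "10.70.40.56", SERVER),         # client -> server via gateway
    Pkt(GW, M2, SERVER, "10.70.40.82"),         # server -> client via gateway
    Pkt(M1, M2, "10.70.40.56", "10.70.40.82"),  # client <-> client, no gateway
    Pkt(M1, GW, "10.70.40.56", "192.0.2.10"),   # client -> other host via gateway
    Pkt(M2, GW, "10.70.40.99", "192.0.2.10"),   # unlisted host via gateway
    Pkt(M1, M2, "10.70.40.56", SERVER),         # client -> server, other path
    Pkt(M1, M2, "10.70.40.99", "192.0.2.10"),   # unrelated traffic
]

def matches(f):
    """Indexes of the constructed packets a filter would display."""
    return [i for i, p in enumerate(PACKETS) if f(p)]

if __name__ == "__main__":
    for f in (original_or, all_and, mixed):
        print(f.__name__, matches(f))
```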