This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter only if conditions are met?

0

Hi all, I need some help with Wireshark.

I created the filter below:

(ip.src==10.70.40.56) || (ip.src==10.70.40.82) || (ip.dst==10.70.40.56) || (ip.dst==10.70.40.82) || (ip.dst==10.101.30.48) || (ip.src==10.101.30.48) || (eth.addr ==D0:87:E2:23:E0:0E)

However, it shows everything containing these IPs. I want Wireshark to only display output if all of the above conditions are met, so if the MAC address condition is not met or another condition is not met, I don't want to see it in the output. I only want it to be shown in the output if all the above conditions are met. Does anyone know how to do this? Thanks

asked 19 Oct '15, 07:52


sheraz35
6112
accept rate: 0%


3 Answers:

0

Change the logical or's (||) to logical and's (&&).

answered 19 Oct '15, 07:56


Jim Aragon
7.2k733118
accept rate: 24%

That will not work. The expression has multiple ip.src and ip.dst filters. If all ORs are replaced by ANDs, then nothing will be displayed. For example,

(ip.src==10.70.40.56) && (ip.src==10.70.40.82) ==> how can a packet have 2 IP sources (assuming no tunneling)?

@sheraz35: you will need to do a combination of ANDs and ORs to get what you need.

(19 Oct '15, 08:33) Amato_C

Amato_C, you are, of course, right. I read (hastily) "I want Wireshark to only display output if all of the above conditions are met." mrEEde's response is probably what is wanted.

(19 Oct '15, 11:46) Jim Aragon

0

This may be what you want to achieve ...

eth.addr ==D0:87:E2:23:E0:0E && (ip.addr==10.70.40.56 || ip.addr==10.70.40.82 || ip.addr==10.70.40.82)

answered 19 Oct '15, 10:08


mrEEde
3.9k152270
accept rate: 20%

0

While thinking about your description, I can see two 'plausible' filters.

Filter #1: communication between the IP addresses (src and dst) and/or the MAC address

eth.addr ==D0:87:E2:23:E0:0E or ((ip.addr == 10.70.40.56 or ip.addr == 10.70.40.82 or ip.addr == 10.101.30.48 ) and (ip.addr == 10.70.40.56 or ip.addr == 10.70.40.82 or ip.addr == 10.101.30.48))

But that filter does not make much sense to me, so I came up with the second filter.

Filter #2: communication between the addresses 10.70.40.x <-> 10.101.30.48 through a certain gateway D0:87:E2:23:E0:0E

eth.addr == D0:87:E2:23:E0:0E and (ip.addr == 10.101.30.48 and (ip.addr == 10.70.40.56 or ip.addr == 10.70.40.82))

Regards
Kurt

answered 19 Oct '15, 16:15


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 19 Oct '15, 16:53
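As an added illustration that is not part of this thread (and not Wireshark's own code), the following Python model evaluates the filters discussed above (the questioner's all-OR filter, the all-AND variant Amato_C rejects, mrEEde's filter as posted, and Kurt's filter #2) against a handful of constructed packets. It reproduces the two Wireshark semantics that matter here: ip.addr matches either the source or the destination IP, and eth.addr matches either MAC, compared case-insensitively. The packet set, the host MACs and the helper names are assumptions made up for the demonstration.

```python
# Added example (not from the original thread): a small model of Wireshark
# display-filter field semantics, used to compare the filters posted above.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    """Only the fields the thread's filters refer to (constructed, not captured)."""
    label: str
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str


def eth_addr(p: Packet, mac: str) -> bool:
    # eth.addr matches the source OR the destination MAC; MACs compare case-insensitively.
    return mac.lower() in (p.eth_src.lower(), p.eth_dst.lower())


def ip_addr(p: Packet, ip: str) -> bool:
    # ip.addr matches the source OR the destination IP.
    return ip in (p.ip_src, p.ip_dst)


def ip_src(p: Packet, ip: str) -> bool:
    return p.ip_src == ip


def ip_dst(p: Packet, ip: str) -> bool:
    return p.ip_dst == ip


# Addresses from the thread; GW is the MAC the questioner filters on.
GW = "D0:87:E2:23:E0:0E"
A, B, C = "10.70.40.56", "10.70.40.82", "10.101.30.48"

FILTERS: Dict[str, Callable[[Packet], bool]] = {
    # The questioner's filter: every clause OR'd, so any single match shows the packet.
    "all_or": lambda p: (ip_src(p, A) or ip_src(p, B) or ip_dst(p, A) or ip_dst(p, B)
                         or ip_dst(p, C) or ip_src(p, C) or eth_addr(p, GW)),
    # The same clauses with || replaced by &&: one packet cannot carry two source
    # IPs, so this can never be true (Amato_C's point).
    "all_and": lambda p: (ip_src(p, A) and ip_src(p, B) and ip_dst(p, A) and ip_dst(p, B)
                          and ip_dst(p, C) and ip_src(p, C) and eth_addr(p, GW)),
    # mrEEde's filter exactly as posted (its third ip.addr term repeats 10.70.40.82).
    "mreede": lambda p: eth_addr(p, GW) and (ip_addr(p, A) or ip_addr(p, B) or ip_addr(p, B)),
    # Kurt's filter #2: 10.70.40.x <-> 10.101.30.48 traffic seen on the gateway MAC.
    "kurt_2": lambda p: eth_addr(p, GW) and (ip_addr(p, C) and (ip_addr(p, A) or ip_addr(p, B))),
}

# Constructed sample traffic; host MACs are placeholders, the gateway MAC is written
# in lowercase to show that the comparison is case-insensitive.
PACKETS: List[Packet] = [
    Packet("A->C via gw", "aa:aa:aa:00:00:01", "d0:87:e2:23:e0:0e", A, C),
    Packet("C->B via gw", "d0:87:e2:23:e0:0e", "aa:aa:aa:00:00:02", C, B),
    Packet("B->A via gw", "aa:aa:aa:00:00:02", "d0:87:e2:23:e0:0e", B, A),
    Packet("A->local", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:03", A, "10.70.40.1"),
    Packet("C->other via gw", "aa:aa:aa:00:00:04", "d0:87:e2:23:e0:0e", C, "10.9.9.9"),
    Packet("unrelated", "aa:aa:aa:00:00:07", "aa:aa:aa:00:00:08", "192.168.1.10", "192.168.1.20"),
]


def matches(filter_name: str, packets: List[Packet] = PACKETS) -> List[str]:
    """Return the labels of the packets the named filter would display."""
    predicate = FILTERS[filter_name]
    return [p.label for p in packets if predicate(p)]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:8s} -> {matches(name)}")
```

Running it shows the contrast the answers describe: the all-OR filter displays every packet that touches any one address, the all-AND filter displays nothing, mrEEde's filter keeps everything on the gateway MAC that involves either 10.70.40.x host (including the 10.70.40.82 to 10.70.40.56 packet), and Kurt's filter #2 narrows that further to the 10.70.40.x to 10.101.30.48 conversations.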