This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter packets between two devices in a capture

0

Hello,

I want to filter communication between two devices in a capture, regardless of whether the device is the sender or the receiver of a packet. Device 1 has the IP address 192.168.12.160 and device 2 has 192.168.12.161. How can I do that? Thanks.

Darius

asked 18 May '16, 06:24


Darius
6112
accept rate: 0%

Thank you for the quick answers.

(18 May '16, 07:14) Darius

2 Answers:

0

ip.addr==192.168.12.160 and ip.addr==192.168.12.161

The "ip.addr" field matches if either the source or the destination field matches, so if you force both with "and" you'll only get conversations between those two.

answered 18 May '16, 06:29


Jasper ♦♦
23.8k551284
accept rate: 18%
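To make the "either source or destination" semantics of ip.addr concrete, here is an added example (not from the original Q&A, and not Wireshark's own code) that models the filter logic over a handful of constructed packets. It shows why "ip.addr==A and ip.addr==B" selects the whole two-way conversation, why "ip.src==A and ip.dst==B" only gives one direction, and why "ip.addr==A or ip.addr==B" pulls in everything either device ever talks to. The sample addresses reuse the ones from the question plus a made-up gateway address; the packet list is constructed, not a real capture.

```python
"""Model of Wireshark display-filter matching on IPv4 addresses.

Added example, not part of the original Q&A. The Packet class and the
sample traffic below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List

Predicate = Callable[["Packet"], bool]


@dataclass(frozen=True)
class Packet:
    src: str   # ip.src
    dst: str   # ip.dst
    info: str  # short description, used as the "row" in results


# Constructed sample traffic: the two devices from the question plus a
# hypothetical gateway at 192.168.12.1 (assumption, not from the page).
DEV1 = "192.168.12.160"
DEV2 = "192.168.12.161"
GATEWAY = "192.168.12.1"

SAMPLE: List[Packet] = [
    Packet(DEV1, DEV2, "dev1 -> dev2"),
    Packet(DEV2, DEV1, "dev2 -> dev1"),
    Packet(DEV1, GATEWAY, "dev1 -> gateway"),
    Packet(GATEWAY, DEV2, "gateway -> dev2"),
    Packet(GATEWAY, DEV1, "gateway -> dev1"),
]


def ip_addr(value: str) -> Predicate:
    """ip.addr==value: true if value is the source OR the destination."""
    return lambda p: p.src == value or p.dst == value


def ip_src(value: str) -> Predicate:
    """ip.src==value: true only if value is the source."""
    return lambda p: p.src == value


def ip_dst(value: str) -> Predicate:
    """ip.dst==value: true only if value is the destination."""
    return lambda p: p.dst == value


def both(a: Predicate, b: Predicate) -> Predicate:
    """The display-filter 'and' operator."""
    return lambda p: a(p) and b(p)


def either(a: Predicate, b: Predicate) -> Predicate:
    """The display-filter 'or' operator."""
    return lambda p: a(p) or b(p)


def apply_filter(packets: List[Packet], pred: Predicate) -> List[str]:
    """Return the info column of every packet the predicate accepts."""
    return [p.info for p in packets if pred(p)]


def conversation(packets: List[Packet], a: str, b: str) -> List[str]:
    """Equivalent of 'ip.addr==a and ip.addr==b': both directions, nothing else."""
    return apply_filter(packets, both(ip_addr(a), ip_addr(b)))


def one_direction(packets: List[Packet], a: str, b: str) -> List[str]:
    """Equivalent of 'ip.src==a and ip.dst==b': only a -> b."""
    return apply_filter(packets, both(ip_src(a), ip_dst(b)))


def either_device(packets: List[Packet], a: str, b: str) -> List[str]:
    """Equivalent of 'ip.addr==a or ip.addr==b': all traffic touching a or b."""
    return apply_filter(packets, either(ip_addr(a), ip_addr(b)))


if __name__ == "__main__":
    print("ip.addr==A and ip.addr==B :", conversation(SAMPLE, DEV1, DEV2))
    print("ip.src==A  and ip.dst==B  :", one_direction(SAMPLE, DEV1, DEV2))
    print("ip.addr==A or  ip.addr==B :", either_device(SAMPLE, DEV1, DEV2))
```

Running the script shows that only the "and" form of ip.addr yields exactly the two packets exchanged between the devices; the gateway traffic is excluded even though each of those packets involves one of the two addresses.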

Doesn't work for me.

I'm also trying to capture traffic between a router and a phone (VoIP).

I have Wireshark 2.0.4; the network is an IP-VPN.

The PC with Wireshark has IP 10.11.7.20, the router has IP 10.11.27.254 and the phone has IP 10.11.27.7.

I can ping from 10.11.7.20 to 10.11.27.254 and 10.11.27.7.

When I set the display filter ip.addr==10.11.27.254 and ip.addr==10.11.27.7, the traffic is not shown.

What am I doing wrong?

(13 Jul '16, 02:33) George Bonset

Be more specific about the exact hardware interconnection you use. E.g. if your capturing PC is connected to a normal port of a switch to which the IP phone and the router are also connected, the traffic you are interested in never reaches the switch port to which your PC is connected, hence you cannot capture it. See the Wireshark Wiki on capture setup for details.

(13 Jul '16, 02:52) sindy

So you cannot use Wireshark on a remote PC then, even if it's in an IP-VPN network.

(13 Jul '16, 03:05) George Bonset

That depends on what exactly "remote" means. You haven't provided your topology, but I assume that your PC has a normal internet connection and a VPN interface which gets an address from the 10.11.7.0/24 subnet, while the devices you wish to capture are in the 10.11.27.0/24 subnet. In this case, your chances for direct capture are very low because there is routing between the two subnets.

If, however, both your PC's VPN address and the two remote devices are in the 10.11.0.0/16 subnet, your chances are higher if you can convince the virtual switch at the remote end to send a copy of the traffic between the two devices to your VPN interface's virtual MAC address.

It may also be possible to run a capture directly on the router and let it store it into a file (many of them allow this, albeit most of them have storage space limitations, so you can only capture short periods of time) or, instead, to have it send you a copy of the traffic matching a capture filter, encapsulated into UDP packets with a special header (this is what e.g. Mikrotik routers can do).

If the router is Linux-based, you may run tcpdump on it, saving the capture to a file and downloading the file for opening in Wireshark on your PC, or pipe it to the PC if storage space is small (see other questions on this site for a howto).

For capturing at one of the devices involved in the captured communication (the router) one way or another, it is not important whether your PC's VPN interface shares a subnet with the captured devices' interfaces or not.

(13 Jul '16, 03:53) sindy

0

Have a look at using ip.addr in your address filter. It is created for both the source and the destination IPv4 address. You can find more info in the Wiki and in the User's Guide.

answered 18 May '16, 06:33


Jaap ♦
11.7k16101
accept rate: 14%