This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter display for multiple IP’s

0

Hi

Can anyone help me to filter a display so that it shows all traffic between just three IP's, please?

I can successfully filter for two IP's,

ip.addr==x.x.x.x && ip.addr==y.y.y.y

but trying to filter the display so that it shows three IP's results in the majority of the capture being displayed.

Thanks!

asked 13 Oct '16, 08:06

Blood's gravatar image

Blood
6112
accept rate: 0%

One Answer:

0

If you name the 3 PC's a, b and c then the traffic you want is:

a -> b or a -> c
b -> a or b -> c
c -> a or c -> b

So that gives a filter of:

(ip.src == a && ((ip.dst == b) || (ip.dst == c))) || (ip.src == b && ((ip.dst == a) || (ip.dst == c))) || (ip.src == c && ((ip.dst == a) || (ip.dst == b)))

answered 13 Oct '16, 09:37

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 13 Oct '16, 12:34

2

Going with this notation it should be possible to compress this into

(ip.addr == A && (ip.addr == B || ip.addr == C)) || (ip.addr == B && ip.addr == C)

First part picks up the legs A <-> B and A <-> C, where the last part covers the leg B <-> C

(13 Oct '16, 12:08) Jaap ♦

Ha! No wonder I could not get it to work.

Thanks very much for the help!

(19 Oct '16, 07:48) Blood