This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter Capturing

0

Hello, I have some problems with filter capturing. Is it possible to capture only one IP address? For example, I want to capture IP 10.10.10.1 or www.youtube.com; how can I do that?

asked 26 Jul '17, 23:57

Samann
accept rate: 0%


One Answer:

0

Capture filter syntax differs from display filter syntax, so to capture only 10.10.10.1, you need to use host 10.10.10.1.

However, there is no capture syntax for FQDN (like www.youtube.com) for many reasons:

  • translation of FQDN to IP address is done using DNS, and there is no feedback from the dissection of the DNS response to the capture filter, leaving aside that the DNS responses are locally cached

  • a single FQDN may translate to several IP addresses (for load sharing and reliability purposes)

  • several FQDNs may be hosted on a single IP address, so you cannot determine which flow belongs to which FQDN by just the IP address.

answered 27 Jul '17, 00:11

sindy
accept rate: 24%
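
An added example, not part of the original answer or of Wireshark: a Python helper that turns one resolver snapshot of an FQDN into a `host ... or host ...` capture filter, and reports which addresses from a later resolution that fixed filter would miss, which is the gap the first two bullets describe. The function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import socket


def resolve(fqdn):
    """Addresses the local resolver returns for fqdn at this moment (needs network)."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _parse(addresses):
    # ip_address() raises ValueError on anything that is not a literal IP,
    # so stray text can never end up inside the filter expression.
    return {ipaddress.ip_address(a.split("%")[0]) for a in addresses}


def capture_filter(addresses):
    """Build a capture filter that matches any of the given IP addresses."""
    ips = _parse(addresses)
    if not ips:
        raise ValueError("no addresses to filter on")
    ordered = sorted(ips, key=lambda ip: (ip.version, int(ip)))
    return " or ".join(f"host {ip}" for ip in ordered)


def missed_by(filter_addresses, later_addresses):
    """Addresses seen in a later resolution that the existing filter does not cover."""
    gap = _parse(later_addresses) - _parse(filter_addresses)
    return [str(ip) for ip in sorted(gap, key=lambda ip: (ip.version, int(ip)))]


if __name__ == "__main__":
    # Constructed sample data: two resolutions of the same name, minutes apart.
    first = ["198.51.100.7", "192.0.2.10", "192.0.2.10", "2001:db8::1"]
    later = ["192.0.2.10", "203.0.113.5"]
    print("capture filter:", capture_filter(first))
    print("not captured after re-resolution:", missed_by(first, later))
    # With network access: print(capture_filter(resolve("www.youtube.com")))
```

The resulting string is only as current as the resolution it was built from, and it also captures traffic for any other name hosted on the same addresses.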