
Capture Filter

0

Hi, What is the syntax in the latest Wireshark version to select 2 ip addresses for a capture filter? Thanks. Eric

asked 18 Oct '17, 08:53


ekatow
accept rate: 0%

The syntax is the same as it's always been as it's BPF syntax as shown here.

Do you only want packets between the 2 IP addresses or packets to or from either address?

(18 Oct '17, 09:08) grahamb ♦

Traffic to and from either address

(18 Oct '17, 09:12) ekatow

For example, you want to see all traffic to or from 192.9.200.1 and all traffic to or from 192.9.200.2, regardless of what host traffic to 192.9.200.{1,2} is coming from and what host traffic from 192.9.200.{1,2} is going to?

(18 Oct '17, 09:25) Guy Harris ♦♦

Ideally, I want to see what is coming from 192.9.200.1 (requests) and what is coming from 192.9.200.2 (responses).

(18 Oct '17, 09:27) ekatow

I.e., you want to see all traffic from 192.9.200.1 and all traffic from 192.9.200.2?

What about traffic to those hosts?

Or do you only want the traffic between 192.9.200.1 and 192.9.200.2, i.e. packets from 192.9.200.1 to 192.9.200.2 and packets from 192.9.200.2 to 192.9.200.1, and no packets from or to one of those hosts to or from any third host?

(18 Oct '17, 09:30) Guy Harris ♦♦

only want the traffic between 192.9.200.1 and 192.9.200.2, i.e. packets from 192.9.200.1 to 192.9.200.2 and packets from 192.9.200.2 to 192.9.200.1.

(18 Oct '17, 09:31) ekatow

Still unclear to me; the filter doesn't know about requests and responses, only source and destination. Given hosts of interest, a & b, there can be the following types of traffic:

  1. a -> b
  2. b -> a
  3. a -> somewhere other than b
  4. somewhere other than b -> a
  5. b -> somewhere other than a
  6. somewhere other than a -> b
  7. somewhere other than a or b -> somewhere other than a or b

Which of these do you want?

(18 Oct '17, 09:34) grahamb ♦

1 and 2: From a to b, and what b had to say about what a sent.

(18 Oct '17, 09:37) ekatow

One Answer:

0

If you want "packets from 192.9.200.1 to 192.9.200.2 and packets from 192.9.200.2 to 192.9.200.1", then the capture filter would be

(ip src 192.9.200.1 and ip dst 192.9.200.2) or (ip src 192.9.200.2 and ip dst 192.9.200.1)

You can also use host names, but you'd have to use ip6 rather than ip to check for IPv6 packets.

This will not, however, limit itself to, for example, requests from 192.9.200.1 and responses to those requests from 192.9.200.2; it will include all packets, whether the ones from 192.9.200.1 happen to be requests or not and whether the ones from 192.9.200.2 happen to be responses or not. All that filter looks at are IP addresses in the IPv4 header (or, for ip6, in the IPv6 header).

answered 18 Oct '17, 09:47


Guy Harris ♦♦
accept rate: 19%

If you want traffic in both directions, you could shorten this to "host 192.9.200.1 and host 192.9.200.2".

(19 Oct '17, 16:27) Jim Aragon
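As an added illustration that is not part of the original thread, the following Python models the semantics of the answer's filter and of Jim Aragon's shorter "host A and host B" form over grahamb's seven traffic categories, using a constructed third host (10.0.0.9) for the "somewhere other than" cases; it also shows why writing "or" instead of "and" would keep far more than categories 1 and 2.

```python
# Hosts from the thread plus constructed third-party addresses (X, Y) for the
# "somewhere other than a/b" cases.
A, B, X, Y = "192.9.200.1", "192.9.200.2", "10.0.0.9", "10.0.0.10"

# grahamb's seven traffic categories, one representative (src, dst) packet each.
CATEGORIES = {
    1: (A, B),  # a -> b
    2: (B, A),  # b -> a
    3: (A, X),  # a -> somewhere other than b
    4: (X, A),  # somewhere other than b -> a
    5: (B, X),  # b -> somewhere other than a
    6: (X, B),  # somewhere other than a -> b
    7: (X, Y),  # neither a nor b involved
}


def build_filter(a: str, b: str) -> str:
    """The capture filter from the answer, with the two addresses substituted in."""
    return f"(ip src {a} and ip dst {b}) or (ip src {b} and ip dst {a})"


def explicit_filter(src: str, dst: str) -> bool:
    """Semantics of build_filter(): exactly the two directed pairs a->b and b->a."""
    return (src == A and dst == B) or (src == B and dst == A)


def host_and_filter(src: str, dst: str) -> bool:
    """'host A and host B': both addresses must appear, in either field.
    A packet has only two address fields, so if both A and B are present one
    must be the source and the other the destination, which is why this is
    equivalent to the explicit form."""
    return A in (src, dst) and B in (src, dst)


def host_or_filter(src: str, dst: str) -> bool:
    """'host A or host B': either address in either field; much broader."""
    return A in (src, dst) or B in (src, dst)


def kept_categories(pred) -> set:
    """Return the set of category numbers a filter predicate would keep."""
    return {n for n, (src, dst) in CATEGORIES.items() if pred(src, dst)}


if __name__ == "__main__":
    print(build_filter(A, B))
    for name, pred in [("explicit", explicit_filter),
                       ("host and", host_and_filter),
                       ("host or", host_or_filter)]:
        print(f"{name:9s} keeps categories {sorted(kept_categories(pred))}")
```

The model only reproduces the filters' address logic; as the answer notes, neither form distinguishes requests from responses, and the "ip" qualifier restricts matching to IPv4 headers.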