version 1.6.4, Windows 7, 64 bit, connected to a router then a cable modem. Start WireShark then select Capture -> Captures Filters ... Enter Filter name: "aaa" Filter String: "src port 64.4.231.55" then Select New and restart the capture. The captured packets include data other than those with a source other than specified. How do I get the capture to work? Thanks for your time asked 22 Nov '11, 15:52 bkelly |
3 Answers:
When you select "Capture -> Capture Filters" you will get a window in which you can define, alter and delete capture filters for future use. You can't actually activate a capture filter from there. One of the reasons is that some capture filters might work on some physical interfaces while they might not work on others. That's why you need to activate a capture filter with the capture options when you start your capture session. Go to "Capture -> Options" and use the "Capture Filter" button to select your pre-defined capture filter. Or just type the filter you need in the dialog box. If you're using version 1.7.0 (or higher), you will need to doubleclick on the interface you are going to capture from first, as you can capture on multiple interfaces at once beginning with version 1.7.0 and you can set the capture filter differently for each interface. answered 23 Nov '11, 00:17 SYN-bit ♦♦ |
Two comments:
Do you mean "src host ..." ?
Just creating a named Capture Filter in the Capture Filters window directly doesn't actually set the capture filter to be used on an interface. answered 22 Nov '11, 17:50 Bill Meier ♦♦ edited 22 Nov '11, 17:53 |
I think the "Filtering while capturing" section of the user guide, along with the information hyperlinked from that page, should provide all the help you need, not just for this particular filtering operation, but for any other capture filter you (and others) might need in the future. answered 22 Nov '11, 18:04 cmaynard ♦♦ I had the wrong phrase so I changed it to "src host 69.4.231.55", clicked OK, and none of the packets were from that host. Re: 1.Are you starting from the "Capture Options" window to set the Capture Filter ? Specifically: Do Capture ! Options then select the Capture Filters button. I am not sure I am reading you correctly. If I provide my steps maybe you can identify my error. I start WireShark then select the one interface and click start. From the menu bar between Go and Analyze I select Capture then menu item Capture Filters. Having done this a few times I scroll the window down and select "aaa" That puts "aaa" in the filter name and "src host 69.4.231.55" in the Filter string: Then I click OK. Then I select the tool "Restart the running live capture." After that I do something like click a link in another tab (as I type this in.) There are all kinds of packets captured other than from the host specified. EDIT: From the help file I read: Example 4.1. A capture filter for telnet that captures traffic to and from a particular host tcp port 23 and host 10.0.0.5 And presume that if I enter "host 69.4.231.55" I should see packets only from that one host. I tried exactly that and it did not filter. (22 Nov '11, 18:09) bkelly (Oops, I converted your answer to a comment on the answer to which it doesn't belong. However, please use "add comment" to respond to answers. Have a look at the FAQ for more details) (23 Nov '11, 00:10) SYN-bit ♦♦ |
That did the trick. That path I followed, in my not so humble opinion, shoud have worked. And when I follow this path and bring up options again, it does not show the filter currently in use. The user cannot build on what has already been entered. Making these two changes would be a significant improvement.
That said, Again I must say, thank you for the information and for taking time to post. This does help. You just started out my day on an excelent note.
I made significant progress as noted above. Now I am having trouble filtering out some packets. this works:
host 192.10.11.227
But these are rejected:
host 192.10.11.227 and not proto arp
host 192.10.11.227 and proto not arp
proto not arp and host 192.10.11.227
not proto arp and host 192.10.11.227
So I went to an extreme and entered only
proto arp
which was rejected. From my reading of the help file, some of these should be valid, and certainly the last should be. So here is my question:
What expression is required to get all packets to and from host 192.10.11.227 while rejecting all ARP packets?
ARP is not a protocol that runs on-top of IP, but at the same level as IP, therefor "(ip) proto arp" is not a valid expression.
What you want is:
Regarding your path to a filter. I agree it would be nice to be able to make a capture filter active from the "Capture -> Filters" dialog. However, there are two main problems with that path:
1) Not all capture filters are valid on all interfaces. For example "ether host 00:11:22:33:44:55" is not valid on a PPP interface.
2) You can't change a capture filter on a running job (yet)