Wireshark-users: Re: [Wireshark-users] Capture filter for ARP, DNS and PING


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 06 Jan 2008 19:45:11 -0800

nilay yildirim wrote:
> Thanks. So how about if I wanted to only capture all packets to and from 10.10.10.10 (host IP address) but just arp, dns and ping? What does this change? Or do I need to create another filter?

ARP packets don't go to or from IP addresses - they go to or from MAC addresses, so you can't capture ARP traffic to or from 10.10.10.10, as that notion makes no sense.

However, you could do

host 10.10.10.10 and (port domain or icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply)

which will capture DNS and ICMP ping traffic to or from 10.10.10.10.
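
Added example, not part of the original message: a small Python model of the filter above, run over constructed frames, to show which packets it keeps. The names `matches`, `build` and `classify` and the 192.0.2.x peer addresses are assumptions made for the illustration.

```python
import struct

HOST = bytes([10, 10, 10, 10])        # address from the filter
ICMP_ECHO, ICMP_ECHOREPLY = 8, 0      # values behind icmp-echo / icmp-echoreply

def matches(frame: bytes) -> bool:
    """Apply the filter's logic to one Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False                  # not IPv4: no port or icmp test can match
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    if HOST not in (src, dst):        # host 10.10.10.10
        return False
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return False                  # later fragment carries no L4 header
    l4 = ip[ihl:]
    if proto == 1 and l4:             # icmp[icmptype] is byte 0 of the ICMP header
        return l4[0] in (ICMP_ECHO, ICMP_ECHOREPLY)
    if proto in (6, 17, 132) and len(l4) >= 4:   # port domain: TCP/UDP/SCTP 53
        sport, dport = struct.unpack("!HH", l4[:4])
        return 53 in (sport, dport)
    return False

def build(src, dst, proto, l4, ethertype=0x0800):
    """Constructed Ethernet + IPv4 frame for the demo (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + ip + l4

A, B, C = (10, 10, 10, 10), (192, 0, 2, 7), (192, 0, 2, 8)   # B, C: constructed peers
DNS = struct.pack("!HHHH", 40000, 53, 8, 0)                  # UDP header, dport 53
SAMPLES = {
    "dns query from host": build(A, B, 17, DNS),
    "echo request to host": build(B, A, 1, bytes([8, 0, 0, 0, 0, 1, 0, 1])),
    "dest unreachable": build(B, A, 1, bytes([3, 1, 0, 0, 0, 0, 0, 0])),
    "http from host": build(A, B, 6, struct.pack("!HH", 40000, 80) + bytes(16)),
    "dns between others": build(B, C, 17, DNS),
    "non-IP ethertype 0x0806": build(A, B, 0, b"", ethertype=0x0806),
}

def classify():
    return {name: matches(f) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:26} {'captured' if hit else 'dropped'}")
```

Only the DNS query and the echo request are kept; other ICMP types, other ports, traffic between other hosts and non-IPv4 frames are dropped.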
