Wireshark-users: Re: [Wireshark-users] a question on capture filter
From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 24 Sep 2012 17:03:48 +0000 (UTC)
esolve esolve <esolvepolito@...> writes:

> Hi, I want to capture packets with a capture filter like:
>
>     host 138.56.169.25 and (not host 138.52.69.45) and (not ntp) and (not igmp)
>
> so the packets I want to capture are those with 138.56.169.25 as src/dst, but
> without 138.52.69.45 as src/dst, and they should not be ntp or igmp packets. But
> the capture results are not as expected. Does anyone know where it is wrong?
> Thanks!

You might try the following filter:

    (not udp port 123 and not igmp) and (ip src host 138.56.169.25 and not ip dst host 138.52.69.45) or (ip dst host 138.56.169.25 and not ip src host 138.52.69.45)

If you want to see what the generated BPF code is for a given filter, then use:

    dumpcap -d -f <capture-filter>

I think it will help you see the difference between your original capture filter and this one.

Yours:

$ wireshark-gtk2/dumpcap.exe -i 4 -d -f "host 138.56.169.25 and (not host 138.52.69.45) and (not udp port 123) and (not igmp)"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 20
(002) ld       [26]
(003) jeq      #0x8a38a919      jt 4    jf 6
(004) ld       [30]
(005) jeq      #0x8a34452d      jt 31   jf 10
(006) ld       [30]
(007) jeq      #0x8a38a919      jt 8    jf 31
(008) ld       [26]
(009) jeq      #0x8a34452d      jt 31   jf 10
(010) ldb      [23]
(011) jeq      #0x11            jt 12   jf 19
(012) ldh      [20]
(013) jset     #0x1fff          jt 30   jf 14
(014) ldxb     4*([14]&0xf)
(015) ldh      [x + 14]
(016) jeq      #0x7b            jt 31   jf 17
(017) ldh      [x + 16]
(018) jeq      #0x7b            jt 31   jf 30
(019) jeq      #0x2             jt 31   jf 30
(020) jeq      #0x806           jt 22   jf 21
(021) jeq      #0x8035          jt 22   jf 31
(022) ld       [28]
(023) jeq      #0x8a38a919      jt 24   jf 26
(024) ld       [38]
(025) jeq      #0x8a34452d      jt 31   jf 30
(026) ld       [38]
(027) jeq      #0x8a38a919      jt 28   jf 31
(028) ld       [28]
(029) jeq      #0x8a34452d      jt 31   jf 30
(030) ret      #65535
(031) ret      #0
Capturing on \Device\NPF_{76D7A2F9-A2AC-4961-A847-7460FF6210FC}

Mine:

$ wireshark-gtk2/dumpcap.exe -i 4 -d -f "(not udp port 123 and not igmp) and (ip src host 138.56.169.25 and not ip dst host 138.52.69.45) or (ip dst host 138.56.169.25 and not ip src host 138.52.69.45)"
(000) ldh      [12]
(001) jeq      #0x86dd          jt 22   jf 2
(002) jeq      #0x800           jt 3    jf 22
(003) ldb      [23]
(004) jeq      #0x11            jt 5    jf 12
(005) ldh      [20]
(006) jset     #0x1fff          jt 13   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x7b            jt 17   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x7b            jt 17   jf 13
(012) jeq      #0x2             jt 17   jf 13
(013) ld       [26]
(014) jeq      #0x8a38a919      jt 15   jf 17
(015) ld       [30]
(016) jeq      #0x8a34452d      jt 22   jf 21
(017) ld       [30]
(018) jeq      #0x8a38a919      jt 19   jf 22
(019) ld       [26]
(020) jeq      #0x8a34452d      jt 22   jf 21
(021) ret      #65535
(022) ret      #0
Capturing on \Device\NPF_{76D7A2F9-A2AC-4961-A847-7460FF6210FC}

- Chris

Ref: http://www.wireshark.org/docs/man-pages/dumpcap.html
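Reading a dumpcap -d listing by hand is error-prone, so here is an added Python example (not code from the post or from Wireshark) that interprets the classic-BPF listing directly and runs it over constructed Ethernet/IPv4 frames; it embeds Chris's "Mine" program from above and assumes zero MAC addresses and IP checksums, since neither filter reads them, and supports only the opcodes these two listings use.

```python
import re
import socket
import struct
# Added example, not code from the post: a small interpreter for the classic-BPF
# listing that `dumpcap -d` prints, covering just the opcodes the two filters use.
def parse_bpf(listing):  # "(000) ldh [12] (001) jeq #0x800 jt 2 jf 20 ..." -> [(op, args)]
    pat = r"\(\d{3}\)\s+(\w+)\s*(.*?)(?=\s*\(\d{3}\)|\s*$)"
    return [(op, args.strip()) for op, args in re.findall(pat, listing, re.S)]

def run_bpf(prog, pkt):  # returns the program's ret value: 0 = dropped, 65535 = captured
    a = x = pc = 0
    def load(off, size):  # a load past the end of the frame rejects the frame
        return int.from_bytes(pkt[off:off + size], "big") if off + size <= len(pkt) else None
    while True:
        op, args = prog[pc]
        if op == "ret":
            return int(args.lstrip("#"))
        if op in ("ld", "ldh", "ldb"):  # operand is "[26]" or "[x + 14]"
            off = int(re.search(r"(\d+)\]", args).group(1)) + (x if "x" in args else 0)
            a = load(off, {"ld": 4, "ldh": 2, "ldb": 1}[op])
        elif op == "ldxb":  # "4*([14]&0xf)": X = IPv4 header length in bytes
            v = load(int(re.search(r"\[(\d+)\]", args).group(1)), 1)
            x = None if v is None else 4 * (v & 0xF)
        elif op in ("jeq", "jset"):
            k, jt, jf = re.match(r"#(\S+) jt (\d+) jf (\d+)", args).groups()
            pc = int(jt) if (a == int(k, 0) if op == "jeq" else a & int(k, 0)) else int(jf)
            continue
        else:
            raise ValueError("opcode not handled: " + op)
        if a is None or x is None:
            return 0
        pc += 1

def frame(src, dst, proto=17, sport=0, dport=0):  # constructed Ethernet/IPv4(/UDP) frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))  # zero checksum: never read
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if proto == 17 else bytes(4)
    return bytes(12) + b"\x08\x00" + ip + l4  # zero MACs, then ethertype 0x0800

# Chris's "Mine" listing from the post, pasted as dumpcap -d printed it.
MINE = parse_bpf("""(000) ldh [12] (001) jeq #0x86dd jt 22 jf 2 (002) jeq #0x800 jt 3 jf 22
(003) ldb [23] (004) jeq #0x11 jt 5 jf 12 (005) ldh [20] (006) jset #0x1fff jt 13 jf 7
(007) ldxb 4*([14]&0xf) (008) ldh [x + 14] (009) jeq #0x7b jt 17 jf 10 (010) ldh [x + 16]
(011) jeq #0x7b jt 17 jf 13 (012) jeq #0x2 jt 17 jf 13 (013) ld [26]
(014) jeq #0x8a38a919 jt 15 jf 17 (015) ld [30] (016) jeq #0x8a34452d jt 22 jf 21 (017) ld [30]
(018) jeq #0x8a38a919 jt 19 jf 22 (019) ld [26] (020) jeq #0x8a34452d jt 22 jf 21
(021) ret #65535 (022) ret #0""")
if __name__ == "__main__":  # three constructed frames: DNS from the host, UDP to the excluded host, NTP reply to the host
    for s, d, sp, dp in [("138.56.169.25", "8.8.8.8", 5000, 53), ("138.56.169.25", "138.52.69.45", 1, 2), ("1.2.3.4", "138.56.169.25", 123, 123)]:
        print(s, "->", d, "captured" if run_bpf(MINE, frame(s, d, 17, sp, dp)) else "dropped")
```

Paste the "Yours" listing into parse_bpf the same way to run both programs over the same frames and compare their verdicts packet by packet.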