Solved

Wireshark Filter I need this fast

Posted on 2006-11-20
1,698 Views
Last Modified: 2007-12-19
Trying to make a filter to watch traffic from or to a couple different hosts that are using either port 25 or port 110 traffic.


host 10.64.2.167 or host 10.64.1.28 and tcp port 25 or port 110

Using this one I seem to get the ports right, but the hosts include several other IPs.  This is probably an easy one for somebody.  I need to create this filter and implement it by the end of the day today (about 50 min from now).  So it's a 500 pointer.
Question by:chiefcrazythumb
6 Comments
 
LVL 3

Assisted Solution

by:mahe2000
mahe2000 earned 500 total points
ID: 17983246
try this my friend...
(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 17983556
Works well... how do I add that to my command line?

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:10800 -w 515am

 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 17985069
Try:
-f "host 10.64.1.28 and tcp port 25 or port 110"

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -Q                       quit Wireshark after capturing
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

User interface:
  -g <packet number>       go to specified packet number after "-r"
  -m <font>                set the font name used for most text
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

Output:
  -w <outfile|->           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference or recent setting
  --display=DISPLAY        X display to use
-rich
 
LVL 3

Expert Comment

by:mahe2000
ID: 17986701
try:

wireshark -f "(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)" .......
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 18202226
The work mahe2000 did was great for a filter using the Wireshark GUI.  I wanted to schedule Wireshark to run at a later time.  I ended up using the scheduler to schedule a batch file to run.  I put the following in my batch file:

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:60 -w 5am

It saved the data to a file called "5am".

I needed several of these.  Later I opened them and you can filter the data at that point.

I never was able to filter the data by command line in a batch file...  it uses a different format for that... I still don't know how to do this.  If somebody knows how to do this let me know please.
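Two points the thread leaves implicit, shown as an added example (Python, written for this page; it is not code from the thread, from Wireshark or from libpcap): why the original unparenthesised filter lets other hosts through, and how to hand a capture filter to the Wireshark executable from a batch file. The evaluator models only the host/port/tcp/udp subset of libpcap filter syntax with pcap's precedence ("and" binds tighter than "or", a keyword-less value reuses the previous qualifier, a bare leading value means host); the packets are constructed samples, not captured traffic. The executable path, interface name and the -f capture-filter option are taken from the thread and the help text above; everything else is an assumption of this example.

```python
# Added example, not from the thread: a small evaluator for the subset of libpcap
# capture-filter syntax used above, plus a builder for the quoted command line a
# batch file needs.  Only host/port/tcp/udp, "and", "or" and parentheses are modelled.
import re
import subprocess

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class Parser:
    """Recursive descent over the tokens.  A value with no keyword reuses the
    most recent qualifiers (pcap rule); a bare leading value means "host"."""

    def __init__(self, expr):
        self.toks, self.i, self.last = TOKEN_RE.findall(expr), 0, ("host", None)

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens")
        return node

    def parse_or(self):                       # lowest precedence
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):                      # binds tighter than "or"
        left = self.parse_primary()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_primary())
        return left

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        proto = None
        if tok in ("tcp", "udp"):             # protocol qualifier: "tcp port 25"
            proto, tok = tok, self.take()
        if tok in ("host", "port"):           # explicit type qualifier
            self.last = (tok, proto)
            tok = self.take()
        return self.last + (tok,)             # bare value: reuse last qualifiers


def matches(node, pkt):
    """pkt is (src_ip, dst_ip, proto, src_port, dst_port); all constructed."""
    src, dst, proto, sport, dport = pkt
    if node[0] == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if node[0] == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    kw, qproto, value = node
    if qproto is not None and qproto != proto:
        return False
    if kw == "host":
        return value in (src, dst)
    return int(value) in (sport, dport)       # plain "port" matches tcp and udp


# Constructed sample traffic: name -> packet tuple.
PACKETS = {
    "wanted_smtp": ("10.64.2.167", "10.64.9.10", "tcp", 4000, 25),
    "wanted_pop":  ("10.64.9.10", "10.64.1.28", "tcp", 4001, 110),
    "wanted_http": ("10.64.2.167", "10.64.9.10", "tcp", 4002, 80),   # wrong port
    "other_pop":   ("10.64.9.9", "10.64.9.10", "tcp", 4003, 110),    # wrong host
    "udp_pop":     ("10.64.1.28", "10.64.9.10", "udp", 4004, 110),   # udp, not tcp
}


def matched_packets(expr):
    # Names of the sample packets a capture filter would let through.
    tree = Parser(expr).parse()
    return sorted(name for name, pkt in PACKETS.items() if matches(tree, pkt))


def build_capture_filter(hosts, ports, proto="tcp"):
    """Parenthesise both groups so precedence cannot widen the match."""
    host_part = " or ".join("host %s" % h for h in hosts)
    port_part = " or ".join("%s port %d" % (proto, p) for p in ports)
    return "(%s) and (%s)" % (host_part, port_part)


def build_wireshark_cmdline(exe, iface, capture_filter, duration, outfile):
    """One argv entry per option (-f is the capture-filter option in the help text
    above); list2cmdline applies Windows quoting, so the filter stays one argument."""
    argv = [exe, "-i", iface, "-f", capture_filter, "-k",
            "-a", "duration:%d" % duration, "-w", outfile]
    return subprocess.list2cmdline(argv)


NAIVE = "host 10.64.2.167 or host 10.64.1.28 and tcp port 25 or port 110"
MAHE = "(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)"
STRICT = build_capture_filter(["10.64.2.167", "10.64.1.28"], [25, 110])
```

Calling matched_packets on NAIVE returns every sample packet, including the port-80 traffic of 10.64.2.167 and the port-110 traffic of an unrelated host, which is the symptom described in the question; MAHE returns only the two wanted packets plus the UDP one, because a plain "port 110" is not restricted to TCP; STRICT returns exactly the two wanted packets. The string returned by build_wireshark_cmdline(r"d:\sniffer\wireshark\wireshark", r"\Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759}", STRICT, 60, "5am") is the line to put in the batch file: it is the author's scheduled command with -f and a double-quoted filter inserted before -k.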
