• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1705
  • Last Modified:

Wireshark Filter I need this fast

Trying to make a filter to watch traffic from or to a couple different hosts that are using either port 25 or port 110 traffic.

host or host and tcp port 25 or port 110

Using this one I seem to get the ports right but the hosts include several other IP's.  This is probably an easy one for somebody.  I need to create this filter and implement it by the end of the day today (about 50 min from now).  So it’s a 500 pointer.
  • 2
  • 2
2 Solutions
try this my friend...
( or host and (tcp port 25 or port 110)
chiefcrazythumbAuthor Commented:
Works good... how do I add that to my command line?

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:10800 -w 515am

Rich RumbleSecurity SamuraiCommented:
-F host and tcp port 25 or port 110

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -Q                       quit Wireshark after capturing
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

User interface:
  -g <packet number>       go to specified packet number after "-r"
  -m <font>                set the font name used for most text
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

  -w <outfile|->           set the output filename (or '-' for stdout)

  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference or recent setting
  --display=DISPLAY        X display to use

wireshark  -f ( or host and (tcp port 25 or port 110) .......
chiefcrazythumbAuthor Commented:
The work mahe2000 did was great for a filter using the wireshark GUI.  I wanted to schedule wireshark to run at a later time.  I ended up using the scheduler to schedule a batch file to run.  I put the following in my batch file

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:60 -w 5am

It saved the date to a file called "5am".

I needed several of these.  Later I opened them and you can filter the data at that point.

I never was able to filter the data by command line in a batch file...  it uses a different format for that... I still don't know how to do this.  If somebody knows how to do this let me know please.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now