Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Wireshark Filter I need this fast

Posted on 2006-11-20
6
1,677 Views
Last Modified: 2007-12-19
Trying to make a filter to watch traffic from or to a couple different hosts that are using either port 25 or port 110 traffic.


host 10.64.2.167 or host 10.64.1.28 and tcp port 25 or port 110

Using this one I seem to get the ports right but the hosts include several other IP's.  This is probably an easy one for somebody.  I need to create this filter and implement it by the end of the day today (about 50 min from now).  So it’s a 500 pointer.
0
Comment
Question by:chiefcrazythumb
  • 2
  • 2
6 Comments
 
LVL 3

Assisted Solution

by:mahe2000
mahe2000 earned 250 total points
ID: 17983246
try this my friend...
(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 17983556
Works good... how do I add that to my command line?

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:10800 -w 515am

0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17985069
Try:
-F host 10.64.1.28 and tcp port 25 or port 110

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -Q                       quit Wireshark after capturing
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

User interface:
  -g <packet number>       go to specified packet number after "-r"
  -m <font>                set the font name used for most text
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

Output:
  -w <outfile|->           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference or recent setting
  --display=DISPLAY        X display to use
-rich
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 17986701
try:

wireshark  -f (10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110) .......
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 18202226
The work mahe2000 did was great for a filter using the wireshark GUI.  I wanted to schedule wireshark to run at a later time.  I ended up using the scheduler to schedule a batch file to run.  I put the following in my batch file

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:60 -w 5am

It saved the date to a file called "5am".

I needed several of these.  Later I opened them and you can filter the data at that point.

I never was able to filter the data by command line in a batch file...  it uses a different format for that... I still don't know how to do this.  If somebody knows how to do this let me know please.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question