Solved

Wireshark Filter I need this fast

Posted on 2006-11-20
6
1,686 Views
Last Modified: 2007-12-19
Trying to make a filter to watch traffic from or to a couple different hosts that are using either port 25 or port 110 traffic.


host 10.64.2.167 or host 10.64.1.28 and tcp port 25 or port 110

Using this one I seem to get the ports right but the hosts include several other IP's.  This is probably an easy one for somebody.  I need to create this filter and implement it by the end of the day today (about 50 min from now).  So it’s a 500 pointer.
0
Comment
Question by:chiefcrazythumb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
6 Comments
 
LVL 3

Assisted Solution

by:mahe2000
mahe2000 earned 250 total points
ID: 17983246
try this my friend...
(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 17983556
Works good... how do I add that to my command line?

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:10800 -w 515am

0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17985069
Try:
-F host 10.64.1.28 and tcp port 25 or port 110

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -Q                       quit Wireshark after capturing
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

User interface:
  -g <packet number>       go to specified packet number after "-r"
  -m <font>                set the font name used for most text
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

Output:
  -w <outfile|->           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference or recent setting
  --display=DISPLAY        X display to use
-rich
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 17986701
try:

wireshark  -f (10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110) .......
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 18202226
The work mahe2000 did was great for a filter using the wireshark GUI.  I wanted to schedule wireshark to run at a later time.  I ended up using the scheduler to schedule a batch file to run.  I put the following in my batch file

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:60 -w 5am

It saved the date to a file called "5am".

I needed several of these.  Later I opened them and you can filter the data at that point.

I never was able to filter the data by command line in a batch file...  it uses a different format for that... I still don't know how to do this.  If somebody knows how to do this let me know please.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
FSRREMOS 7 117
Check Spoof email 6 71
How do I restrict certain programs? 9 78
How can i protect my data from ransomware 12 111
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question