Solved

Wireshark Filter I need this fast

Posted on 2006-11-20
6
1,673 Views
Last Modified: 2007-12-19
Trying to make a filter to watch traffic from or to a couple different hosts that are using either port 25 or port 110 traffic.


host 10.64.2.167 or host 10.64.1.28 and tcp port 25 or port 110

Using this one I seem to get the ports right but the hosts include several other IPs.  This is probably an easy one for somebody.  I need to create this filter and implement it by the end of the day today (about 50 min from now).  So it’s a 500 pointer.
0
Question by:chiefcrazythumb
6 Comments
 
LVL 3

Assisted Solution

by:mahe2000
mahe2000 earned 250 total points
ID: 17983246
try this my friend...
(10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110)
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 17983556
Works good... how do I add that to my command line?

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:10800 -w 515am

0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 17985069
Try:
-F host 10.64.1.28 and tcp port 25 or port 110

Usage: wireshark [options] ... [ <infile> ]

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -k                       start capturing immediately (def: do nothing)
  -Q                       quit Wireshark after capturing
  -S                       update packet display when new packets are captured
  -l                       turn on automatic scrolling while -S is in use
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

User interface:
  -g <packet number>       go to specified packet number after "-r"
  -m <font>                set the font name used for most text
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -X <key>:<value>         eXtension options, see man page for details
  -z <statistics>          show various statistics, see man page for details

Output:
  -w <outfile|->           set the output filename (or '-' for stdout)

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference or recent setting
  --display=DISPLAY        X display to use
-rich
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 17986701
try:

wireshark -f (10.64.2.167 or host 10.64.1.28) and (tcp port 25 or port 110) .......
0
 
LVL 2

Author Comment

by:chiefcrazythumb
ID: 18202226
The work mahe2000 did was great for a filter using the wireshark GUI.  I wanted to schedule wireshark to run at a later time.  I ended up using the scheduler to schedule a batch file to run.  I put the following in my batch file:

d:\sniffer\wireshark\wireshark -i \Device\NPF_{A4FAF1A6-32A5-4012-AC8A-45E320E7E759} -k -a duration:60 -w 5am

It saved the data to a file called "5am".

I needed several of these.  Later I opened them and you can filter the data at that point.

I never was able to filter the data by command line in a batch file...  it uses a different format for that... I still don't know how to do this.  If somebody knows how to do this let me know please.
0
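Added example, not from any poster in this thread: it builds the grouped capture filter mahe2000 gave, models how libpcap parses the asker's ungrouped filter (which is why other hosts' port-110 traffic showed up), and produces the batch-file command line with the filter quoted as one -f argument. It assumes wireshark.exe splits its command line with the MS C runtime rules that Python's subprocess.list2cmdline reproduces; the packets are constructed, not captured.

```python
"""Added example (not from any poster): build the grouped capture filter from
this thread, show how libpcap parses the ungrouped one, and emit a single quoted
-f argument for a Windows batch file. Assumption: wireshark.exe splits its
command line with the MS C runtime rules that subprocess.list2cmdline reproduces."""
import subprocess

HOSTS = ("10.64.2.167", "10.64.1.28")   # the two mail hosts from the question
PORTS = (25, 110)                        # SMTP and POP3

def build_capture_filter(hosts, ports):
    """Parenthesize both groups so neither 'or' leaks outside its group."""
    host_expr = " or ".join(f"host {h}" for h in hosts)
    port_expr = " or ".join(f"tcp port {p}" for p in ports)
    return f"({host_expr}) and ({port_expr})"

def build_command(exe, iface, capture_filter, seconds, outfile):
    """One line for a .bat file; the filter must stay ONE argv element."""
    argv = [exe, "-i", iface, "-k", "-a", f"duration:{seconds}",
            "-f", capture_filter, "-w", outfile]
    return subprocess.list2cmdline(argv)

# Tiny model of two BPF primitives over a constructed TCP packet dict.
def host(pkt, ip):      # 'host ip' matches either endpoint
    return ip in (pkt["src"], pkt["dst"])

def port(pkt, p):       # 'port p' matches either endpoint
    return p in (pkt["sport"], pkt["dport"])

def original_filter(pkt):
    # "host A or host B and tcp port 25 or port 110": libpcap gives 'and' and
    # 'or' equal precedence, left to right, so this parses as
    # ((host A or host B) and tcp port 25) or port 110 -> any port-110 packet passes
    a, b = HOSTS
    return ((host(pkt, a) or host(pkt, b)) and port(pkt, 25)) or port(pkt, 110)

def grouped_filter(pkt):
    # "(host A or host B) and (tcp port 25 or port 110)", as mahe2000 wrote it
    a, b = HOSTS
    return (host(pkt, a) or host(pkt, b)) and (port(pkt, 25) or port(pkt, 110))

SAMPLE = [  # constructed packets, not captured data
    {"src": "10.64.2.167", "dst": "10.64.9.9", "sport": 40001, "dport": 25},
    {"src": "10.64.3.5",   "dst": "10.64.9.9", "sport": 40002, "dport": 110},
    {"src": "10.64.1.28",  "dst": "10.64.9.9", "sport": 40003, "dport": 80},
]

def stray_matches(filter_fn, packets):
    """Packets that pass although neither endpoint is a watched host."""
    return [p for p in packets if filter_fn(p) and not any(host(p, h) for h in HOSTS)]
```

build_command(...) returns the single line to paste into the .bat file; stray_matches shows that only the ungrouped filter lets the 10.64.3.5 packet through.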
