Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1163
  • Last Modified:

Wireshark capture filter to isolate network traffic

Could anyone please advise me what the correct Wireshark capture filter would be to monitor traffic going to and from any given network ?  I am not sure what the filter string would be.

Thanks in advance.
0
Suncore
Asked:
Suncore
6 Solutions
 
InderjeetjaggiCommented:
Check if below white paper help you:
Capturing Network Traffic With Wireshark
http://www.goldstarsoftware.com/papers/CapturingNetworkTrafficWithWireshark.pdf
0
 
cdowdyCommented:
Check out this link for the ethanalyzer built into the nexus 7000. It shows multiple examples for building filters and since it uses the same source, the  filters are the same as in wireshark. It also has a link to the wireshark users guide on page 5 of the pdf.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.pdf


0
 
naykamCommented:
IP:     ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
          ip.src == 10.43.54.65 or ip.dst == 10.43.54.65


Port:    tcp.port eq 25 or icmp

0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
DonConsolioCommented:
capture filter:

all traffic from and to net 10.11.12.0/255.255.255.0: "net 10.11.12.0/24"
all traffic going to net 10.11.12.0/255.255.255.0: "dst net 10.11.12.0/24"
all traffic coming from net 10.11.12.0/255.255.255.0: "src net 10.11.12.0/24"
0
 
rfc1180Commented:
filter:
ip.addr==192.168.1.0/24
0
 
giltjrCommented:
Wireshark actually does not capture the traffic.  The part that captures the traffic uses the same filter at tcpdump:

     http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

most of the filters given here that have ip.src==, ip.dst==, or ip.addr== are all Wireshark display filters, not capture filters.

A caputer filter for a network would be something like:

    ip net 10.0.0.0 mask 255.255.255.0

or

    ip net 10.0.0.0/24

would both capture all ip traffic that is to or from any host with an IP address in the range of 10.0.0.0-10.0.0.255.

Please note to use wireshark to capture traffic for more than traffic to/from your computer you need to be running the capture in a way that you see the traffic you want to capture.  Such as having a NIC on your computer connected to a mirror port.


0
 
SuncoreAuthor Commented:
Thanks all - much appriciated and just the answers I was looking for.
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now