Solved

Wireshark capture filter to isolate network traffic

Posted on 2010-09-06
7
1,152 Views
Last Modified: 2012-05-10
Could anyone please advise me what the correct Wireshark capture filter would be to monitor traffic going to and from any given network? I am not sure what the filter string would be.

Thanks in advance.
0
Comment
Question by:Suncore
7 Comments
 
LVL 6

Assisted Solution

by:Inderjeetjaggi
Inderjeetjaggi earned 84 total points
ID: 33614112
Check if the white paper below helps you:
Capturing Network Traffic With Wireshark
http://www.goldstarsoftware.com/papers/CapturingNetworkTrafficWithWireshark.pdf
0
 
LVL 4

Assisted Solution

by:cdowdy
cdowdy earned 84 total points
ID: 33614124
Check out this link for the Ethanalyzer built into the Nexus 7000. It shows multiple examples for building filters and since it uses the same source, the filters are the same as in Wireshark. It also has a link to the Wireshark user's guide on page 5 of the PDF.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.pdf


0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 83 total points
ID: 33614131
IP:     ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
          ip.src == 10.43.54.65 or ip.dst == 10.43.54.65


Port:    tcp.port eq 25 or icmp

0
 
LVL 15

Accepted Solution

by:DonConsolio
DonConsolio earned 83 total points
ID: 33614132
capture filter:

all traffic from and to net 10.11.12.0/255.255.255.0: "net 10.11.12.0/24"
all traffic going to net 10.11.12.0/255.255.255.0: "dst net 10.11.12.0/24"
all traffic coming from net 10.11.12.0/255.255.255.0: "src net 10.11.12.0/24"
0
 
LVL 24

Assisted Solution

by:rfc1180
rfc1180 earned 83 total points
ID: 33614135
filter:
ip.addr==192.168.1.0/24
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 83 total points
ID: 33614196
Wireshark actually does not capture the traffic. The part that captures the traffic uses the same filter as tcpdump:

     http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

Most of the filters given here that have ip.src==, ip.dst==, or ip.addr== are Wireshark display filters, not capture filters.

A capture filter for a network would be something like:

    ip net 10.0.0.0 mask 255.255.255.0

or

    ip net 10.0.0.0/24

would both capture all ip traffic that is to or from any host with an IP address in the range of 10.0.0.0-10.0.0.255.

Please note that to use Wireshark to capture more than the traffic to/from your own computer, you need to be running the capture in a way that you see the traffic you want to capture, such as having a NIC on your computer connected to a mirror port.


0
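As an added illustration (not part of any answer above), a small Python evaluator for the subset of the capture-filter syntax used in this thread (`net`, `src net`, `dst net`, `host`, the `mask` form, `and`/`or`), run over constructed (src, dst) address pairs. It shows that `net X` keeps both directions, `src net`/`dst net` keep one direction, and that `src net X and dst net X` (the capture-filter counterpart of naykam's `ip.src== ... and ip.dst== ...` display filter) keeps only traffic internal to the network. Packet addresses are made up for the example.

```python
import ipaddress

# Constructed sample packets as (src, dst) pairs; not from a real capture.
PACKETS = [
    ("10.11.12.5", "8.8.8.8"),        # outbound from the monitored net
    ("8.8.8.8", "10.11.12.5"),        # inbound to the monitored net
    ("10.11.12.5", "10.11.12.9"),     # internal to the monitored net
    ("192.0.2.1", "198.51.100.7"),    # unrelated traffic
]

def _network(tokens):
    """Parse 'A/len' or 'A mask M' (both forms used in the answers above)."""
    if len(tokens) >= 3 and tokens[1] == "mask":
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False)
    return ipaddress.ip_network(tokens[0], strict=False)

def _primitive(text, src, dst):
    """Evaluate one primitive: [src|dst] [ip] net <net> or [src|dst] host <ip>."""
    tokens = text.split()
    direction = "either"
    if tokens[0] in ("src", "dst"):
        direction, tokens = tokens[0], tokens[1:]
    if tokens[0] == "ip":             # optional protocol qualifier, as in 'ip net ...'
        tokens = tokens[1:]
    kind, rest = tokens[0], tokens[1:]
    if kind == "net":
        net = _network(rest)
        test = lambda a: ipaddress.ip_address(a) in net
    elif kind == "host":
        test = lambda a: ipaddress.ip_address(a) == ipaddress.ip_address(rest[0])
    else:
        raise ValueError(f"unsupported primitive: {text}")
    if direction == "src":
        return test(src)
    if direction == "dst":
        return test(dst)
    return test(src) or test(dst)     # plain 'net'/'host' matches either end

def matches(expr, src, dst):
    """'and' binds tighter than 'or', as in the BPF filter language (no parentheses)."""
    return any(all(_primitive(p.strip(), src, dst) for p in clause.split(" and "))
               for clause in expr.split(" or "))

def select(expr):
    """Return the sample packets a given capture filter would keep."""
    return [pkt for pkt in PACKETS if matches(expr, *pkt)]

if __name__ == "__main__":
    for f in ("net 10.11.12.0/24", "src net 10.11.12.0/24",
              "src net 10.11.12.0/24 and dst net 10.11.12.0/24"):
        print(f"{f!r}: {select(f)}")
```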
 
LVL 2

Author Closing Comment

by:Suncore
ID: 33614776
Thanks all - much appreciated and just the answers I was looking for.
0
