Solved

Wireshark capture filter to isolate network traffic

Posted on 2010-09-06
7
1,135 Views
Last Modified: 2012-05-10
Could anyone please advise me what the correct Wireshark capture filter would be to monitor traffic going to and from any given network ?  I am not sure what the filter string would be.

Thanks in advance.
0
Comment
Question by:Suncore
7 Comments
 
LVL 6

Assisted Solution

by:Inderjeetjaggi
Inderjeetjaggi earned 84 total points
ID: 33614112
Check if below white paper help you:
Capturing Network Traffic With Wireshark
http://www.goldstarsoftware.com/papers/CapturingNetworkTrafficWithWireshark.pdf
0
 
LVL 4

Assisted Solution

by:cdowdy
cdowdy earned 84 total points
ID: 33614124
Check out this link for the ethanalyzer built into the nexus 7000. It shows multiple examples for building filters and since it uses the same source, the  filters are the same as in wireshark. It also has a link to the wireshark users guide on page 5 of the pdf.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.pdf


0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 83 total points
ID: 33614131
IP:     ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
          ip.src == 10.43.54.65 or ip.dst == 10.43.54.65


Port:    tcp.port eq 25 or icmp

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 14

Accepted Solution

by:
DonConsolio earned 83 total points
ID: 33614132
capture filter:

all traffic from and to net 10.11.12.0/255.255.255.0: "net 10.11.12.0/24"
all traffic going to net 10.11.12.0/255.255.255.0: "dst net 10.11.12.0/24"
all traffic coming from net 10.11.12.0/255.255.255.0: "src net 10.11.12.0/24"
0
 
LVL 24

Assisted Solution

by:rfc1180
rfc1180 earned 83 total points
ID: 33614135
filter:
ip.addr==192.168.1.0/24
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 83 total points
ID: 33614196
Wireshark actually does not capture the traffic.  The part that captures the traffic uses the same filter at tcpdump:

     http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

most of the filters given here that have ip.src==, ip.dst==, or ip.addr== are all Wireshark display filters, not capture filters.

A caputer filter for a network would be something like:

    ip net 10.0.0.0 mask 255.255.255.0

or

    ip net 10.0.0.0/24

would both capture all ip traffic that is to or from any host with an IP address in the range of 10.0.0.0-10.0.0.255.

Please note to use wireshark to capture traffic for more than traffic to/from your computer you need to be running the capture in a way that you see the traffic you want to capture.  Such as having a NIC on your computer connected to a mirror port.


0
 
LVL 2

Author Closing Comment

by:Suncore
ID: 33614776
Thanks all - much appriciated and just the answers I was looking for.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
Is your computer hacked? learn how to detect and delete malware in your PC
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now