Wireshark capture filter to isolate network traffic

Posted on 2010-09-06
Last Modified: 2012-05-10
Could anyone please advise me what the correct Wireshark capture filter would be to monitor traffic going to and from any given network? I am not sure what the filter string would be.

Thanks in advance.
Question by:Suncore

Assisted Solution

by:Inderjeetjaggi
ID: 33614112
Check if the white paper below helps you:
Capturing Network Traffic With Wireshark
http://www.goldstarsoftware.com/papers/CapturingNetworkTrafficWithWireshark.pdf

Assisted Solution

by:cdowdy
ID: 33614124
Check out this link for the ethanalyzer built into the Nexus 7000. It shows multiple examples for building filters and, since it uses the same source, the filters are the same as in Wireshark. It also has a link to the Wireshark user's guide on page 5 of the PDF.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.pdf


Assisted Solution

by:naykam
ID: 33614131
IP:    ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
       ip.src == 10.43.54.65 or ip.dst == 10.43.54.65

Port:  tcp.port eq 25 or icmp


Accepted Solution

by:DonConsolio
ID: 33614132
capture filter:

all traffic from and to net 10.11.12.0/255.255.255.0: "net 10.11.12.0/24"
all traffic going to net 10.11.12.0/255.255.255.0: "dst net 10.11.12.0/24"
all traffic coming from net 10.11.12.0/255.255.255.0: "src net 10.11.12.0/24"

Assisted Solution

by:rfc1180
ID: 33614135
filter:
ip.addr==192.168.1.0/24

Assisted Solution

by:giltjr
ID: 33614196
Wireshark actually does not capture the traffic. The part that captures the traffic uses the same filter syntax as tcpdump:

     http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

Most of the filters given here that have ip.src==, ip.dst==, or ip.addr== are Wireshark display filters, not capture filters.

A capture filter for a network would be something like:

    ip net 10.0.0.0 mask 255.255.255.0

or

    ip net 10.0.0.0/24

would both capture all IP traffic that is to or from any host with an IP address in the range 10.0.0.0-10.0.0.255.

Please note that to use Wireshark to capture more than the traffic to/from your own computer, you need to be running the capture in a way that lets you see the traffic you want to capture, such as having a NIC on your computer connected to a mirror port.

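To make the capture-filter versus display-filter distinction above concrete, here is an added example (not code from the thread, Wireshark or libpcap): a toy Python evaluator for the libpcap "net" forms quoted in the answers, run over constructed (src, dst) pairs to show which direction each qualifier matches. Real captures compile these expressions with libpcap; this only models the matching rules.

```python
"""Toy evaluator for the libpcap "net" primitives discussed in this thread.
Added example, not code from the thread or from Wireshark/tcpdump; the
packets below are constructed for illustration."""
import ipaddress
import re

# Accepted shape: [ip] [src|dst] net <addr>[/prefix] [mask <netmask>]
_NET_RE = re.compile(
    r"^(?:ip\s+)?(?:(src|dst)\s+)?net\s+(\S+)(?:\s+mask\s+(\S+))?$")

def parse_net_filter(expr):
    """Return (direction, network); ValueError if expr is not a net filter."""
    m = _NET_RE.match(expr.strip())
    if not m:
        raise ValueError("not a libpcap net filter: %r" % expr)
    direction, net, mask = m.groups()
    if mask:                            # "net 10.0.0.0 mask 255.255.255.0"
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
    elif "/" in net:                    # "net 10.0.0.0/24" or "/255.255.255.0"
        network = ipaddress.ip_network(net, strict=False)
    else:                               # bare "net 10.0.0.0": libpcap derives
        raise ValueError("mask required: %r" % expr)  # the mask; not modelled
    return direction or "any", network

def is_net_capture_filter(expr):
    """False for display-filter syntax such as ip.addr==192.168.1.0/24."""
    try:
        parse_net_filter(expr)
        return True
    except ValueError:
        return False

def matches(expr, src, dst):
    """True if a packet src->dst would pass the capture filter expr."""
    direction, network = parse_net_filter(expr)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "src":
        return s in network
    if direction == "dst":
        return d in network
    return s in network or d in network     # plain "net": either direction

def filter_packets(expr, packets):
    """Apply expr to (src, dst) pairs and return those that pass."""
    return [p for p in packets if matches(expr, *p)]

PACKETS = [  # constructed (src, dst) pairs: leaving, entering, internal, unrelated
    ("10.11.12.5", "8.8.8.8"), ("8.8.8.8", "10.11.12.5"),
    ("10.11.12.5", "10.11.12.9"), ("172.16.0.1", "8.8.8.8")]
```

The mask form and the CIDR form select the same packets, and the display-filter string is rejected because it is not capture-filter syntax.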

Author Closing Comment

by:Suncore
ID: 33614776
Thanks all - much appreciated and just the answers I was looking for.

Question has a verified solution.