Solved

Wireshark capture filter to isolate network traffic

Posted on 2010-09-06
7
1,149 Views
Last Modified: 2012-05-10
Could anyone please advise me what the correct Wireshark capture filter would be to monitor traffic going to and from any given network ?  I am not sure what the filter string would be.

Thanks in advance.
0
Comment
Question by:Suncore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 6

Assisted Solution

by:Inderjeetjaggi
Inderjeetjaggi earned 84 total points
ID: 33614112
Check if below white paper help you:
Capturing Network Traffic With Wireshark
http://www.goldstarsoftware.com/papers/CapturingNetworkTrafficWithWireshark.pdf
0
 
LVL 4

Assisted Solution

by:cdowdy
cdowdy earned 84 total points
ID: 33614124
Check out this link for the ethanalyzer built into the nexus 7000. It shows multiple examples for building filters and since it uses the same source, the  filters are the same as in wireshark. It also has a link to the wireshark users guide on page 5 of the pdf.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.pdf


0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 83 total points
ID: 33614131
IP:     ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
          ip.src == 10.43.54.65 or ip.dst == 10.43.54.65


Port:    tcp.port eq 25 or icmp

0
Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

 
LVL 15

Accepted Solution

by:
DonConsolio earned 83 total points
ID: 33614132
capture filter:

all traffic from and to net 10.11.12.0/255.255.255.0: "net 10.11.12.0/24"
all traffic going to net 10.11.12.0/255.255.255.0: "dst net 10.11.12.0/24"
all traffic coming from net 10.11.12.0/255.255.255.0: "src net 10.11.12.0/24"
0
 
LVL 24

Assisted Solution

by:rfc1180
rfc1180 earned 83 total points
ID: 33614135
filter:
ip.addr==192.168.1.0/24
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 83 total points
ID: 33614196
Wireshark actually does not capture the traffic.  The part that captures the traffic uses the same filter at tcpdump:

     http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

most of the filters given here that have ip.src==, ip.dst==, or ip.addr== are all Wireshark display filters, not capture filters.

A caputer filter for a network would be something like:

    ip net 10.0.0.0 mask 255.255.255.0

or

    ip net 10.0.0.0/24

would both capture all ip traffic that is to or from any host with an IP address in the range of 10.0.0.0-10.0.0.255.

Please note to use wireshark to capture traffic for more than traffic to/from your computer you need to be running the capture in a way that you see the traffic you want to capture.  Such as having a NIC on your computer connected to a mirror port.


0
 
LVL 2

Author Closing Comment

by:Suncore
ID: 33614776
Thanks all - much appriciated and just the answers I was looking for.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question