setting up capture filter in wireshark

carbie asked:
I need to set up a capture filter in Wireshark with multiple source IP addresses. I need to set it up for 9 IPs. I tried the AND and && operators but they don't work. Can someone please help? I need to set this up ASAP to troubleshoot a problem.

Thanks a bunch.
host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4

Or even shorter:

host 192.168.1.2 or 192.168.1.3 or 192.168.1.4

If you want to capture a whole subnet, but one IP, you can use:

net 192.168.1.0/24 and not host 192.168.1.5

Hope this helps!
Had a chance to check it in the latest version:  ip.host == "192.168.1.1" or ip.host == "192.168.1.2"

That should work, g'luck!

Commented:
You should be able to put a comma between IP addresses:

How to filter:
http://www.youtube.com/watch?v=__SR6JO6l-A

ip.src eq 192.168.1.2 or ip.src eq 192.168.1.3 or ...

== can be used instead of eq

you can use ip.src rather than ip.host if you are looking for just the source ip.

I don't know of a format where Wireshark accepts commas, as ChiefIT stated, but if there is a way, that would be an easier shorthand. The video just shows you how to filter but doesn't use multiple IPs via a comma.

Commented:
Yah, I am not too certain how to apply the filter to multiple IPs either. I would think there is the option to comma-delimit or space-delimit multiple IPs. You can play with the filter until it turns green with multiple IPs.

Try Colons, Commas, Spaces, Pipes |, or semicolons for delimited multiple IP addresses on that filter line.

It's a good explicit video for filtering for ports and IP addresses though.
http://wiki.wireshark.org/CaptureFilters  may help.
and http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html

Of course, you know that capture filters and display filters use *different* notation, eh?  So, you have to stick with the capture filter notation.

and on: http://openmaniak.com/wireshark_filters.php

"The capture filter syntax is the same as the one used by programs using the libpcap (Linux) or WinPcap (Windows) library, like the famous tcpdump. The capture filter must be set before launching the Wireshark capture."

And I found a set of PCAP language rules at:

http://yuba.stanford.edu/~casado/pcap/section3.html

This looks like what one might need.

I have never seen the use of a comma "," in place of AND or &&.
But, in this case it appears you want OR or ||

Author

Commented:
Capture filter syntax is not the same as display filter syntax. Display filters also have this green go option, which is good for seeing right away whether your syntax is correct.

So far, for a capture filter with multiple IPs, the only syntax I can use is host xxx1 or host xxx2 or host xx3. I am not sure OR will work the same as AND. My understanding is that if it matches host xxxx1 and at the same time host xxxx2 also connects, since there's an OR, it will capture only one. Is that correct, or with OR, should it capture all IPs?
Strange thing is that ip.addr==xxx1 or ip.addr==xxx2 works with the display filter but not with the capture filter.

Any thoughts....
Are you sure you tried: host 192.168.1.2 or 192.168.1.3 or 192.168.1.4? I know it works, just as in the first post. I just tried it. I have version 1.6.1.
It looks like you need to understand AND and OR.
AND means they ALL have to appear together in the same packet.
OR means that any ONE needs to appear in a packet.

Using AND only seems very useful when you want to grab packets between two points / e.g. endpoints.
If you want to grab packets between two sets of endpoints then use:

(address1 AND address2) OR (address3 AND address4)
using proper notation of course, I just paraphrase here.
Using the syntax:

host 192.168.6.2 or 192.168.6.1

in the capture filter works just fine and in the latest Wireshark rev it shows green if the syntax is correct or red if incorrect like the display filter always has.
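The thread's two points, that capture filters use pcap/BPF syntax while display filters use Wireshark's own field syntax, and that "and" between several hosts can never match a single packet, can be checked with the following Python helper. It is an added example, not code from any poster; the function names are mine, and the nine source IPs and the (src, dst) packet pairs are constructed sample data.

```python
import ipaddress


def _checked(ips):
    """Reject anything that is not a valid IPv4/IPv6 literal before it lands in a filter."""
    return [str(ipaddress.ip_address(ip)) for ip in ips]


def build_capture_filter(ips, direction=None):
    """pcap/BPF capture filter (what Wireshark's capture filter box and tcpdump accept).
    direction None -> 'host', 'src' -> 'src host', 'dst' -> 'dst host'."""
    term = f"{direction} host" if direction in ("src", "dst") else "host"
    return " or ".join(f"{term} {ip}" for ip in _checked(ips))


def build_display_filter(ips, field="ip.addr"):
    """Wireshark display filter: a different language, 'field == value' joined with ||.
    For IPv6 addresses the field would be ipv6.addr / ipv6.src instead."""
    return " || ".join(f"{field} == {ip}" for ip in _checked(ips))


def matches_or(ips, pkt):
    """'host A or host B ...': the packet (src, dst) touches at least one listed host."""
    return any(ip in pkt for ip in ips)


def matches_and(ips, pkt):
    """'host A and host B ...': every listed host must be in this single packet,
    which can only hold for at most two addresses (its src and its dst)."""
    return all(ip in pkt for ip in ips)


def matches_pairs(pairs, pkt):
    """'(A and B) or (C and D)': traffic between either pair of endpoints."""
    return any(matches_and(pair, pkt) for pair in pairs)


if __name__ == "__main__":
    # Constructed sample: the asker's nine source IPs and three (src, dst) packets.
    sources = [f"192.168.1.{n}" for n in range(2, 11)]
    print(build_capture_filter(sources, "src"))
    print(build_display_filter(sources, "ip.src"))
    packets = [("192.168.1.2", "10.0.0.9"), ("192.168.1.7", "10.0.0.9"), ("10.0.0.9", "10.0.0.1")]
    for pkt in packets:
        # 'or' matches the first two packets; 'and' over nine hosts matches nothing
        print(pkt, "or:", matches_or(sources, pkt), "and:", matches_and(sources, pkt))
    pairs = [("192.168.1.2", "10.0.0.9"), ("192.168.1.7", "10.0.0.9")]
    print([matches_pairs(pairs, p) for p in packets])
```

The first printed string is what goes in the capture filter box (or after tcpdump on the command line); the second only works in the display filter box.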

Author

Commented:
Rick O Shay and DigitalTechy,

If you read my comments carefully, I said "or" did work. When I said I wondered whether "or" and "and" would work the same way, I didn't understand the difference between the and and or operators with capture functionality.

Fmarshall explained it very well, and that's why "and" cannot be used more than once for two IPs or hosts, because the communication is always between two hosts or devices. Although it may be used for IP, protocol and any other matching word, I haven't tested it. Anyway, the problem is resolved for now, so I will distribute the points.

Thanks for your help guys...

Author

Commented:
I had to do my own search quite a bit.
