carbie
 asked on

setting up capture filter in wireshark

I need to set up a capture filter in Wireshark with multiple source IP addresses. I need to set it up for 9 IPs. I tried the AND and && operators, but it doesn't work. Can someone please help? I need to set this up ASAP to troubleshoot a problem.

Thanks a bunch.
Tags: Network Management, Networking Protocols, Windows Networking

Last Comment: carbie, 8/22/2022 - Mon
SOLUTION
DigitalTechy

DigitalTechy

Had a chance to check it in the latest version:  ip.host == "192.168.1.1" or ip.host == "192.168.1.2"

That should work, g'luck!
ChiefIT

You should be able to put a comma between IP addresses:

How to filter:
http://www.youtube.com/watch?v=__SR6JO6l-A
DigitalTechy

ip.src eq 192.168.1.2 or ip.src eq 192.168.1.3 or ...

== can be used instead of eq

you can use ip.src rather than ip.host if you are looking for just the source ip.

I don't know of a format where Wireshark accepts commas as ChiefIT stated, but if there's a way, that would be an easier shorthand. The video just shows you how to filter but doesn't use multiple IPs via a comma.
ChiefIT

Yah, I am not too certain how to apply the filter to multiple IPs either. I would think there is the option to comma-delimit or space-delimit multiple IPs. You can play with the filter until it turns green with multiple IPs.

Try Colons, Commas, Spaces, Pipes |, or semicolons for delimited multiple IP addresses on that filter line.

It's a good explicit video for filtering for ports and IP addresses though.
ASKER CERTIFIED SOLUTION
hypercube

hypercube

I have never seen the use of a comma "," in place of AND or &&.
But, in this case it appears you want OR or ||
carbie

ASKER
Capture filter syntax is not the same as display filter syntax. Display filters also have this green "go" option, which is good for seeing right away whether your syntax is correct.

So far, for a capture filter with multiple IPs, the only syntax I can use is host xxx1 or host xxx2 or host xx3. I am not sure OR will work the same as AND. My understanding is that if it matches host xxxx1 and at the same time host xxxx2 also connects, since there's an OR, it will capture only one. Is that correct, or with OR, should it capture all IPs?
The strange thing is that ip.addr==xxx1 or ip.addr==xxx2 works with a display filter but not with a capture filter.

Any thoughts....
DigitalTechy

Are you sure you tried: host 192.168.1.2 or 192.168.1.3 or 192.168.1.4? I know it works, just as in the first post. I just tried it. I have version 1.6.1.
hypercube

It looks like you need to understand AND and OR.
AND means they ALL have to appear together in the same packet.
OR means that any ONE needs to appear in a packet.

Using AND only seems very useful when you want to grab packets between two points, e.g. endpoints.
If you want to grab packets between two sets of endpoints, then use:

(address1 AND address2) OR (address3 AND address4)
using proper notation of course, I just paraphrase here.
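The two points raised above, that capture filters (pcap/BPF syntax) and display filters are different languages, and that AND requires every listed address in the same packet while OR accepts any one of them, can be shown without a live capture. The following is an added example, not code from the thread or from Wireshark: it builds the two filter strings from a list of addresses and evaluates the AND / OR / paired-AND-inside-OR semantics against a few constructed (src, dst) packets. The function and variable names and the sample addresses are the example's own.

```python
# Added example (not code from the thread): build a capture filter for a
# list of hosts, and check AND vs OR semantics against constructed packets.
import ipaddress
from typing import Callable, Iterable, List, Sequence, Tuple

# A packet reduced to the two addresses a "host" filter looks at.
Packet = Tuple[str, str]  # (src, dst)

# pcap-filter qualifiers: "host" matches either end, "src host"/"dst host" one end.
QUALIFIERS = {"host": "host", "src": "src host", "dst": "dst host"}


def capture_filter_hosts(ips: Iterable[str], direction: str = "host") -> str:
    """Return a capture (pcap-filter/BPF) expression matching any of ips.

    direction: "host" (either end), "src" (source only) or "dst" (destination).
    Each address is validated with ipaddress so a typo fails here rather
    than as an obscure parse error when the capture starts.
    """
    qual = QUALIFIERS[direction]
    addrs = [str(ipaddress.ip_address(ip)) for ip in ips]
    if not addrs:
        raise ValueError("need at least one address")
    return " or ".join(f"{qual} {a}" for a in addrs)


def display_filter_hosts(ips: Iterable[str], field: str = "ip.addr") -> str:
    """Return the equivalent Wireshark display filter (a different syntax)."""
    addrs = [str(ipaddress.ip_address(ip)) for ip in ips]
    if not addrs:
        raise ValueError("need at least one address")
    return " or ".join(f"{field} == {a}" for a in addrs)


# --- what AND / OR mean for a single packet --------------------------------

def host_in(pkt: Packet, ip: str) -> bool:
    """'host ip': true when ip is the source or the destination."""
    return ip in pkt


def any_host(pkt: Packet, ips: Sequence[str]) -> bool:
    """'host a or host b or ...': any one address in this packet."""
    return any(host_in(pkt, ip) for ip in ips)


def all_hosts(pkt: Packet, ips: Sequence[str]) -> bool:
    """'host a and host b and ...': every address in this same packet."""
    return all(host_in(pkt, ip) for ip in ips)


def conversation_pairs(pkt: Packet, pairs: Sequence[Tuple[str, str]]) -> bool:
    """'(host a and host b) or (host c and host d)': any listed conversation."""
    return any(all_hosts(pkt, pair) for pair in pairs)


def count_matching(packets: Iterable[Packet], pred: Callable[[Packet], bool]) -> int:
    """Number of packets the filter would let through."""
    return sum(1 for p in packets if pred(p))


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.1", "10.0.0.2"),
    ("10.0.0.1", "10.0.0.3"),
    ("10.0.0.4", "10.0.0.5"),
    ("10.0.0.2", "10.0.0.3"),
]

if __name__ == "__main__":
    watched = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    print("capture filter :", capture_filter_hosts(watched))
    print("source only    :", capture_filter_hosts(watched, "src"))
    print("display filter :", display_filter_hosts(watched))
    print("OR  matches", count_matching(SAMPLE_PACKETS, lambda p: any_host(p, watched)))
    print("AND matches", count_matching(SAMPLE_PACKETS, lambda p: all_hosts(p, watched)))
    pairs = [("10.0.0.1", "10.0.0.2"), ("10.0.0.4", "10.0.0.5")]
    print("pair matches", count_matching(SAMPLE_PACKETS, lambda p: conversation_pairs(p, pairs)))
```

With three watched hosts, the OR filter passes every packet that involves any of them, while the AND filter passes nothing, because a packet carries only two addresses. pcap-filter also accepts the shorthand `host 192.168.1.2 or 192.168.1.3`, repeating the previous qualifier, which is the form DigitalTechy reports working.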
SOLUTION
carbie

ASKER
Rick O Shay and DigitalTechy,

If you read my comments carefully, I said "or" did work. When I said I wondered whether "or" and "and" would work the same way, I didn't understand the difference between the "and" and "or" operators with the capture functionality.

Fmarshall explained it very well, and that's why "and" cannot be used more than once for two IPs or hosts, because the communication is always between two hosts or devices. Although it may be used for IP, protocol and any other matching word, I haven't tested it. Anyway, the problem is resolved for now, so I will distribute the points.

Thanks for your help guys...
carbie

ASKER
I had to do my own search quite a bit.