Wireshark Filtering

Greetings,

I need help creating a filter to display only the non-local traffic that is communicating to a host. Basically I have a host on 192.168.70.100/24 and captured all the traffic coming to and from it. Now I want to filter that traffic to only show me the traffic that is not local to the 192.168.70.100/24 network.

Specifically I would like to see what the host at 192.168.70.100/24 is talking to that is not on the LAN. I don't care so much about the general non-LAN traffic that is inbound, but rather I want to know what the host is establishing or trying to establish communication with outside of the LAN.
Robert Advancedidea asked:
Dan Craciun (IT Consultant) commented:
Can you filter on the router MAC address? Local packets will go to the local MACs, the rest will have to pass through the router and will have the router's MAC as destination.
pjwallis commented:
Hi,

You could have a look at the following for info on filters, the last bit would be worth reading as it shows a common trap in using filters. http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

and maybe this, which is a tutorial at http://openmaniak.com/wireshark_filters.php

I remember once using an Excel spreadsheet to wade through a very large number of captured packets, identifying one then deleting all matching ones till I had the ones I really wanted.

Let me know how it goes.

pjwallis
Dan Craciun (IT Consultant) commented:
To continue on my idea: search for a packet that goes outside the LAN, expand the "Ethernet II" part, right click on the "destination" field (your router's physical address) and select "Apply as filter->Selected". The resulting filter should be something like:
eth.dst == aa:bb:cc:dd:ee:ff

Fred Marshall (Principal) commented:
So, as I understand it:
- You want outgoing traffic from 192.168.70.100 that is not on the same subnet (192.168.0/24)
And you want to see this using a Display filter.

I tried:
ip.dst!=192.168.13.0/24
it seems to work for this application.
Dan Craciun (IT Consultant) commented:
Tried fmarshall's filter on a quick capture and seems to yield the same results as my idea, with the benefit that his solution is quicker to implement :)

One quick point: according to the manual the != filter should be written as
!(ip.dst==192.168.70.0/24)

Robert Advancedidea (Author) commented:
Thank you! The !(ip.dst==192.168.70.0/24) seems to do the trick, but it left me with a bunch of broadcast traffic as well as the actual traffic I wanted to see. So I used the following "(!(ip.dst==192.168.70.0/24) and !(eth.dst==ff:ff:ff:ff:ff:ff))" and this left me with just the traffic I wanted to see -- you guys are GREAT!

Now, how can I save a new pcap file with just the filtered results? When I use Save As, I get the entire capture again.

Best!
Dan Craciun (IT Consultant) commented:
File->Export Specified Packets...
Robert Advancedidea (Author) commented:
Dan Craciun,

I don't have that option. I have:

File > Export > File (this option exports to text and CSV etc.)
and
File > Export > Selected Packet Bytes (this is greyed out)
and
File > Export > Object > HTTP and DICOM

Thanks for your help.
Dan Craciun (IT Consultant) commented:
What version of Wireshark are you using?

This is the "File" menu from the latest version.
[screenshot: Wireshark File menu]
Robert Advancedidea (Author) commented:
I am using Version 1.4.6 (SVN Rev 36706 from /trunk-1.4).

I'll see if there is a newer version to replace mine, because I do not have these options.

Thank you for the screen cap
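For a Wireshark build like the 1.4.6 one above that has no "Export Specified Packets" entry, the same result (the thread's final display filter applied to a capture, with only the matching frames written to a new pcap) can be produced outside the GUI. The script below is an added example, not code from the thread or from the Wireshark project; it uses only the standard library, and the three sample frames are constructed for the demonstration.

```python
import struct
import ipaddress

LAN = ipaddress.ip_network("192.168.70.0/24")   # the asker's local subnet
BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"

def build_frame(dst_mac_hex, src_ip, dst_ip):
    """Minimal Ethernet II + IPv4 header. Constructed sample data, not real traffic."""
    eth = bytes.fromhex(dst_mac_hex) + bytes.fromhex("0011223344aa") + b"\x08\x00"
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return eth + ip4

# Constructed capture: one packet leaving the LAN, one LAN peer, one broadcast.
SAMPLE_FRAMES = [
    build_frame("aabbccddeeff", "192.168.70.100", "93.184.216.34"),   # via router: keep
    build_frame("001122334455", "192.168.70.100", "192.168.70.5"),    # LAN peer: drop
    build_frame("ffffffffffff", "192.168.70.100", "192.168.70.255"),  # broadcast: drop
]

def keep_packet(frame):
    """Same decision as the thread's final display filter:
    (!(ip.dst==192.168.70.0/24) and !(eth.dst==ff:ff:ff:ff:ff:ff)).
    One difference: frames with no IPv4 header (ARP etc.) are dropped here,
    while in Wireshark !(ip.dst==...) still shows them, because a comparison
    on a missing field is false and its negation is therefore true."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    if frame[:6] == BROADCAST_MAC:
        return False
    return ipaddress.ip_address(frame[30:34]) not in LAN   # IPv4 dst at offset 30

def pcap_bytes(frames):
    """Serialise frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, fr in enumerate(frames):   # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)
    return b"".join(out)

def frames_from_pcap(data):
    """Parse a classic libpcap file back into a list of frames."""
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, pos)
        frames.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return frames

def export_filtered(src_path, dst_path):
    """Read src_path, keep only frames passing keep_packet, write dst_path."""
    with open(src_path, "rb") as f:
        kept = [fr for fr in frames_from_pcap(f.read()) if keep_packet(fr)]
    with open(dst_path, "wb") as f:
        f.write(pcap_bytes(kept))
    return len(kept)
```

With a current Wireshark, File > Export Specified Packets with "Displayed" selected does the same from the GUI, and tshark -r in.pcap -Y '<display filter>' -w out.pcap does it from the command line.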
Robert Advancedidea (Author) commented:
Thank you Experts -- saved me a lot of trial and error!