CaptureFilters

An overview of the capture filter syntax can be found in the User's Guide. A complete reference can be found in the expression section of the tcpdump manual page.

Wireshark uses the same syntax for capture filters as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library.

If you need a capture filter for a specific protocol, have a look for it at the ProtocolReference.

Examples

Capture only traffic to or from IP address 172.18.5.4:

Capture traffic to or from a range of IP addresses:

or

Capture traffic from a range of IP addresses:

or

Capture traffic to a range of IP addresses:

or

Capture only DNS (port 53) traffic:

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

Capture except all ARP and DNS traffic:

Capture traffic within a range of ports

or, with newer versions of libpcap (0.9.1 and later):

Capture only Ethernet type EAPOL:

Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.

Useful Filters

Blaster and Welchia are RPC worms. (Does anyone have better links, i.e. ones that describe or show the actual payload?)

Blaster worm:

Welchia worm:

Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.

dst port 135 or dst port 445 or dst port 1433  and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24

Default Capture Filters

Wireshark tries to determine if it's running remotely (e.g. via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic. It does this by checking environment variables in the following order:

Environment Variable

Resultant Filter

SSH_CONNECTION

not (tcp port srcport and addr_family host srchost and tcp port dstport and addr_family host dsthost)

SSH_CLIENT

not (tcp port srcport and addr_family host srchost and tcp port dstport)

REMOTEHOST

not addr_family host host

DISPLAY

not addr_family host host

CLIENTNAME

not tcp port 3389

(addr_family will either be "ip" or "ip6")

Further Information

See Also

DisplayFilters: more info on filters while displaying, not while capturing

The String-Matching Capture Filter Generator

Discussion

BTW, the Symantec page says that Blaster probes 135/tcp, 4444/tcp, and 69/udp. Would

Q: What is a good filter for just capturing SIP and RTP packets?

A: On most systems, for SIP traffic to the standard SIP port 5060,

should capture TCP traffic to and from that port,

should capture UDP traffic to and from that port, and

should capture both TCP and UDP traffic to and from that port (if one of those filters gets "parse error", try using 5060 instead of sip). For SIP traffic to and from other ports, use that port number rather than sip.

In most cases RTP port numbers are dynamically assigned. You can use something like the following which limits the capture to UDP, even source and destination ports, a valid RTP version, and small packets. It will capture any non-RTP traffic that happens to match the filter (such as DNS) but it will capture all RTP packets in many environments.

Capture WLAN traffic without Beacons:

Capture all traffic originating (source) in the IP range 192.168.XXX.XXX:

Capture PPPoE traffic:

Capture VLAN traffic:


CaptureFilters (last edited 2013-07-09 22:44:02 by MikeHorn)