• CaptureFilters

CaptureFilters

An overview of the capture filter syntax can be found in the User's Guide. A complete reference can be found in the expression section of the tcpdump manual page.

Wireshark uses the same syntax for capture filters as tcpdump, WinDump, Analyzer, and any other program that uses the libpcap/WinPcap library.

If you need a capture filter for a specific protocol, have a look for it at the ProtocolReference.

Examples

Capture only traffic to or from IP address 172.18.5.4:

• host 172.18.5.4 

Capture only DNS (port 53) traffic:

• port 53 

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

• host www.example.com and not (port 80 or port 25) 

  host www.example.com and not port 80 and not port 25 

Capture except all ARP and DNS traffic:

• port not 53 and not arp 

Capture traffic within a range of ports

• (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

• tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

• ether proto 0x888e 

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

• ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

• not broadcast and not multicast 

Useful Filters

Blaster and Welchia are RPC worms. (Does anyone have better links, i.e. ones that describe or show the actual payload?)

Blaster worm:

• dst port 135 and tcp port 135 and ip[2:2]==48 

Welchia worm:

• icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA 

  The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). It is the signature of the welchia worm just before it tries to compromise a system.

Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.

dst port 135 or dst port 445 or dst port 1433  and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24

Default Capture Filters

Wireshark tries to determine if it's running remotely (e.g. via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic. It does this by checking environment variables in the following order:

(addr_family will either be "ip" or "ip6")

Further Information

• Filtering while capturing from the Wireshark User's Guide The tcpdump man page includes a comprehensive capture filter reference The Mike Horn Tutorial gives a good introduction to capture filters

See Also

DisplayFilters: more info on filters while displaying, not while capturing

Discussion

BTW, the Symantec page says that Blaster probes 135/tcp, 4444/tcp, and 69/udp. Would

 (tcp dst port 135 or tcp dst port 4444 or udp dst port 69) and ip[2:2]==48 

• be a better filter? - Gerald Combs

Q: What is a good filter for just capturing SIP and RTP packets?

A: On most systems, for SIP traffic to the standard SIP port 5060,

tcp port sip

should capture TCP traffic to and from that port,

udp port sip

should capture UDP traffic to and from that port, and

port sip

should capture both TCP and UDP traffic to and from that port (if one of those filters gets "parse error", try using 5060 instead of sip). For SIP traffic to and from other ports, use that port number rather than sip.

For RTP packets, you would have to determine one of the port numbers that would be used, and specify that port number.

link[0] != 0x80

capture WLAN traffic without Beacons

src net 192.168

Capture all traffic originating (source) in the IP range 192.168.XXX.XXX

CategoryHowTo