User Guide

    present, packets where the specified address appears in either the source or destination
    address will be selected.

gateway host <host>
    This primitive allows you to filter on packets that used host as a gateway. That is, where
    the Ethernet source or destination was host but neither the source nor destination IP
    address was host.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
    This primitive allows you to filter on network numbers. You can optionally precede this
    primitive with the keyword src|dst to specify that you are only interested in a source or
    destination network. If neither of these is present, packets will be selected that have the
    specified network in either the source or destination address. In addition, you can specify
    either the netmask or the CIDR prefix length for the network if they are different from
    your own.

[tcp|udp] [src|dst] port <port>
    This primitive allows you to filter on TCP and UDP port numbers. You can optionally
    precede this primitive with the keywords src|dst and tcp|udp, which allow you to specify
    that you are only interested in source or destination ports and TCP or UDP packets
    respectively. The keywords tcp|udp must appear before src|dst.
    If these are not specified, packets will be selected for both the TCP and UDP protocols
    and when the specified port number appears in either the source or destination port field.

less|greater <length>
    This primitive allows you to filter on packets whose length was less than or equal to the
    specified length, or greater than or equal to the specified length, respectively.

ip|ether proto <protocol>
    This primitive allows you to filter on the specified protocol at either the Ethernet layer
    or the IP layer.

ether|ip broadcast|multicast
    This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.

<expr> relop <expr>
    This primitive allows you to create complex filter expressions that select bytes or ranges
    of bytes in packets. Please see the tcpdump man page at
    http://www.tcpdump.org/tcpdump_man.html for more details.
4.9.1. Automatic Remote Traffic Filtering
If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ...),
the remote content has to be transported over the network, adding a lot of (usually unimportant)
packets to the actually interesting traffic.

To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific
environment variables) and automatically creates a capture filter that matches aspects of the
connection.
The following environment variables are analyzed:

SSH_CONNECTION (ssh)         <remote IP> <remote port> <local IP> <local port>
SSH_CLIENT (ssh)             <remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?)   <remote name>
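The following is an added example, not Wireshark's own code, of how a capture filter can be derived from the three environment variables above using only the primitives described in this chapter (host, tcp port, and, not). The guide does not show the exact expression Wireshark generates, so the expression built here, the function name remote_session_filter and the token validation are assumptions. The validation matters in practice: environment variables are attacker-influenceable input on a shared host, and a value containing extra filter keywords must not be allowed to rewrite the filter that is supposed to exclude only the session's own traffic.

```python
import os
import re
from typing import Mapping, Optional

# Only characters that can appear in a host name, IPv4 or IPv6 literal are accepted.
# Anything else (spaces, parentheses, keywords) is treated as malformed and the
# variable is ignored, so the generated filter can never gain extra primitives.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9.:\-]+$")


def _host_ok(value: str) -> bool:
    return bool(_SAFE_TOKEN.match(value))


def _port_ok(value: str) -> bool:
    return value.isdigit() and 0 < int(value) < 65536


def remote_session_filter(env: Mapping[str, str]) -> Optional[str]:
    """Return a capture filter excluding the remote session's own packets.

    Variables are checked in the order the guide lists them. None is returned
    when no usable variable is present, i.e. no automatic filter is applied.
    The expression shape is an assumption for this example, not Wireshark's.
    """
    conn = env.get("SSH_CONNECTION", "")
    parts = conn.split()
    if len(parts) == 4:
        remote_ip, remote_port, local_ip, local_port = parts
        if (_host_ok(remote_ip) and _host_ok(local_ip)
                and _port_ok(remote_port) and _port_ok(local_port)):
            # Both endpoints are known: match the exact TCP conversation.
            return (f"not (host {remote_ip} and tcp port {remote_port} "
                    f"and host {local_ip} and tcp port {local_port})")

    client = env.get("SSH_CLIENT", "")
    parts = client.split()
    if len(parts) == 3:
        remote_ip, remote_port, local_port = parts
        if _host_ok(remote_ip) and _port_ok(remote_port) and _port_ok(local_port):
            # No local IP in SSH_CLIENT, so match on the remote host and both ports;
            # "tcp port X and tcp port Y" matches packets using X and Y in either direction.
            return (f"not (host {remote_ip} and tcp port {remote_port} "
                    f"and tcp port {local_port})")

    remote = env.get("REMOTEHOST", "")
    if remote and _host_ok(remote):
        # Only a name is available: exclude all traffic to or from that host.
        return f"not host {remote}"

    return None


if __name__ == "__main__":
    # Constructed sample environment (documentation addresses), not a real session.
    sample = {"SSH_CONNECTION": "203.0.113.5 50422 198.51.100.7 22"}
    print("sample :", remote_session_filter(sample))
    print("current:", remote_session_filter(os.environ))
```

Running the block prints the filter for the constructed sample and then the one derived from the current shell, which is None when the script is run on a local console without any of the three variables set.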