User Guide

Capturing Live Network Data
Example 4.2. Capturing all telnet traffic not from 10.0.0.5
tcp port 23 and not src host 10.0.0.5
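Example 4.2, together with the primitives described in the list that follows, rendered as Python predicates so the matching rules can be checked offline. This is an added illustration, not code from the Wireshark User Guide or from libpcap: a real capture filter is compiled to BPF and run against raw frame bytes, whereas here each primitive is a function over a small constructed packet record. The record layout, the sample traffic (hypothetical MACs and addresses in 10.0.0.0/8 and 192.0.2.0/24) and the helper names host, ether_host, gateway, net, port, less, greater, and_, not_ and select are all assumptions of the example; ip proto, broadcast/multicast and byte-offset comparisons are not modelled.

```python
# Added illustration (not libpcap or Wireshark code): the capture-filter
# primitives of this section as Python predicates over a constructed packet
# record, so their matching rules can be checked without a live capture.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    name: str               # label for the constructed sample only
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int]    # None when the transport has no ports
    dport: Optional[int]
    length: int             # frame length in bytes

def _either(direction, src_ok, dst_ok):
    """src|dst rule shared by host, net and port: with no qualifier the
    value may appear on either side."""
    if direction == "src":
        return src_ok
    if direction == "dst":
        return dst_ok
    return src_ok or dst_ok

def host(addr, direction=None):
    want = ip_address(addr)
    return lambda p: _either(direction, ip_address(p.ip_src) == want,
                             ip_address(p.ip_dst) == want)

def ether_host(mac, direction=None):
    want = mac.lower()
    return lambda p: _either(direction, p.eth_src.lower() == want,
                             p.eth_dst.lower() == want)

def gateway(mac, addr):
    """gateway host: frame is to or from the host's MAC, but the host's
    IP address is neither the IP source nor the IP destination."""
    return lambda p: ether_host(mac)(p) and not host(addr)(p)

def net(spec, mask=None, direction=None):
    """net <net> mask <mask>, net <net>/<len>, or a bare net <net> whose
    prefix length follows the octets written (net 10 -> 10.0.0.0/8)."""
    if mask is not None:
        network = ip_network(f"{spec}/{mask}", strict=False)
    elif "/" in spec:
        network = ip_network(spec, strict=False)
    else:
        octets = spec.split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        network = ip_network(f"{padded}/{8 * len(octets)}")
    return lambda p: _either(direction, ip_address(p.ip_src) in network,
                             ip_address(p.ip_dst) in network)

def port(num, direction=None, proto=None):
    """[tcp|udp] [src|dst] port: without tcp|udp both transports count;
    a packet with no port field (ICMP here) never matches."""
    protos = (proto,) if proto else ("tcp", "udp")
    return lambda p: (p.proto in protos and
                      _either(direction, p.sport == num, p.dport == num))

def less(n):        # inclusive (<=), as the text states
    return lambda p: p.length <= n

def greater(n):     # inclusive (>=), as the text states
    return lambda p: p.length >= n

def and_(*preds):
    return lambda p: all(f(p) for f in preds)

def not_(pred):
    return lambda p: not pred(p)

def select(pred, pkts):
    """Names of the sample packets the filter would capture."""
    return [p.name for p in pkts if pred(p)]

# Constructed sample traffic; MAC and IP addresses are hypothetical.
GW_MAC, GW_IP = "00:11:22:33:44:55", "10.0.0.1"
SAMPLE = [
    Pkt("telnet-from-5", "aa:bb:cc:00:00:05", GW_MAC, "10.0.0.5", "192.0.2.10", "tcp", 40000, 23, 74),
    Pkt("telnet-to-5", GW_MAC, "aa:bb:cc:00:00:05", "192.0.2.10", "10.0.0.5", "tcp", 23, 40000, 66),
    Pkt("telnet-from-7", "aa:bb:cc:00:00:07", GW_MAC, "10.0.0.7", "192.0.2.10", "tcp", 40001, 23, 74),
    Pkt("udp-23", "aa:bb:cc:00:00:07", GW_MAC, "10.0.0.7", "192.0.2.10", "udp", 5000, 23, 60),
    Pkt("ping-gw", "aa:bb:cc:00:00:07", GW_MAC, "10.0.0.7", GW_IP, "icmp", None, None, 98),
]

# Example 4.2: tcp port 23 and not src host 10.0.0.5
EXAMPLE_4_2 = and_(port(23, proto="tcp"), not_(host("10.0.0.5", "src")))

if __name__ == "__main__":
    print(select(EXAMPLE_4_2, SAMPLE))   # replies sent *to* 10.0.0.5 are kept
```

Note what Example 4.2 does not do: it still captures the telnet server's replies to 10.0.0.5, because only packets whose source is that host are excluded. To drop both directions of the conversation, use `not host 10.0.0.5`.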
A primitive is simply one of the following:
[src|dst] host <host>
    This primitive allows you to filter on a host IP address or name. You can
    optionally precede the primitive with the keyword src|dst to specify that
    you are only interested in source or destination addresses. If these are
    not present, packets where the specified address appears as either the
    source or the destination address will be selected. A host name is
    resolved once, when the filter is compiled, not for each packet.
ether [src|dst] host <ehost>
    This primitive allows you to filter on Ethernet host addresses. You can
    optionally include the keyword src|dst between the keywords ether and
    host to specify that you are only interested in source or destination
    addresses. If these are not present, packets where the specified address
    appears in either the source or destination address will be selected.
gateway host <host>
    This primitive allows you to filter on packets that used host as a
    gateway. That is, where the Ethernet source or destination was host but
    neither the source nor destination IP address was host.
[src|dst] net <net> [{mask <mask>}|{/<len>}]
    This primitive allows you to filter on network numbers. You can
    optionally precede it with the keyword src|dst to specify that you are
    only interested in a source or destination network. If neither of these
    is present, packets will be selected that have the specified network in
    either the source or destination address. The network can be qualified
    with a netmask (net 192.168.1.0 mask 255.255.255.0) or a CIDR prefix
    length (net 192.168.1.0/24). If neither is given, the mask follows the
    number of octets written: net 10 means 10.0.0.0/8, net 172.16 means
    172.16.0.0/16 and net 192.168.1 means 192.168.1.0/24.
[tcp|udp] [src|dst] port <port>
    This primitive allows you to filter on TCP and UDP port numbers. You can
    optionally precede this primitive with the keywords src|dst and tcp|udp,
    which allow you to specify that you are only interested in source or
    destination ports and TCP or UDP packets respectively. The keywords
    tcp|udp must appear before src|dst. If these are not specified, packets
    will be selected for both the TCP and UDP protocols, and when the
    specified port number appears in either the source or destination port
    field.
less|greater <length>
    This primitive allows you to filter on packets whose length was less than
    or equal to the specified length, or greater than or equal to the
    specified length, respectively.
ip|ether proto <protocol>
    This primitive allows you to filter on the specified protocol at either
    the Ethernet layer or the IP layer. The protocol may be given as a
    number, for example ip proto 6 for TCP. The names tcp, udp and icmp are
    also filter keywords, so when used as a protocol name here they must be
    escaped with a backslash (ip proto \tcp).
ether|ip broadcast|multicast
    This primitive allows you to filter on either Ethernet or IP broadcasts
    or multicasts. Note that ip broadcast looks up the netmask of the
    capture interface to recognise the subnet's directed broadcast address,
    so it does not work correctly on an interface that has no netmask
    assigned, such as the Linux "any" pseudo-interface.
<expr> relop <expr>
    This primitive allows you to create complex filter expressions that
    select bytes or ranges of bytes in packets. Please see the tcpdump