6

I am trying to setup a Filter (so my log files aren't massive) that will capture only incoming traffic. I have looked on http://wiki.wireshark.org/CaptureFilters but so far have been unable to find a way to do this. Does anyone know how?

Just as a side question, when logging to multiple files in Wireshark, can you view full packet information at a later time?

Aidan Knight

5 Answers

7

You would want to only capture traffic that is destined for your host's IP:

dst host <your IP>

Sorry, I read that as a display filter. The above has been corrected for CAPTURE filter syntax.

HostBits
  • This would be perfect except our machines have large blocks of IPs assigned to them, and the traffic could be targeted at any of these. – Aidan Knight Jan 09 '12 at 18:25
5

Your request to capture only incoming traffic leads to some ambiguity. The word incoming may have at least two different meanings in networking.

The first meaning, packets received by a particular interface/device, is relatively simple. The answer Jeff provides is what you want. You basically just need to filter for packets which have an IP or MAC address that matches your network interface.

There is another common usage of incoming in networking as it relates to stateful firewalls. This usually means all traffic initiated by a remote system. If this is what you actually want, all connections initiated by a remote system and all packets related to those connections, then I believe you are out of luck. The last time I looked PCAP had no stateful matching ability at all. So if that is what you are looking for, then I believe you are pretty much out of luck.

Zoredache
  • There may be a way, at least for TCP connections: Find packets with SYN flag, without ACK flag, with the local machine's IP address as destination. Save those and then follow the TCP stream for each of them. – Pedro Perez Feb 17 '15 at 11:16
4

tcpdump filters are the capture filters, and they can be passed through tshark or tcpdump as well to avoid running a GUI just for capture if you're reviewing later.

[tcpdump] ether dst $YOUR_MAC_ADDRESS should cover most of what you want.

[tcpdump] ether src not $YOUR_MAC_ADDRESS would be broader. You may see some DHCP stuff from your machine in there as well, but it ought not be very major.

Yes, you can save packets and inspect them in the future just as in live mode.

Jeff Ferland
  • This may be the right answer if he is defining incoming as 'received', and not like how you would define it on a stateful firewall. – Zoredache Jan 09 '12 at 17:54
  • This sounds like it will be perfect. A lot of our machines are getting hit with a DDoS thanks to a program released that takes advantage of an exploit in some game servers (turns them into ddos zombies). Thanks! – Aidan Knight Jan 09 '12 at 18:13
  • Actually one other question. I have tried both of these in the Capture Filter (GUI Application) and could get neither to work. I get an "unknown ether host" error when I use "ether dst 2F178581-F429-4AD8-AC39-CD8785651EDB" – Aidan Knight Jan 09 '12 at 18:23
  • That isn't an ethernet mac address – Zoredache Jan 09 '12 at 18:33
  • @BrettPowell On Windows, use the "physical address" field from `ipconfig /all` – Jeff Ferland Jan 09 '12 at 19:05
  • You can also get your MAC address within Wireshark via Capture→Interfaces→Details→802.3. (Or you could just run a capture with no filter and look for packets that are obviously to or from your machine...) – Gerald Combs Jan 09 '12 at 22:58
  • Filtering on MAC address will only produce correct results as long as nodes on the network are well-behaved. It is possible for hosts to send packets with arbitrarily chosen source and destination MAC addresses. So another host could send a packet to you that your filter would see as outgoing rather than incoming. I wonder if there is a filter criterion which would actually look at which direction the packet was actually sent through the network interface. Sounds like it shouldn't be hard to do, but I don't know of a Wireshark feature to do it. – kasperd Jul 28 '15 at 11:19
1

You can use a capture filter with a network address instead of your machine's single IP such as "dst net 10.0.0.0/21". This would capture any packets being sent to 10.0.0.1 through 10.0.7.254.

Alternatively, you can use tshark to post-filter a capture file using -r ORIGINAL_FILE -w NEW_FILE -Y "display filters". In the display filters you would use "ip.dst==10.0.0.0/21" to get the same data set as with the capture filter above.

pierce.jason
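The following script is an added example, not code from the question or from any of the answers above. It builds a small constructed pcap file and applies, as post-capture classification, the criteria the answers discuss: Jeff Ferland's "ether dst" and "ether src not" MAC filters, pierce.jason's "dst net 10.0.0.0/21", and Pedro Perez's SYN-without-ACK pass that approximates the "initiated by a remote system" meaning Zoredache describes and that a BPF capture filter cannot express. Packet 5 reproduces kasperd's caveat: a frame addressed to the local host but carrying a forged source MAC equal to the host's own, which the "ether src not" filter would discard as outgoing. The local and remote MAC/IP addresses, the /21 block, and the ports are assumptions constructed for the example.

```python
import ipaddress
import struct

# Constructed identity for the local interface (assumption, not from the page).
LOCAL_MAC = "aa:bb:cc:00:00:01"
LOCAL_IP = "10.0.0.5"
LOCAL_NET = ipaddress.ip_network("10.0.0.0/21")   # the block pierce.jason used
REMOTE_MAC, REMOTE_IP = "aa:bb:cc:00:00:02", "203.0.113.9"
SYN, ACK = 0x02, 0x10

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def make_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because only headers matter here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet) + 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

def parse_pcap(data):
    """Return the Ethernet/IPv4/TCP header fields of each packet (other protocols are skipped)."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        f = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue
        t = 14 + (f[14] & 0x0F) * 4               # start of the TCP header
        sport, dport = struct.unpack_from("!HH", f, t)
        pkts.append({"dst_mac": f[0:6].hex(":"), "src_mac": f[6:12].hex(":"),
                     "src_ip": str(ipaddress.ip_address(f[26:30])),
                     "dst_ip": str(ipaddress.ip_address(f[30:34])),
                     "sport": sport, "dport": dport, "flags": f[t + 13]})
    return pkts

# The three stateless criteria from the answers, applied per packet.
def received_by_mac(p):      # "ether dst $YOUR_MAC_ADDRESS"
    return p["dst_mac"] == LOCAL_MAC

def not_sent_by_mac(p):      # "ether src not $YOUR_MAC_ADDRESS"
    return p["src_mac"] != LOCAL_MAC

def received_by_net(p):      # "dst net 10.0.0.0/21"
    return ipaddress.ip_address(p["dst_ip"]) in LOCAL_NET

def remote_initiated(pkts):
    """Pedro Perez's two-pass idea: remember TCP flows whose opening SYN (no ACK)
    was addressed to our network, then keep every packet of those flows in both
    directions. This needs state across packets, which a BPF capture filter lacks."""
    flows = {(p["src_ip"], p["sport"], p["dst_ip"], p["dport"]) for p in pkts
             if p["flags"] & SYN and not p["flags"] & ACK and received_by_net(p)}
    keep = []
    for i, p in enumerate(pkts, 1):
        fwd = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
        rev = (p["dst_ip"], p["dport"], p["src_ip"], p["sport"])
        if fwd in flows or rev in flows:
            keep.append(i)
    return keep

# Constructed sample capture (packet numbers are 1-based, as in Wireshark).
SAMPLE_PCAP = make_pcap([
    make_tcp_frame(REMOTE_MAC, LOCAL_MAC, REMOTE_IP, LOCAL_IP, 40000, 27015, SYN),        # 1: remote host opens a connection to us
    make_tcp_frame(LOCAL_MAC, REMOTE_MAC, LOCAL_IP, REMOTE_IP, 27015, 40000, SYN | ACK),  # 2: our SYN/ACK back to it
    make_tcp_frame(LOCAL_MAC, REMOTE_MAC, LOCAL_IP, REMOTE_IP, 50000, 80, SYN),           # 3: we open a connection outward
    make_tcp_frame(REMOTE_MAC, LOCAL_MAC, REMOTE_IP, LOCAL_IP, 80, 50000, SYN | ACK),     # 4: the remote side's SYN/ACK
    make_tcp_frame(LOCAL_MAC, LOCAL_MAC, REMOTE_IP, LOCAL_IP, 40001, 27015, SYN),         # 5: sent to us with a forged source MAC (kasperd's caveat)
])

def classify(data=SAMPLE_PCAP):
    """Packet numbers each criterion would keep."""
    pkts = parse_pcap(data)
    return {
        "ether_dst": [i for i, p in enumerate(pkts, 1) if received_by_mac(p)],
        "ether_src_not": [i for i, p in enumerate(pkts, 1) if not_sent_by_mac(p)],
        "dst_net": [i for i, p in enumerate(pkts, 1) if received_by_net(p)],
        "remote_initiated": remote_initiated(pkts),
    }

if __name__ == "__main__":
    for name, kept in classify().items():
        print(f"{name:17s} keeps packets {kept}")
```

Run it offline as-is: "ether dst" and "dst net" keep packets 1, 4 and 5, "ether src not" keeps only 1 and 4 (the forged frame is lost), and the stateful pass keeps 1, 2 and 5, including our own SYN/ACK in packet 2 because it belongs to a remotely opened connection. The parser only understands classic pcap (not pcapng) with Ethernet link type and IPv4/TCP, so a real file written by tcpdump -w can be fed to classify() as long as it meets those limits.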
-1

Please stop this madness. It's very impractical to list the local host's MAC/IP address every time you need this feature (not to mention the cases where these details can change while running the dump), and the pcap library has this facility already. You just have to use 'inbound' in the filter, and you'll only see the received packets on the interface, simple as that.