
I'm looking for the syntax to do a capture filter on Wireshark, by capturing the traffic on several (specific) IP addresses. I understand how to capture a range, and an individual IP address. However, the application I am capturing on is spread over a 'bucket' of IP addresses/servers, of which other applications are based within the same range. See my example:

  • ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. - This is what I want to capture on (filtered on these exact IPs). I have tried 'host 192.168.1.2 host 192.168.1.3' etc.
  • There are other applications within this range, e.g. PayRoll App is on 192.168.1.5, and I don't want to see any of this in my capture. Therefore 'net 192.168.1.0/24' to capture the whole range will not work for me.

Can anyone provide me the syntax? Is it even possible?

Derek

1 Answer

I just tested

host 10.25.100.133 or host 10.25.100.1

as a capture filter in a Wireshark session and it did what you ask (selected all traffic to or from either of those addresses). You can continue to add host a.b.c.d requirements, if you need to.

MadHatter
  • Forgive me for noting this, but I see you're new to the site, and this is your first question. If you're happy with this answer, you should accept it by clicking the "tick" outline you see next to it. This not only improves my reputation but makes sure that you develop a reputation as someone who accepts answers to all the questions he asks - which is just as important. – MadHatter Jun 13 '11 at 15:22
  • ..and I see you have done - thanks, and good luck on SF! – MadHatter Jun 13 '11 at 15:23
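
The `host A or host B` pattern from the answer, extended to any number of addresses, as an added example that is not part of the original question or answer. The helper names `is_ipv4` and `build_host_filter` and the interface name `eth0` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a capture filter that matches only the listed hosts.
# is_ipv4 and build_host_filter are hypothetical helper names.

# Succeed only for a strict dotted quad: four octets, 0-255, no leading zeros.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots; safe, only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "host A or host B or ..." for the given addresses.
# Fails on an empty list or on anything that is not a plain IPv4 address, so
# a stray entry such as "192.168.1.5 or port 22" cannot widen the filter.
build_host_filter() {
    filter=""
    for addr in "$@"; do
        if ! is_ipv4 "$addr"; then
            echo "rejecting invalid address: $addr" >&2
            return 1
        fi
        filter="${filter:+$filter or }host $addr"
    done
    [ -n "$filter" ] || return 1
    printf '%s\n' "$filter"
}

# The e-commerce servers from the question; 192.168.1.5 (payroll) is left out.
build_host_filter 192.168.1.2 192.168.1.3 192.168.1.4

# Use the result as the capture filter ("eth0" is a placeholder interface):
#   tshark -i eth0 -f "$(build_host_filter 192.168.1.2 192.168.1.3 192.168.1.4)"
```

The printed string can also be pasted into the capture filter field in the Wireshark capture options dialog.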