Filter all packets that do not use a specific port


I use Wireshark to watch a captured pcap file. I see a lot of communication on a specific port that I am not interested in, so I want to filter it out to see only the rest of the communication.

I used this filter rule: tcp.dstport != 1337 and tcp.srcport != 1337 to remove all TCP communication on port 1337. But as it seems, this rule also removes all non-TCP traffic. For example, DNS requests are not shown anymore. If I change the filter to (tcp.dstport != 1337 and tcp.srcport != 1337) or !tcp it shows all traffic except port 1337/tcp, but it does not seem to be the "correct" way to do it. Is using tcp.dstport or tcp.srcport equal to filtering only TCP traffic and then filtering the port?

reox

Posted 2015-01-21T12:25:42.103


Answers


Your filter should be:

!(tcp.port == 1337)

Explanation

There are 2 kinds of filters in Wireshark:

  1. Capture filter: used when capturing traffic (duh?) and built with the Berkeley Packet Filter (BPF) syntax (check manpage of pcap-filter). libpcap is the underlying library doing the actual capture.

  2. Display filter: used to reduce the amount of traffic you see and built with a proprietary syntax (some of it overlapping with the BPF one).

Your display filter tcp.dstport != 1337 should be read as "the packet contains a field named tcp.port with a value different from 1337". As a result, packets without a tcp.port field will be filtered out.

maiki

Posted 2015-01-21T12:25:42.103

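As an added illustration that is not part of the original question or answer, the Python below models Wireshark's field-comparison rules and runs the filters discussed above over five constructed packets (two TCP packets on port 1337, one TCP packet on port 443, one DNS query over UDP, one ICMP echo). The packet dicts, values and helper names are invented for this example; each dict only carries the Wireshark field names the filters touch, and tcp.port is treated as the usual shorthand for "tcp.srcport or tcp.dstport". The model also covers the change in Wireshark 3.6, where a != b was redefined to mean the same as !(a == b); the behaviour the answer describes (a missing field makes the comparison false) is the pre-3.6 rule.

```python
# Added example, not code from the original question or answer.
# A small model of how Wireshark evaluates display-filter comparisons,
# applied to constructed packets. Field names follow Wireshark's display
# filter names; the packets and addresses are made up.

PACKETS = [  # constructed sample capture
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "tcp.srcport": 50000, "tcp.dstport": 1337},
    {"no": 2, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5",
     "tcp.srcport": 1337, "tcp.dstport": 50000},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "tcp.srcport": 50001, "tcp.dstport": 443},
    {"no": 4, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1",
     "udp.srcport": 40000, "udp.dstport": 53, "dns.qry.name": "example.com"},
    {"no": 5, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "icmp.type": 8},
]


def field_values(pkt, name):
    """All values a packet has for a field; an absent field yields none.
    tcp.port is modelled as the pair tcp.srcport / tcp.dstport."""
    if name == "tcp.port":
        return [pkt[k] for k in ("tcp.srcport", "tcp.dstport") if k in pkt]
    return [pkt[name]] if name in pkt else []


def eq(pkt, name, value):
    """'name == value': true if any instance of the field equals value."""
    return any(v == value for v in field_values(pkt, name))


def ne_legacy(pkt, name, value):
    """'name != value' before Wireshark 3.6: true if any instance of the
    field differs from value. With no instances the comparison is false,
    which is why packets without tcp.* fields vanish from the view."""
    return any(v != value for v in field_values(pkt, name))


def ne_modern(pkt, name, value):
    """'name != value' from Wireshark 3.6 on: identical to '!(name == value)',
    so packets that lack the field are kept."""
    return not eq(pkt, name, value)


def has_protocol(pkt, proto):
    """Bare 'tcp' in a filter: true if the packet carries any tcp.* field."""
    return any(k.startswith(proto + ".") for k in pkt)


def question_filter(pkt):
    # tcp.dstport != 1337 and tcp.srcport != 1337   (pre-3.6 semantics)
    return ne_legacy(pkt, "tcp.dstport", 1337) and ne_legacy(pkt, "tcp.srcport", 1337)


def workaround_filter(pkt):
    # (tcp.dstport != 1337 and tcp.srcport != 1337) or !tcp
    return question_filter(pkt) or not has_protocol(pkt, "tcp")


def naive_port_filter(pkt):
    # tcp.port != 1337 under pre-3.6 semantics: a packet on port 1337 still
    # matches because its *other* port differs, so nothing useful is removed
    return ne_legacy(pkt, "tcp.port", 1337)


def answer_filter(pkt):
    # !(tcp.port == 1337): works on every Wireshark version
    return not eq(pkt, "tcp.port", 1337)


def modern_port_filter(pkt):
    # tcp.port != 1337 from Wireshark 3.6 on, equivalent to answer_filter
    return ne_modern(pkt, "tcp.port", 1337)


def matching(filt):
    """Packet numbers that a display filter would leave visible."""
    return [p["no"] for p in PACKETS if filt(p)]


if __name__ == "__main__":
    for name, filt in [("tcp.dstport != 1337 and tcp.srcport != 1337", question_filter),
                       ("(...) or !tcp", workaround_filter),
                       ("tcp.port != 1337 (pre-3.6)", naive_port_filter),
                       ("!(tcp.port == 1337)", answer_filter),
                       ("tcp.port != 1337 (3.6+)", modern_port_filter)]:
        print(f"{name:45s} -> packets {matching(filt)}")
```

Running it shows the asker's filter keeping only packet 3 (the DNS query and the ICMP echo disappear because they have no tcp.srcport/tcp.dstport to compare), the pre-3.6 reading of tcp.port != 1337 keeping packets 1 to 3 (so it removes nothing on port 1337), and both !(tcp.port == 1337) and the 3.6+ reading of tcp.port != 1337 keeping packets 3, 4 and 5, which is the intended result.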