Wireshark-users: Re: [Wireshark-users] question re: problem similar to display

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 11 May 2007 15:22:11 -0700

On May 11, 2007, at 3:06 PM, Karen Isaacson wrote:

ip.addr == 192.168.155.12 is the string I have used to get what I am
looking for, along with what is needed to filter out everything but port
80 traffic.  What I get back is all traffic for 192.168.155.12, and
192.168.155.120, and 192.168.155.121, etc. on port 80.

What do you mean by "traffic *for* XXX.XXX.XXX.XXX"?

"ip.addr == 192.168.155.12" means "match all packets that have an 'ip.addr' field with the value 192.168.155.12". IP packets normally have two "ip.addr" fields, one with the value of the source address, and one with the value of the destination address, so "ip.addr == 192.168.155.12" will match all packets that are sent *to* 192.168.155.12 *AND* all packets that are sent *from* 192.168.155.12.

I.e., a packet sent from 192.168.155.12 to 192.168.155.120 will be matched by "ip.addr == 192.168.155.12"; it's supposed to be matched by that filter. Similarly, a packet sent from 192.168.155.12 to 192.168.155.12 will also match, as will a packet sent from 192.168.155.121 to 192.168.155.12 or sent from 192.168.155.12 to 192.168.155.121.

If by "traffic for XXX.XXX.XXX.XXX" you mean "traffic sent *to* XXX.XXX.XXX.XXX", you want "ip.dst == XXX.XXX.XXX.XXX". However, that will get you only half of the traffic involving XXX.XXX.XXX.XXX - you won't see any of the replies from XXX.XXX.XXX.XXX.

I have seen syntax like (ip.addr == 192.168.155.12 or ip.addr ==
192.168.155.11) work so I wonder if I need to add parentheses.

Where would you add parentheses to "ip.addr == 192.168.155.12"?