Wireshark-users: Re: [Wireshark-users] a question on capture filter

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 24 Sep 2012 17:03:48 +0000 (UTC)
esolve esolve <esolvepolito@...> writes:

> Hi,     I want to capture packets with capture filter like:     host
138.56.169.25 and (not host 138.52.69.45) and (not ntp) and (not igmp)     so
the packets I want to capture are with 138.56.169.25 as src/dst, but without
138.52.69.45 as src/dst, and should not be ntp or igmp packets.     But the
capture results are not as expected, can anyone know where is wrong? thanks!

You might try the following filter:

(not udp port 123 and not igmp) and (ip src host 138.56.169.25 and not ip dst
host 138.52.69.45) or (ip dst host 138.56.169.25 and not ip src host 
138.52.69.45)

If you want to see what the generated BPF code is for a given filter, 
then use:

dumpcap -d -f <capture-filter>

I think it will help you see the difference between your original capture 
filter and this one.

Yours:
$ wireshark-gtk2/dumpcap.exe -i 4 -d -f "host 138.56.169.25 and (not host
138.52.69.45) and (not udp port 123) and (not igmp)"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 20
(002) ld       [26]
(003) jeq      #0x8a38a919      jt 4    jf 6
(004) ld       [30]
(005) jeq      #0x8a34452d      jt 31   jf 10
(006) ld       [30]
(007) jeq      #0x8a38a919      jt 8    jf 31
(008) ld       [26]
(009) jeq      #0x8a34452d      jt 31   jf 10
(010) ldb      [23]
(011) jeq      #0x11            jt 12   jf 19
(012) ldh      [20]
(013) jset     #0x1fff          jt 30   jf 14
(014) ldxb     4*([14]&0xf)
(015) ldh      [x + 14]
(016) jeq      #0x7b            jt 31   jf 17
(017) ldh      [x + 16]
(018) jeq      #0x7b            jt 31   jf 30
(019) jeq      #0x2             jt 31   jf 30
(020) jeq      #0x806           jt 22   jf 21
(021) jeq      #0x8035          jt 22   jf 31
(022) ld       [28]
(023) jeq      #0x8a38a919      jt 24   jf 26
(024) ld       [38]
(025) jeq      #0x8a34452d      jt 31   jf 30
(026) ld       [38]
(027) jeq      #0x8a38a919      jt 28   jf 31
(028) ld       [28]
(029) jeq      #0x8a34452d      jt 31   jf 30
(030) ret      #65535
(031) ret      #0
Capturing on \Device\NPF_{76D7A2F9-A2AC-4961-A847-7460FF6210FC}

Mine:
$ wireshark-gtk2/dumpcap.exe -i 4 -d -f "(not udp port 123 and not igmp) and 
(ip src host 138.56.169.25 and not ip dst host 138.52.69.45) or (ip dst host
138.56.169.25 and not ip src host 138.52.69.45)"
(000) ldh      [12]
(001) jeq      #0x86dd          jt 22   jf 2
(002) jeq      #0x800           jt 3    jf 22
(003) ldb      [23]
(004) jeq      #0x11            jt 5    jf 12
(005) ldh      [20]
(006) jset     #0x1fff          jt 13   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x7b            jt 17   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x7b            jt 17   jf 13
(012) jeq      #0x2             jt 17   jf 13
(013) ld       [26]
(014) jeq      #0x8a38a919      jt 15   jf 17
(015) ld       [30]
(016) jeq      #0x8a34452d      jt 22   jf 21
(017) ld       [30]
(018) jeq      #0x8a38a919      jt 19   jf 22
(019) ld       [26]
(020) jeq      #0x8a34452d      jt 22   jf 21
(021) ret      #65535
(022) ret      #0
Capturing on \Device\NPF_{76D7A2F9-A2AC-4961-A847-7460FF6210FC}

- Chris
Ref: http://www.wireshark.org/docs/man-pages/dumpcap.html