Wireshark-users: Re: [Wireshark-users] a question on capture filter

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Mon, 24 Sep 2012 17:08:47 +0000 (UTC)
Christopher Maynard <Christopher.Maynard@...> writes:
> You might try the following filter:
> 
> (not udp port 123 and not igmp) and (ip src host 138.56.169.25 and not ip dst
> host 138.52.69.45) or (ip dst host 138.56.169.25 and not ip src host 
> 138.52.69.45)

Make that:

(not udp port 123 and not igmp) and ((ip src host 138.56.169.25 and not ip dst
host 138.52.69.45) or (ip dst host 138.56.169.25 and not ip src host 
138.52.69.45))

BPF:
$ wireshark-gtk2/dumpcap.exe -i 4 -d -f "(not udp port 123 and not igmp) and
((ip src host 138.56.169.25 and not ip dst host 138.52.69.45) or (ip dst host
138.56.169.25 and not ip src host 138.52.69.45))"
(000) ldh      [12]
(001) jeq      #0x86dd          jt 22   jf 2
(002) jeq      #0x800           jt 3    jf 22
(003) ldb      [23]
(004) jeq      #0x11            jt 5    jf 12
(005) ldh      [20]
(006) jset     #0x1fff          jt 13   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x7b            jt 22   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x7b            jt 22   jf 13
(012) jeq      #0x2             jt 22   jf 13
(013) ld       [26]
(014) jeq      #0x8a38a919      jt 15   jf 17
(015) ld       [30]
(016) jeq      #0x8a34452d      jt 22   jf 21
(017) ld       [30]
(018) jeq      #0x8a38a919      jt 19   jf 22
(019) ld       [26]
(020) jeq      #0x8a34452d      jt 22   jf 21
(021) ret      #65535
(022) ret      #0
Capturing on \Device\NPF_{76D7A2F9-A2AC-4961-A847-7460FF6210FC}
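As an added worked example (not part of the list message or of Wireshark's own code): a small interpreter for the cBPF listing above, run over constructed IPv4 frames next to the filter text evaluated two ways, with the outer parentheses Christopher added and without them. pcap-filter gives `and` and `or` equal precedence and associates them left to right, so the first version reads as `((not udp port 123 and not igmp) and (src host ... and not dst host ...)) or (dst host ... and not src host ...)`, and the NTP/IGMP exclusion only guards one direction. The interpreter, the frame builder and the peer address 10.0.0.1 are assumptions made for the example; the two filter addresses and the bytecode are taken from the message.

```python
import re
import struct
import ipaddress

HOST, EXCL = '138.56.169.25', '138.52.69.45'   # the two addresses in the filter
# The cBPF program exactly as dumpcap -d printed it in the message above.
BPF_TEXT = """
(000) ldh      [12]
(001) jeq      #0x86dd          jt 22   jf 2
(002) jeq      #0x800           jt 3    jf 22
(003) ldb      [23]
(004) jeq      #0x11            jt 5    jf 12
(005) ldh      [20]
(006) jset     #0x1fff          jt 13   jf 7
(007) ldxb     4*([14]&0xf)
(008) ldh      [x + 14]
(009) jeq      #0x7b            jt 22   jf 10
(010) ldh      [x + 16]
(011) jeq      #0x7b            jt 22   jf 13
(012) jeq      #0x2             jt 22   jf 13
(013) ld       [26]
(014) jeq      #0x8a38a919      jt 15   jf 17
(015) ld       [30]
(016) jeq      #0x8a34452d      jt 22   jf 21
(017) ld       [30]
(018) jeq      #0x8a38a919      jt 19   jf 22
(019) ld       [26]
(020) jeq      #0x8a34452d      jt 22   jf 21
(021) ret      #65535
(022) ret      #0
"""

def parse_bpf(text):
    """Turn a dumpcap -d listing into (op, operand, jt, jf) tuples indexed by pc."""
    prog = []
    for line in text.strip().splitlines():
        _, op, rest = re.match(r'\((\d+)\)\s+(\w+)\s*(.*)', line).groups()
        jm = re.search(r'jt\s+(\d+)\s+jf\s+(\d+)', rest)
        jt, jf = (int(jm.group(1)), int(jm.group(2))) if jm else (None, None)
        prog.append((op, rest[:jm.start() if jm else None].strip(), jt, jf))
    return prog

def run_bpf(prog, pkt):
    """Interpret the cBPF subset used above; returns the snaplen (accept) or 0 (reject)."""
    def load(off, n):                    # a load past the end rejects, as the kernel does
        if off + n > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + n], 'big')
    A = X = pc = 0
    try:
        while True:
            op, arg, jt, jf = prog[pc]
            if op == 'ret':
                return int(arg.lstrip('#'), 0)
            if op in ('ld', 'ldh', 'ldb'):                 # A = 4/2/1 bytes at [k] or [x + k]
                m = re.fullmatch(r'\[(x \+ )?(\d+)\]', arg)
                A = load(int(m.group(2)) + (X if m.group(1) else 0), {'ld': 4, 'ldh': 2, 'ldb': 1}[op])
            elif op == 'ldxb':                             # X = 4*([k]&0xf): IPv4 header length
                X = 4 * (load(int(re.search(r'\[(\d+)\]', arg).group(1)), 1) & 0xf)
            else:                                          # jeq / jset: conditional branch
                k = int(arg.lstrip('#'), 0)
                pc = jt if ((A == k) if op == 'jeq' else A & k) else jf
                continue
            pc += 1
    except IndexError:
        return 0

def frame(src, dst, proto, sport=0, dport=0, frag_off=0):
    """Constructed Ethernet/IPv4 frame (not captured traffic) with an 8-byte UDP-shaped L4 header."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 28, 0, frag_off, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b'\x08\x00' + ip + struct.pack('!HHHH', sport, dport, 8, 0)

def fields(pkt):
    """Decode proto, addresses and, for an unfragmented UDP/TCP packet, the port pair."""
    proto, frag = pkt[23], struct.unpack('!H', pkt[20:22])[0] & 0x1fff
    src, dst = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (26, 30))
    l4 = 14 + 4 * (pkt[14] & 0xf)
    ports = struct.unpack('!HH', pkt[l4:l4 + 4]) if frag == 0 and proto in (6, 17) else ()
    return proto, src, dst, ports

def from_text(pkt):
    """Filter text with its outer parentheses (intended) and without them (and/or left-to-right)."""
    proto, src, dst, ports = fields(pkt)
    base = not (proto == 17 and 123 in ports) and proto != 2   # not udp port 123 and not igmp
    from_host, to_host = src == HOST and dst != EXCL, dst == HOST and src != EXCL
    return base and (from_host or to_host), (base and from_host) or to_host

def evaluate(pkt):
    """(bytecode accepts, parenthesised text accepts, unparenthesised text accepts)."""
    return (run_bpf(parse_bpf(BPF_TEXT), pkt) != 0, *from_text(pkt))

SAMPLES = {                                # constructed traffic; 10.0.0.1 is a stand-in peer
    'dns host->other':          frame(HOST, '10.0.0.1', 17, 40000, 53),
    'ntp other->host':          frame('10.0.0.1', HOST, 17, 45000, 123),
    'igmp other->host':         frame('10.0.0.1', HOST, 2),
    'dns host->excluded':       frame(HOST, EXCL, 17, 40000, 53),
    'udp fragment host->other': frame(HOST, '10.0.0.1', 17, 123, 123, frag_off=5),
}
```

Running `evaluate` over `SAMPLES` shows the bytecode agreeing with the parenthesised reading on every frame, while the unparenthesised reading accepts NTP and IGMP traffic sent to 138.56.169.25. Two details of the listing worth noting for anyone reusing the filter: instruction 006 jumps past the port test for non-first fragments, so `not udp port 123` lets NTP fragments through (the last sample), and instruction 001 rejects IPv6 outright because `ip src host` is an IPv4-only primitive.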