Wireshark-users: Re: [Wireshark-users] a question on capture filter

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 24 Sep 2012 12:32:48 -0700
On Sep 24, 2012, at 9:33 AM, esolve esolve <esolvepolito@xxxxxxxxx> wrote:

>      I want to capture packets with capture filter like:
> 
>      host 138.56.169.25 and (not host 138.52.69.45) and (not ntp) and (not igmp)
> 
>      so the packets I want to capture are with 138.56.169.25 as src/dst, but without 138.52.69.45 as src/dst, and should not be ntp or igmp packets.
> 
>      But the capture results are not as expected.

Yes, the capture results are, instead, an error message saying "unknown host 'ntp'".

libpcap/WinPcap's filter syntax doesn't support directly checking for arbitrary protocols, only for some protocols; you have to check for packets going to or from the UDP port for NTP to check for NTP packets.

Try

	host 138.56.169.25 and (not host 138.52.69.45) and (not udp port ntp) and (not igmp)
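The point Guy makes above, as an added example that is not from this thread or from libpcap: a small Python interpreter for the subset of capture-filter syntax used here, run over constructed packets. In libpcap's syntax an identifier with no keyword is read as `host <name>`, so `not ntp` means `not host ntp`, which is why the error reports an unknown host; the example reproduces that behaviour and the working `udp port ntp` form. It assumes IPv4 literals only and a two-entry service table standing in for /etc/services.

```python
import re
SERVICES = {"ntp": 123, "domain": 53}   # constructed subset of /etc/services
IP_PROTO = {"igmp": 2, "udp": 17, "tcp": 6}
def compile_filter(expr):
    # Grammar: expr := term ('and' term)*; term := 'not' term | '(' expr ')' | primitive
    toks = re.findall(r"\(|\)|[\w.]+", expr)
    nxt = lambda: toks.pop(0) if toks else ""
    def term():
        t = nxt()
        if t == "(":
            f = parse()
            if nxt() != ")":
                raise ValueError("missing ')'")
            return f
        if t == "not":
            f = term()
            return lambda p: not f(p)
        if t in ("udp", "tcp") and toks[:1] == ["port"]:
            nxt()
            num, proto = SERVICES.get(nxt()), IP_PROTO[t]
            if num is None:
                raise ValueError("unknown port")
            return lambda p: p["proto"] == proto and num in (p["sport"], p["dport"])
        if t in IP_PROTO:
            return lambda p, n=IP_PROTO[t]: p["proto"] == n
        name = nxt() if t == "host" else t    # no keyword given: libpcap assumes "host"
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):   # only IPv4 literals resolve
            raise ValueError(f"unknown host '{name}'")
        return lambda p: name in (p["src"], p["dst"])
    def parse():
        f = term()
        while toks[:1] == ["and"]:
            nxt()
            f = lambda p, g=f, h=term(): g(p) and h(p)
        return f
    return parse()

PACKETS = [  # constructed sample traffic: src, dst, IP protocol number, ports
    dict(src="138.56.169.25", dst="10.0.0.9", proto=6, sport=40000, dport=443),
    dict(src="138.56.169.25", dst="138.52.69.45", proto=6, sport=40001, dport=22),
    dict(src="10.0.0.9", dst="138.56.169.25", proto=17, sport=123, dport=123),
    dict(src="138.56.169.25", dst="224.0.0.1", proto=2, sport=None, dport=None),
]

def select(expr):  # indexes of PACKETS the filter keeps, or the compile error text
    try:
        keep = compile_filter(expr)
    except ValueError as e:
        return str(e)
    return [i for i, p in enumerate(PACKETS) if keep(p)]
```

Only the first constructed packet (TCP to an unrelated host) survives the corrected filter; the original `not ntp` form is rejected at compile time, before any packet is examined.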