Wireshark
From Sysadmin
The intention of this page is not to teach how to use Wireshark or tshark, nor how to carry out network diagnostics. Rather, it collects example filters and other useful information on using these tools.
Examples
Below are a variety of example filters. They can be used with either the wireshark or tshark commands. For example, to use these filters on interface eth1 on Linux, they would be prepended by:
tshark -i eth1 <<filter>>
For example:
tshark -i eth1 host 192.168.0.100
Filter by address only
All of these examples capture traffic on interface eth1 on Linux.
Capture all traffic to or from host 192.168.0.100:
host 192.168.0.100
Capture all traffic to or from subnet 192.168.0.0/24:
net 192.168.0.0/24
Capture all traffic from subnet 192.168.0.0/24:
src net 192.168.0.0/24
Capture all traffic to subnet 192.168.0.0/24:
dst net 192.168.0.0/24
Or
dst net 192.168.0.0 mask 255.255.255.0
Filter by port only
Capture SMTP traffic:
port 25
Capture SMTP or Submission traffic:
port 25 or port 587
Capture traffic from a range of ports (libpcap 0.9.1 or later only):
portrange 8080-8090
Capture all UDP DNS traffic:
udp port 53
Capture all UDP & TCP DNS traffic:
udp port 53 or tcp port 53
Filter by address and port
Capture all SMTP traffic to or from 192.168.0.100:
host 192.168.0.100 and port 25
Capture everything except SMTP and Submission traffic from 192.168.0.100:
host 192.168.0.100 and not port 25 and not port 587
Or
host 192.168.0.100 and not \(port 25 or port 587\)
In this last example the parentheses have been escaped with backslashes so that a Unix shell passes them through to tshark unchanged.
Filter by network layer
Capture ARP traffic only:
arp
Or
ether proto 0x0806
Capture IP traffic only:
ip
Other filters
Exclude broadcast & multicast traffic:
not broadcast and not multicast
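All of the filters on this page are capture filters in libpcap's pcap-filter syntax, and tshark hands them to libpcap unchanged. The following is an added example, not code from this page or from the Wireshark project: a small Python evaluator for the subset of that syntax used above (host, net with CIDR or mask, port, portrange, src/dst qualifiers, tcp/udp, arp/ip, ether proto, broadcast/multicast, and and/or/not with parentheses), run over constructed packet records so the logic of a filter can be checked offline before it is used on a live interface. The Packet record, its field names and the sample packets are assumptions of the example; it is not libpcap's compiler and does not read capture files.

```python
"""Evaluator for the capture-filter subset used on this page (added example).

Not libpcap's compiler: it models host/net/port/portrange, src/dst, tcp/udp,
arp/ip, ether proto, broadcast/multicast and and/or/not over a constructed
Packet record, so a filter's logic can be checked before a live capture.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ETHER_PROTO = {"0x0800": "ip", "0x0806": "arp"}  # EtherTypes used on the page


@dataclass
class Packet:
    """Constructed packet model (an assumption of this example): only the
    fields the filters inspect. For ARP, src/dst hold sender/target IPs."""
    proto: str                  # "tcp", "udp", "icmp" or "arp"
    src: Optional[str] = None   # IPv4 source address
    dst: Optional[str] = None   # IPv4 destination address
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst_mac: str = "00:11:22:33:44:55"


def _addr_match(p, direction, test):
    s = p.src is not None and test(ipaddress.ip_address(p.src))
    d = p.dst is not None and test(ipaddress.ip_address(p.dst))
    return s if direction == "src" else d if direction == "dst" else s or d


def _port_match(p, direction, test):
    s = p.sport is not None and test(p.sport)
    d = p.dport is not None and test(p.dport)
    return s if direction == "src" else d if direction == "dst" else s or d


class CaptureFilter:
    """Recursive-descent parser: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := 'not' factor | '(' expr ')' | primitive."""

    def __init__(self, text: str):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", text)
        self.pos = 0
        self.pred = self._expr()
        if self.pos != len(self.tokens):   # e.g. a missing "and" between primitives
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def matches(self, pkt: Packet) -> bool:
        return bool(self.pred(pkt))

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, *expected):
        tok = self._peek()
        if tok is None or (expected and tok not in expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def _expr(self):
        left = self._term()
        while self._peek() == "or":
            self._take("or")
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._term())
        return left

    def _term(self):
        left = self._factor()
        while self._peek() == "and":
            self._take("and")
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._factor())
        return left

    def _factor(self):
        if self._peek() == "not":
            self._take("not")
            inner = self._factor()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take("(")
            inner = self._expr()
            self._take(")")
            return inner
        return self._primitive()

    def _primitive(self):
        tok = self._take()
        if tok in ("tcp", "udp") and self._peek() in ("src", "dst", "port", "portrange"):
            inner = self._primitive()           # e.g. "udp port 53"
            return lambda p, t=tok: p.proto == t and inner(p)
        if tok in ("tcp", "udp", "icmp", "arp"):
            return lambda p, t=tok: p.proto == t
        if tok == "ip":
            return lambda p: p.proto != "arp"   # every non-ARP packet here is IPv4
        if tok == "ether":
            self._take("proto")
            name = ETHER_PROTO[self._take()]
            return lambda p: (p.proto == "arp") == (name == "arp")
        if tok == "broadcast":
            return lambda p: p.dst_mac.lower() == "ff:ff:ff:ff:ff:ff"
        if tok == "multicast":                  # group bit of the first MAC octet
            return lambda p: int(p.dst_mac.split(":")[0], 16) & 1 == 1
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "host":
            addr = ipaddress.ip_address(self._take())
            return lambda p: _addr_match(p, direction, lambda a: a == addr)
        if tok == "net":
            spec = self._take()
            if self._peek() == "mask":          # "net A.B.C.D mask M.M.M.M"
                self._take("mask")
                spec = f"{spec}/{self._take()}"
            network = ipaddress.ip_network(spec, strict=False)
            return lambda p: _addr_match(p, direction, lambda a: a in network)
        if tok == "port":
            n = int(self._take())
            return lambda p: _port_match(p, direction, lambda x: x == n)
        if tok == "portrange":
            lo, hi = (int(x) for x in self._take().split("-"))
            return lambda p: _port_match(p, direction, lambda x: lo <= x <= hi)
        raise ValueError(f"unsupported primitive {tok!r}")


if __name__ == "__main__":
    # Constructed sample traffic; the addresses are taken from the page's examples.
    smtp = Packet("tcp", "192.168.0.100", "10.0.0.5", 51000, 25)
    dns = Packet("udp", "192.168.0.7", "192.168.0.1", 40000, 53)
    arp = Packet("arp", "192.168.0.1", "192.168.0.100")
    for text in ("host 192.168.0.100 and not (port 25 or port 587)",
                 "udp port 53 or tcp port 53",
                 "dst net 192.168.0.0 mask 255.255.255.0",
                 "ether proto 0x0806", "not broadcast and not multicast"):
        f = CaptureFilter(text)
        print(f"{text!r}: smtp={f.matches(smtp)} dns={f.matches(dns)} arp={f.matches(arp)}")
```

The parser rejects two primitives written next to each other without an operator, which is the most common way a capture filter silently turns into something other than what was intended. When the checked filter is passed to tshark, wrapping the whole expression in single quotes (tshark -i eth1 'host 192.168.0.100 and not (port 25 or port 587)') avoids the backslash escaping shown above, since the shell then leaves the parentheses alone.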
