Hi all, I am looking for a command that I can use to filter a particular IP. For example, I just want to get info about 10.82.23.343 and store it in the file hello.cap. How would I go about doing that from the command line [Linux]? FYI, I have used the command tshark -i 2 -p -w hello.cap to capture and it works, but I want to know how I filter on a particular IP address.

asked 25 Jul '12, 08:22

helloworld0722

Kurt, I also wanted to know if the capture/filter can be done on multiple files. For example, tshark -i 2 -p -w hello.cap hello2.cap host 10.82.23.343: is this possible??? Or is there a way to merge a capture into two files?

(25 Jul '12, 14:01) helloworld0722

You can specify the option -w several times, but only the last one will be used (just tested).

Why do you want to write the file two times? You can just copy it after you're done capturing. Can you please add some more information?

BTW: The IP Address 10.82.23.343 is not going to work, unless you have your own special IP stack ;-)

(25 Jul '12, 14:13) Kurt Knochner ♦

I have several .cap files which I combine into one file with mergecap. My question is: can I use mergecap and tshark together and apply a filter so that the resulting file only contains the filtered IP?

(26 Jul '12, 06:21) helloworld0722

You can do that with tshark, after you merged the files.

tshark -r input.cap -w output.cap -R "ip.addr == 10.82.23.x"

HINT: -R requires Display Filters!

(26 Jul '12, 08:57) Kurt Knochner ♦

Yes, I got that to work, but what if I want to filter out multiple IPs?

(26 Jul '12, 09:08) helloworld0722

just specify them:

tshark -r input.cap -w output.cap -R "ip.addr == 10.82.23.x or ip.addr == 1.2.3.4 or ip.addr == 2.3.4.5"

(26 Jul '12, 09:13) Kurt Knochner ♦

Please try this.

tshark -i 2 -p -w hello.cap host 10.82.23.x43

host x.x.x.x will filter only traffic from and to that IP address.

Please read the wiki for a more complete list of capture filters:

http://wiki.wireshark.org/CaptureFilters

Regards
Kurt


answered 25 Jul '12, 08:31

Kurt Knochner ♦

edited 25 Jul '12, 14:13

Thanks, it works!!

(25 Jul '12, 08:43) helloworld0722
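The thread ends with two things worth automating: Kurt's point that 10.82.23.343 is not a valid IPv4 address, and the "ip.addr == a or ip.addr == b" display filter used to pull several hosts out of a merged capture. The POSIX shell script below is an added example, not code from the thread or from the Wireshark project: it validates each address (every octet must be 0..255) before building the filter, so a typo cannot silently produce an empty output file, and then runs mergecap and tshark over it. The file names merged.cap and the use of -Y are assumptions; -Y is the single-pass display-filter option in tshark 1.10 and later, where -R requires the -2 two-pass flag.

```shell
#!/bin/sh
# Added example: validate IPv4 addresses, build a tshark display filter
# and apply it to a merged capture. Not part of the original thread.

# Return 0 if $1 is a dotted quad with every octet in the range 0..255.
is_ipv4() {
    addr=$1
    # Reject anything but digits and dots, leading/trailing dots and ".." runs.
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr          # split the address into its fields
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -ge 0 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Join validated addresses into "ip.addr == a or ip.addr == b ...".
# Prints the filter on stdout; prints nothing and returns 1 on the first bad address.
build_ip_filter() {
    filter=""
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
        if [ -z "$filter" ]; then
            filter="ip.addr == $addr"
        else
            filter="$filter or ip.addr == $addr"
        fi
    done
    printf '%s\n' "$filter"
}

# Merge every .cap in the current directory (assumed layout), then keep only
# packets to or from the listed hosts. Usage: filter_captures out.cap IP [IP ...]
filter_captures() {
    out=$1; shift
    filter=$(build_ip_filter "$@") || return 1
    mergecap -w merged.cap ./*.cap && tshark -r merged.cap -Y "$filter" -w "$out"
}
```

Because build_ip_filter writes the filter to stdout, it can also be pasted straight into a tshark -Y or -R argument by hand; the capture filter form from Kurt's answer (host x.x.x.x, applied with -i at capture time) is a different, BPF-style syntax and is deliberately not generated here.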