This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter for multiple host combination


I need a capture filter like the one mentioned below: /usr/sbin/tshark -i any (host IP1 or host IP2 or host IP3 and (host IP4 or host IP5)) and (udp or sctp) -w "file.pcap"

In a nutshell, I want udp and sctp packets that are sent from/to IP1 or IP2 and between IP3-IP4 and IP3-IP5.

Now the problem is the way tshark processes these filters. I am not able to get the capture.

Please suggest and help!

asked 28 Nov '12, 06:52


Rajat

edited 28 Nov '12, 09:23


grahamb ♦


One Answer:


The 'correct' filter (but not necessarily the best/fastest filter), would be:

tshark -ni any '((host 10.0.0.1 or host 10.0.0.2) and (udp or sctp)) or (host 10.0.0.3 and host 10.0.0.4 and (udp or sctp)) or (host 10.0.0.3 and host 10.0.0.5 and (udp or sctp))'

where:

IP1 == 10.0.0.1
IP2 == 10.0.0.2
IP3 == 10.0.0.3

etc.

Regards
Kurt

answered 28 Nov '12, 07:02


Kurt Knochner ♦

edited 29 Nov '12, 04:33

Hi, this filter works fine on Windows but fails on Linux. I am using Wireshark 1.6.3 on both. It seems that on Linux "(" is not accepted. Can you please help?

(29 Nov '12, 02:49) Rajat

The error on Linux is: -bash: syntax error near unexpected token `('

The same command works on Windows, but fails on Linux.

(29 Nov '12, 02:50) Rajat

Try using double quotes.

(29 Nov '12, 03:12) grahamb ♦

There was an error: an imbalance of opening/closing braces (copy-paste error). Please try the updated filter.

(29 Nov '12, 04:33) Kurt Knochner ♦

Interesting that the borked version worked on Windows but not on Linux.

(29 Nov '12, 05:52) grahamb ♦

It does not.

Faulty filter:

tshark -ni 2 '(host 10.0.0.1 or host 10.0.0.2 and (udp or sctp)) or (host 10.0.0.3 and host 10.0.0.4 and (udp or sctp)) or ((host 10.0.0.3 and host 10.0.0.5 and (udp or sctp))'

I get this error: tshark: Invalid capture filter

So, I don't know what filter @Rajat actually uses.

(29 Nov '12, 05:57) Kurt Knochner ♦
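The thread touches three separate problems: the grouping of the host clauses (pcap-filter gives "and" and "or" equal precedence and evaluates left to right, so the question's unparenthesised filter does not mean what was intended), the bash "syntax error near unexpected token `('" that appears when the expression is not quoted, and a filter with mismatched parentheses that tshark rejects. The script below is an added example, not code from the thread or from the Wireshark project: it assembles the answer's filter from the five host addresses (the 10.0.0.x values are the answer's constructed placeholders), checks that the parentheses balance before the expression reaches tshark, and prints the correctly quoted command line.

```shell
#!/bin/sh
# Added example (not from the thread): build the capture filter given in the
# answer from host variables, check parenthesis balance, and show the quoting
# that keeps bash from parsing the parentheses itself.

# Constructed sample addresses (the answer's placeholders); substitute your own.
IP1=10.0.0.1; IP2=10.0.0.2; IP3=10.0.0.3; IP4=10.0.0.4; IP5=10.0.0.5

# build_filter IP1 IP2 IP3 IP4 IP5 -> prints the BPF expression on stdout.
# Every alternative is parenthesised and carries its own "(udp or sctp)":
# pcap-filter treats "and" and "or" with equal precedence, left to right, so
# the protocol test would otherwise bind to only part of the expression.
build_filter() {
    proto='(udp or sctp)'
    printf '%s' "((host $1 or host $2) and $proto) or (host $3 and host $4 and $proto) or (host $3 and host $5 and $proto)"
}

# balanced EXPR -> exit 0 when every "(" has a matching ")", else 1.
# Catches the copy-paste error discussed in the comments before tshark does.
balanced() {
    depth=0
    rest=$1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of the remaining text
        rest=${rest#?}          # drop it
        case $c in
            '(') depth=$((depth + 1)) ;;
            ')') depth=$((depth - 1)); [ "$depth" -lt 0 ] && return 1 ;;
        esac
    done
    [ "$depth" -eq 0 ]
}

FILTER=$(build_filter "$IP1" "$IP2" "$IP3" "$IP4" "$IP5")
if balanced "$FILTER"; then
    # Single quotes (double quotes also work) hand the expression to tshark
    # intact; left unquoted, bash tries to interpret "(" and reports
    # "syntax error near unexpected token `('" as seen in the comments.
    echo "tshark -ni any '$FILTER' -w file.pcap"
else
    echo "unbalanced parentheses in capture filter: $FILTER" >&2
    exit 1
fi
```

The script only prints the tshark command rather than starting a capture, so it can be run without an interface or privileges; replace the final echo with the command itself once the printed filter looks right.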