WS 1.8.4 - I'm wondering how I can capture traffic only between two machines? I basically want the capture filter to get all tcp/ip traffic between just two machines in both directions. Then I'll use a display filter to drill deeper than that. I've tried the following commands and close variants (substituting && for and, etc.) (ip.src 10.0.0.1 and ip.dst 10.0.0.2) or (ip.dst 10.0.0.1 and ip.src 10.0.0.2) ip.addr==10.0.0.1 && ip.addr==10.0.0.2 Its seems like the syntax has changed recently with the 1.8.x versions. I used to be able to just type "src" in the display filter I thought, but that's not even listed in the reference anymore. Thanks in advance for any help! Adam EDIT: it allows appears that the syntax checker disappeared from edit -> preferences -> capture (according to the doc.) asked 01 Feb '13, 08:01  amarcionek edited 01 Feb '13, 08:05 |
2 Answers:
Ok, I'm going to answer my own question.... I think on the capture filter side, you can't use the same syntax as the display filter side? I was able to use this in the display filter and it worked: tcp and ip.addr==10.0.0.1 && ip.addr==10.0.0.2 answered 01 Feb '13, 08:24 amarcionek |
For a capture filter to only see the traffic between two machines: As you have noted capture and display filters are two different things with different syntaxes. There are many filter examples around the internet, remember tcpdump filters are capture filters for Wireshark (and TShark) purposes. answered 01 Feb '13, 08:37  grahamb ♦ |
