With tcpdump if I want to capture all TCP connection attempts (whether successful or not) I use the following capture filter: tcp[tcpflags] & (tcp-syn) != 0 and if I want capture the start and end packetes (The SYN and FIN packets) of each TCP conversation that involves a non-local host I use: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet How can I do these examples using Wireshark GUI (Creating capture filters)? Thanks in advance! This question is marked "community wiki". asked 08 Mar '13, 10:30  zig69 edited 08 Mar '13, 10:32 |
2 Answers:
Assuming you're running Wireshark 1.8.x, you can open the capture options and double click on the interface you want to capture on. This will open another dialog where you can specify the capture filter. On older versions, you'll see the capture filter input field right after opening the capture options dialog. answered 08 Mar '13, 10:34  Jasper ♦♦ |
localnet is not a libpcap keyword, it is looked up by your system in /etc/networks. Even though you can add an entry to /etc/networks, it does not seem to be CIDR compatible, so if you are on a network that is not classfull, you will be out of luck anyway. See also: http://www.winpcap.org/pipermail/winpcap-users/2011-November/004522.html You will have to contruct the network address for your network yourself and can then use it like this (for 192.168.1.0/25): answered 15 Mar '13, 04:57  SYN-bit ♦♦ |
Thanks for your answer, but I already knew that, is trivial! I meant how to create the filters (syntax) for doing the same thing that I do with tcpdump...
Not sure what you're aiming at, but THAT capture filter box takes tcpdump syntax... just put it in there, just as you would for tcpdump. Did you ever try? It's trivial! ;-)
Yes, It's trivial but does not work! The filter: tcp[tcpflags] & (tcp-syn) != 0 works well but when I add the expression "and not src and dst net localnet" the capture filter field appears in red color and does not work (Of course) :-(
Wireshark does not know the term localnet