
ip host host.example.com

asked 2021-07-06 07:03:05 +0000

nantix

updated 2021-07-06 12:37:29 +0000

Jaap

Hi, I'm trying to set up a filter that only captures traffic from one site to my pc and from my pc to that site, I can't figure out what the exact formula is. Clicking on the new capture filter, I see that the formula "ip host host.example.com" appears. How do you use this formula? Is it not possible to replace it with the url of the site whose network traffic you want to capture?


1 Answer


answered 2021-07-06 07:27:09 +0000

grahamb

updated 2021-07-06 07:27:43 +0000

For a capture filter that restricts traffic to that to\from a particular host, use "host example.com", replacing "example.com" with the appropriate host name for the site, the portion of the URL that is between the scheme ("http://" or "https://") and the first trailing slash.

E.g. for the URL "https://www.bbc.co.uk/sport", the host name part is "www.bbc.co.uk" and the capture filter would be "host www.bbc.co.uk".

Note however such a filter might not capture all traffic involved in visiting a web site as the page code may link to external resources, e.g. ads that your browser will retrieve and they may be on a different host that won't be included by the capture filter.


Comments

Hi, thanks, and so the "ip host" part should not be added? When adding a new capture filter, it automatically appears all at once "ip host host.example.com" which is what confused me.

nantix ( 2021-07-06 07:36:47 +0000 )

"ip host host www.bbc.co.uk" is not a valid filter.

"ip host www.bbc.co.uk" is a valid filter that checks only for IPv4 traffic to and from www.bbc.co.uk (assuming www.bbc.co.uk has an IPv4 address, which it does).

"host www.bbc.co.uk" is a valid filter that checks for both IPv4 traffic (assuming www.bbc.co.uk has an IPv4 address, which it does) and IPv6 traffic (assuming www.bbc.co.uk has an IPv6 address, which it does, and that the OS's name-to-address routine doesn't "helpfully" mark the address as "unusable", which some do).

Guy Harris ( 2021-07-06 09:22:54 +0000 )

In case of insertion of an invalid capture filter, will Wireshark still capture all network traffic, or will no capture start?

nantix ( 2021-07-06 10:37:48 +0000 )

If the filter is syntactically incorrect Wireshark won't start a capture, the filter edit box will remain red and if you attempt to start the capture the status bar displays "Invalid capture filter".

If the filter is semantically incorrect, e.g. you typo an IP address, the capture will start but you won't get the results you might expect.

grahamb ( 2021-07-06 11:23:40 +0000 )

Hi, ok, I did some tests, if I go to "capture" "capture filters", "add capture filters" and add a filter as you indicated, for example "host www.site.com" the box turns green indicating that the syntax is correct. Then I close Wireshark and reopen it and the screen to choose the network interface appears, for example "ethernet", and then I click to start the capture (while I browse on www.site.com) but it does not start the capture and in the bar above it asks me again to apply a filter, but for display, in the meantime, however, I see that everything is stopped and the capture with the capture filter has not started and by adding a filter for viewing with the same syntax as the capture one, the box becomes red, I understand that the syntax for view filters is different right? So I have to ...(more)

nantix ( 2021-07-06 16:45:34 +0000 )
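
The URL-to-host step from the answer and the "host" / "ip host" forms from the comments, as an added example that is not part of the original thread and is not Wireshark code. The function names, the "ip6" and "and port" variants (standard pcap-filter syntax, not mentioned in the thread) and all sample URLs except the BBC one are assumptions of this example; it only builds the filter string and rejects inputs that are clearly not a host, it does not run the filter through libpcap.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def split_host(url):
    """Return (host, port) from a URL, dropping scheme, userinfo and path."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        # IP literal: normalise it; this also range-checks every octet.
        return str(ipaddress.ip_address(host)), parts.port
    except ValueError:
        pass
    labels = host.split(".")
    # A name whose last label is all digits is a mistyped IPv4 address,
    # and any other character could smuggle extra words into the filter.
    if labels[-1].isdigit() or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a usable host name: {host!r}")
    return host, parts.port

def capture_filter(url, family=None, with_port=False):
    """Build a capture filter string for the host named in `url`.
    family=None -> "host X"; "ip" -> IPv4 only; "ip6" -> IPv6 only."""
    if family not in (None, "ip", "ip6"):
        raise ValueError("family must be None, 'ip' or 'ip6'")
    host, port = split_host(url)
    expr = f"{family} host {host}" if family else f"host {host}"
    if with_port and port is not None:
        expr += f" and port {port}"
    return expr

if __name__ == "__main__":
    # Constructed sample inputs; only the BBC URL comes from the thread.
    for u in ("https://www.bbc.co.uk/sport", "https://example.com:8443/x",
              "http://192.168.1.300/"):
        try:
            print(f"{u:32} -> {capture_filter(u, with_port=True)}")
        except ValueError as e:
            print(f"{u:32} -> rejected: {e}")
```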


Stats

Asked: 2021-07-06 07:03:05 +0000

Seen: 1,442 times

Last updated: Jul 06 '21