Query On Wireshark Filter with two protocol

asked 2022-07-08 13:39:55 +0000

updated 2022-07-08 14:58:03 +0000


I am new to Wireshark and would like to filter DNS & LDAP with source and destination IP. As soon as I apply the filters below, the Wireshark filter field turns yellow with a triangle mark.

dns or ldap and (ip.src==10.0.20.62)  
dns or ldap and (ip.dst==10.0.20.62)

When I try with individual filters, it works fine, but I need to run it two times and it's a time-consuming process as our cap file is more than 30 GB.

dns and (ip.src==10.0.20.62)  
ldap and (ip.src==10.0.20.62)

Is there any way to combine both protocols in one filter command against ip.src or ip.dst to avoid running it two times?

Kindly advise how to correct the filters, as I have been struggling with this for the past few days.

Thanks a lot in advance, Suvajit Basu


1 Answer


answered 2022-07-08 15:05:37 +0000


"Wireshark filter field turns into yellow with triangle mark."

Wireshark is warning you that the filter may not work as you intended. This is due to an apparent ambiguity with respect to logical operator precedence between "and" and "or", which unfortunately isn't well documented on the wireshark-filter man page.

In the old days, logical or took precedence over logical and, but that was changed beginning with the Wireshark 3.7.0 development release, soon to become Wireshark 4.0. In any case, it's probably best to use parentheses to avoid any such ambiguities (and to avoid the yellow display filter warning).

So, if you want a filter that matches either DNS or LDAP traffic, but only when both the IP source and destination addresses are 10.0.20.62, then you should be able to use a filter such as this:

(dns or ldap) and (ip.src==10.0.20.62 and ip.dst==10.0.20.62)

For the second set of filters you provided, they can be combined as follows:

(dns or ldap) and (ip.src==10.0.20.62)

Comments

There is an ip.addr field that tests against both ip.src and ip.dst. Using this gives:

(dns or ldap) and (ip.addr == 10.0.20.62)

If the file is big, you might want to use the ip.addr filter on its own and then save just the displayed packets in a file purely for that address.

grahamb (2022-07-08 15:11:55 +0000)

Wow.. Thank you cmaynard for your kind response & for providing the solution.

I am running your filter now and did not get any yellow triangle warnings.

I will keep you updated shortly.

Thanks a lot once again.

Regards, Suvajit Basu

Suvajit Basu (2022-07-08 15:18:46 +0000)

Ok, I see. Thank you so much for your help. Let me try and update you.

Suvajit Basu (2022-07-08 15:23:33 +0000)

Hmm, I'm not sure what happened to @grahamb's answer, but certainly if you're looking for packets with either the source or destination IP address set to 10.0.20.62, then you can use the filter @grahamb provided above, which is basically just a shorter and easier way of writing, (dns or ldap) and (ip.src == 10.0.20.62 or ip.dst == 10.0.20.62).

cmaynard (2022-07-08 15:57:40 +0000)

@cmaynard, I turned it into a comment to help the flow look a bit better.

grahamb (2022-07-08 16:14:36 +0000)
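Added example (not from this thread and not Wireshark's own code): a small evaluator for the filter syntax discussed above, run over constructed sample packets under both precedence rules cmaynard describes. It shows that the unparenthesised filter selects different packets depending on whether "or" or "and" binds tighter, while the parenthesised forms and grahamb's ip.addr version select the same packets either way. The packet records and the evaluator are assumptions made for the demonstration, not Wireshark's dfilter engine.

```python
import re
# Constructed sample "packets" (not capture data): protocol plus IPv4 addresses.
PACKETS = [
    {"proto": "dns",  "ip.src": "10.0.20.62", "ip.dst": "10.0.20.1"},   # 0
    {"proto": "ldap", "ip.src": "10.0.20.62", "ip.dst": "10.0.20.5"},   # 1
    {"proto": "ldap", "ip.src": "10.0.20.9",  "ip.dst": "10.0.20.62"},  # 2
    {"proto": "dns",  "ip.src": "10.0.20.3",  "ip.dst": "10.0.20.62"},  # 3
    {"proto": "http", "ip.src": "10.0.20.62", "ip.dst": "10.0.20.7"},   # 4
]
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_.]+\s*==\s*[0-9.]+|[A-Za-z_]+")
AMBIGUOUS = "dns or ldap and (ip.src==10.0.20.62)"   # the questioner's filter
EXPLICIT = "(dns or ldap) and (ip.src==10.0.20.62)"  # cmaynard's version

def evaluate(expr, pkt, or_binds_tighter):
    """Evaluate a tiny dfilter-like expression against one packet.
    or_binds_tighter=True models the pre-3.7 rule the answer describes;
    False models the usual rule where "and" binds tighter than "or"."""
    toks = [t.replace(" ", "") for t in TOKEN.findall(expr)]
    pos = 0
    loose, tight = ("and", "or") if or_binds_tighter else ("or", "and")

    def atom():
        nonlocal pos
        t, pos = toks[pos], pos + 1
        if t == "(":
            v = binop(loose)
            pos += 1                 # consume the closing ")"
            return v
        if "==" in t:
            field, val = t.split("==")
            if field == "ip.addr":   # matches either direction, as grahamb notes
                return val in (pkt["ip.src"], pkt["ip.dst"])
            return pkt.get(field) == val
        return pkt["proto"] == t     # bare protocol name such as dns or ldap

    def binop(op):                   # left-associative chain of one operator level
        nonlocal pos
        operand = atom if op == tight else (lambda: binop(tight))
        v = operand()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            r = operand()
            v = (v and r) if op == "and" else (v or r)
        return v

    return binop(loose)

def matching(expr, or_binds_tighter):
    """Indexes of PACKETS the filter selects under the chosen precedence."""
    return [i for i, p in enumerate(PACKETS) if evaluate(expr, p, or_binds_tighter)]
```

Under the and-binds-tighter rule the ambiguous filter reads as "dns or (ldap and ip.src==...)" and picks up packet 3 (DNS from another host), which is exactly the kind of silent over-match the yellow warning is there to prevent.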

Stats

Asked: 2022-07-08 13:39:55 +0000

Seen: 879 times

Last updated: Jul 08 '22