display filter for ip & port combination

asked 2022-07-19 09:37:56 +0000 by nimrodg

updated 2022-07-21 08:22:48 +0000

Is there a way to filter by an ip.addr & tcp.port (or udp.port) combination?

You can use a convoluted ((ip.src==... && tcp.srcport==...) || (ip.dst==... && tcp.dstport==...)), but this gets out of hand once you also consider negation, as well as complex filters.

Is there a way to use something like tcp.endpoint==8.8.8.8:443 or udp.endpoint.dst==8.8.8.8:53?

If not, then can I suggest this as a feature request? :)


Comments

Fixed the title of the post, which was mistakenly cut while posting.

nimrodg (2022-07-21 08:23:24 +0000)

2 Answers

answered 2022-07-19 11:46:20 +0000 by Jaap

That's where display filter macros come into view.


Comments

Interesting! I somehow managed to miss macros until now... Will give it a try. Thanks! (I still think this should be a feature though :)

nimrodg (2022-07-20 18:53:51 +0000)

answered 2022-07-20 18:22:54 +0000 by grahamb

There are filters for both IP address (ip.addr) and TCP port (tcp.port) that will filter both "directions" for the respective protocols, e.g.

ip.addr == 1.2.3.4 is equivalent to (ip.src == 1.2.3.4 || ip.dst == 1.2.3.4)

and

tcp.port == 12345 is equivalent to (tcp.srcport == 12345 || tcp.dstport == 12345)

Similarly there are udp.port and sctp.port fields, and probably many others I've never needed to use.

Comments

Thanks, but this doesn't answer my question. I need to filter on a combination of IP & port on the same end-point.

nimrodg (2022-07-20 18:51:30 +0000)

ip.addr and tcp.port can be used in combination, e.g.

(ip.addr == 1.2.3.4) && (tcp.port == 12345)

grahamb (2022-07-20 20:24:39 +0000)

Of course, but this will also catch packets where ip.src==1.2.3.4 && tcp.dstport==12345, which misses the point of my original post.

nimrodg (2022-07-21 03:36:23 +0000)

You asked for something like tcp.endpoint == 8.8.8.8:53 which implies ip.src and ip.dst are equivalent and similarly for tcp.srcport and tcp.dstport, hence my answer.

grahamb (2022-07-21 07:54:24 +0000)

You missed my point that the IP & port should be on the same end of the connection.

nimrodg (2022-07-21 08:20:37 +0000)
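To make the difference between the two filters in this exchange concrete, here is an added Python example; it is not code from the thread or from the Wireshark project, and the function names, addresses, ports and packets in it are all constructed for illustration. endpoint_filter expands an address plus port into the hand-written form from the question (with src, dst or either direction, negation applied to the endpoint as a unit, and ipv6.* fields when the address is IPv6), naive_filter builds the two-sided ip.addr && tcp.port form from the answer, and a small evaluator that mimics Wireshark's "any occurrence of the field may match" rule runs both filters over three constructed packets.

```python
# Added example, not from the thread or from the Wireshark project: build a
# display filter that pins an address and a port to the SAME end of a flow,
# and check it against constructed packets with a tiny evaluator. All names,
# addresses, ports and packets below are constructed for illustration.
import re
from ipaddress import ip_address


def endpoint_filter(addr, port, proto="tcp", direction="either", negate=False):
    """Filter for the endpoint <addr>:<port>; direction is src, dst or either."""
    ip_layer = "ip" if ip_address(addr).version == 4 else "ipv6"  # raises on bad input
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unsupported transport: {proto}")
    as_src = f"({ip_layer}.src == {addr} && {proto}.srcport == {port})"
    as_dst = f"({ip_layer}.dst == {addr} && {proto}.dstport == {port})"
    body = {"src": as_src, "dst": as_dst, "either": f"({as_src} || {as_dst})"}[direction]
    # Negate the whole expression so "not this endpoint" stays one unit.
    return f"!{body}" if negate else body


def naive_filter(addr, port, proto="tcp"):
    """The two-sided form from the answer: address and port may be on opposite ends."""
    ip_layer = "ip" if ip_address(addr).version == 4 else "ipv6"
    return f"({ip_layer}.addr == {addr}) && ({proto}.port == {int(port)})"


# --- minimal evaluator for the subset of filter syntax generated above ------
_TOKEN = re.compile(
    r"\s*(\(|\)|&&|\|\||!|==|"
    r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+|"  # field name, e.g. ipv6.dst
    r"[0-9A-Fa-f.:]+)"                                       # IPv4/IPv6/port literal
)


def _tokenize(expr):
    expr = expr.strip()
    pos, toks = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


def _field_values(pkt, field):
    """Expand combined fields (ip.addr, tcp.port) into both of their occurrences."""
    layer, _, name = field.partition(".")
    if name == "addr":
        return [pkt.get(f"{layer}.src"), pkt.get(f"{layer}.dst")]
    if name == "port":
        return [pkt.get(f"{layer}.srcport"), pkt.get(f"{layer}.dstport")]
    return [pkt.get(field)]


def evaluate(expr, pkt):
    """Evaluate a filter over a packet given as {field: value}; precedence ! > && > ||."""
    toks = _tokenize(expr)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {pos}")
        pos += 1
        return tok

    def primary():
        tok = take()
        if tok == "!":
            return not primary()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        take("==")
        wanted = take()
        # A field with several occurrences matches if ANY occurrence matches.
        return any(str(v) == wanted for v in _field_values(pkt, tok))

    def and_expr():
        result = primary()
        while peek() == "&&":
            take()
            rhs = primary()  # always parsed, so no short-circuit skips tokens
            result = result and rhs
        return result

    def or_expr():
        result = and_expr()
        while peek() == "||":
            take()
            rhs = and_expr()
            result = result or rhs
        return result

    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in filter")
    return result


# Constructed packets: a client 10.0.0.5 talking to the endpoint 8.8.8.8:443,
# plus a "cross" packet where the address and the port sit on opposite ends.
ENDPOINT, PORT = "8.8.8.8", 443
TO_ENDPOINT = {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "tcp.srcport": 51000, "tcp.dstport": 443}
FROM_ENDPOINT = {"ip.src": "8.8.8.8", "ip.dst": "10.0.0.5", "tcp.srcport": 443, "tcp.dstport": 51000}
CROSS = {"ip.src": "8.8.8.8", "ip.dst": "10.0.0.5", "tcp.srcport": 51000, "tcp.dstport": 443}


def compare(addr=ENDPOINT, port=PORT):
    """Return {packet name: (naive filter matches, endpoint filter matches)}."""
    out = {}
    for name, pkt in (("to_endpoint", TO_ENDPOINT), ("from_endpoint", FROM_ENDPOINT), ("cross", CROSS)):
        out[name] = (evaluate(naive_filter(addr, port), pkt), evaluate(endpoint_filter(addr, port), pkt))
    return out


if __name__ == "__main__":
    print(endpoint_filter(ENDPOINT, PORT))
    for name, (naive, exact) in compare().items():
        print(f"{name:14s} naive={naive!s:5s} endpoint={exact}")
```

The "cross" packet is exactly the case raised in the comments: the address is on the source side and the port on the destination side, so the two-sided filter matches it while the endpoint filter does not. That matters when the goal is to isolate flows to one service (checking an egress rule, or every session to a single resolver or proxy), because the two-sided form silently pulls in unrelated flows that share the address or the port. The "either" expansion is also what the macro suggested in the first answer can hold: save the text (ip.src == $1 && tcp.srcport == $2) || (ip.dst == $1 && tcp.dstport == $2) under a name of your choosing, for example tcp_endpoint, and it is invoked as ${tcp_endpoint:8.8.8.8;443}; negating it is then !${tcp_endpoint:8.8.8.8;443}, which is the one-unit negation the question asked about.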
