How to make an IP filter in tshark?

asked 2019-03-08 19:36:26 +0000

mefisto.fels

I need to implement an IP filter in tshark but I get a syntax error, and I cannot find any example. Please give me an example of how to filter the IP traffic coming from or destined for a specific IP.

Do you want a capture filter or a display filter? The syntax is different, there are Wiki pages for capture filters and display filters.

You may also run into issues with your shell and quoting, what is your OS and shell? Can you amend your question with an example of the command line you have tried?

grahamb ( 2019-03-08 19:45:06 +0000 )

The line that I used is -f host xx.xx.xx.xx -f src host xxxx -f dst host xxxxx and they all give me a syntax error.

mefisto.fels ( 2019-03-08 20:07:12 +0000 )

We already use that form, is there another variant?

mefisto.fels ( 2019-03-08 21:15:58 +0000 )

We write it exactly like this: tshark -i 2 -f host > test.pcap

mefisto.fels ( 2019-03-08 21:33:56 +0000 )

You haven't stated the OS and shell. That affects quoting.

Try adding double quotes around the "host" as shown in my answer.

grahamb ( 2019-03-08 21:40:02 +0000 )

answered 2019-03-08 20:55:18 +0000

grahamb

updated 2019-03-08 20:55:51 +0000

As per the first example on the Capture Filter Wiki page, for all traffic to or from a specific IP use a capture filter of host x.x.x.x. Depending on your shell you may need to quote the arguments, e.g.

tshark -i ... -f "host x.x.x.x"
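
The quoting point in the answer above, as an added example that is not part of the original thread: a POSIX shell sketch that shows how the filter is split into words with and without quotes, and builds the `host`, `src host` and `dst host` forms from a validated IPv4 address. It assumes a POSIX shell; `capture_filter` and `count_args` are hypothetical helper names, 192.0.2.10 is a constructed documentation address, and interface `2` and `test.pcap` are taken from the thread (written here with tshark's `-w` option).

```shell
#!/bin/sh
# Added example, not from the original thread. 192.0.2.10 is a constructed
# documentation address; capture_filter and count_args are hypothetical names.

# Print a capture filter for direction any|src|dst and one IPv4 address.
# Returns 1 and prints nothing when the direction or address is malformed.
capture_filter() {
    dir=$1
    ip=$2
    # Allow only digits and dots, with no empty octets.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip          # split the address on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    case $dir in
        any)     printf 'host %s\n' "$ip" ;;
        src|dst) printf '%s host %s\n' "$dir" "$ip" ;;
        *)       return 1 ;;
    esac
}

# Print how many separate words the shell passes for the given arguments.
count_args() {
    echo $#
}

# Unquoted, "host" and the address arrive as separate words, so -f only
# receives "host"; quoted, the whole expression is a single -f value.
echo "unquoted: $(count_args -f host 192.0.2.10) words"
echo "quoted:   $(count_args -f "host 192.0.2.10") words"

# Build the filter once, then always expand it inside double quotes.
if filter=$(capture_filter src 192.0.2.10); then
    echo "tshark -i 2 -f \"$filter\" -w test.pcap"
fi
```

Rejecting anything other than a dotted-quad address before it reaches the command line also keeps stray shell metacharacters out of the filter argument.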