Revision history - Ask Wireshark

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

I will also display frames with IPv4 address equal to 10.56.50.27.

Some potentially possibly useful References:

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

I will also display frames with IPv4 address equal to 10.56.50.27.

My environment,

``` +--------------+ +--------------+ +--------------+ | Client | | Proxy | | Server | | 10.86.50.153 |:50624 -> 445:| 10.86.50.153 |:53822 ->445:| 10.86.50.152 | +--------------+ +--------------+ +--------------+

+--------------+ 5 +--------------+ 5 +--------------+ | Client | 0 -> 4 | Proxy | 3 -> 4 | Server | | |:6 4:| |:8 4:| | | 10.86.50.153 | 2 <- 5 | 10.86.50.153 | 2 <- 5 | 10.86.50.152 | +--------------+ 4 +--------------+ 2 +--------------+

 Client                        Proxy                         Server

+--------------+ REQ +--------------+ REQ +--------------+ | |-----+ --> +---| |-----+ --> +---| | | 10.86.50.153 :50624| |445: 10.86.50.153 :53822| |445: 10.86.50.152 | | |-----+ <-- +---| |-----+ <-- +---| | +--------------+ RSP +--------------+ RSP +--------------+ ```

port 445 and 152<=ip[15:1] and ip[15:1] <=153 and 152<=ip[19:1] and ip[19:1] <=153

Some potentially possibly useful References:

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

I will also display frames with IPv4 address equal to 10.56.50.27.

My environment,

```
+--------------+ +--------------+ +--------------+ | Client | | Proxy | | Server | | 10.86.50.153 |:50624 -> 445:| 10.86.50.153 |:53822 ->445:| 10.86.50.152 | +--------------+ +--------------+ +--------------+ +--------------+ +------------+ +--------------+ +-------------+ | Client | | Proxy | | Server | +------------+ +--------------+ +-------------+ 10.86.50.153 :50624 -> 445: 10.86.50.153 :53822 ->445: 10.86.50.152 10.86.50.152 +--------------+ 5 +--------------+ 5 +--------------+ | Client | 0 -> 4 | Proxy | 3 -> 4 | Server | | |:6 4:| |:8 4:| | | 10.86.50.153 | 2 <- 5 | 10.86.50.153 | 2 <- 5 | 10.86.50.152 | +--------------+ 4 +--------------+ 2 +--------------+ +--------------+ Client Proxy Server +--------------+ REQ +--------------+ REQ +--------------+ | |-----+ --> +---| |-----+ --> +---| | | 10.86.50.153 :50624| |445: 10.86.50.153 :53822| |445: 10.86.50.152 | | |-----+ <-- +---| |-----+ <-- +---| | +--------------+ RSP +--------------+ RSP +--------------+ ```

port 445 and 152<=ip[15:1] and ip[15:1] <=153 and 152<=ip[19:1] and ip[19:1] <=153

Some potentially possibly useful References:

IPv4 - Packet structure

Transmission Control Protocol - TCP segment structure

Wireshark - CaptureFilters - Examples

Chapter 4. Capturing Live Network Data - 4.10. Filtering while capturing

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

I will also display frames with IPv4 address equal to 10.56.50.27.

My ~~environment,~~environment with Wireshark on 10.86.50.153,

+--------------+              +--------------+             +--------------+
|    Client    |              |     Proxy    |             |    Server    |
| 10.86.50.153 |:50624 -> 445:| 10.86.50.153 |:53822 ->445:| 10.86.50.152 |
+--------------+              +--------------+             +--------------+

+------------+            +--------------+           +-------------+
|   Client   |            |     Proxy    |           |   Server    |
+------------+            +--------------+           +-------------+
10.86.50.153 :50624 -> 445: 10.86.50.153 :53822 ->445: 10.86.50.152


+--------------+ 5      +--------------+ 5      +--------------+
|    Client    | 0 -> 4 |     Proxy    | 3 -> 4 |    Server    |
|              |:6    4:|              |:8    4:|              |
| 10.86.50.153 | 2 <- 5 | 10.86.50.153 | 2 <- 5 | 10.86.50.152 |
+--------------+ 4      +--------------+ 2      +--------------+

     Client                        Proxy                         Server
+--------------+       REQ     +--------------+       REQ      +--------------+
|              |-----+ --> +---|              |-----+ -->  +---|              |
| 10.86.50.153 :50624|     |445: 10.86.50.153 :53822|      |445: 10.86.50.152 |
|              |-----+ <-- +---|              |-----+ <--  +---|              |
+--------------+       RSP     +--------------+       RSP      +--------------+

port 445 and 152<=ip[15:1] and ip[15:1] <=153 and 152<=ip[19:1] and ip[19:1] <=153

Some potentially possibly useful References:

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

I It will also display frames with IPv4 address equal to 10.56.50.27, even 10.86.2.27.

My environment with Wireshark on 10.86.50.153,

+--------------+              +--------------+             +--------------+
|    Client    |              |     Proxy    |             |    Server    |
| 10.86.50.153 |:50624 -> 445:| 10.86.50.153 |:53822 ->445:| 10.86.50.152 |
+--------------+              +--------------+             +--------------+

+------------+            +--------------+           +-------------+
|   Client   |            |     Proxy    |           |   Server    |
+------------+            +--------------+           +-------------+
10.86.50.153 :50624 -> 445: 10.86.50.153 :53822 ->445: 10.86.50.152


+--------------+ 5      +--------------+ 5      +--------------+
|    Client    | 0 -> 4 |     Proxy    | 3 -> 4 |    Server    |
|              |:6    4:|              |:8    4:|              |
| 10.86.50.153 | 2 <- 5 | 10.86.50.153 | 2 <- 5 | 10.86.50.152 |
+--------------+ 4      +--------------+ 2      +--------------+

     Client                        Proxy                         Server
+--------------+       REQ     +--------------+       REQ      +--------------+
|              |-----+ --> +---|              |-----+ -->  +---|              |
| 10.86.50.153 :50624|     |445: 10.86.50.153 :53822|      |445: 10.86.50.152 |
|              |-----+ <-- +---|              |-----+ <--  +---|              |
+--------------+       RSP     +--------------+       RSP      +--------------+

port 445 and 152<=ip[15:1] and ip[15:1] <=153 and 152<=ip[19:1] and ip[19:1] <=153

Some potentially possibly useful References:

How to use a short filter to capture only traffic to or from specified IP addresses

I just only care about two IP addresses, 10.86.50.153 and 10.86.50.152, but exclude any other traffic.

How to shorten the following Wireshark Capture Filter expression?

port 445 and ((src net 10.86.50.153 and dst net 10.86.50.153) or (src net 10.86.50.152 and dst net 10.86.50.153) or (src net 10.86.50.153 and dst net 10.86.50.152))

If I used the following filter expression,

port 445 and (src net 10.86.50.0/24 and dst net 10.86.50.0/24)

It will also display frames with IPv4 address equal to 10.56.50.27~~, even~~ .

It will show traffic to or from 10.86.2.2710.86.2.37 for port 445 and net 10.86.50.0/24.

My environment with Wireshark on 10.86.50.153,

+--------------+              +--------------+             +--------------+
|    Client    |              |     Proxy    |             |    Server    |
| 10.86.50.153 |:50624 -> 445:| 10.86.50.153 |:53822 ->445:| 10.86.50.152 |
+--------------+              +--------------+             +--------------+

+------------+            +--------------+           +-------------+
|   Client   |            |     Proxy    |           |   Server    |
+------------+            +--------------+           +-------------+
10.86.50.153 :50624 -> 445: 10.86.50.153 :53822 ->445: 10.86.50.152


+--------------+ 5      +--------------+ 5      +--------------+
|    Client    | 0 -> 4 |     Proxy    | 3 -> 4 |    Server    |
|              |:6    4:|              |:8    4:|              |
| 10.86.50.153 | 2 <- 5 | 10.86.50.153 | 2 <- 5 | 10.86.50.152 |
+--------------+ 4      +--------------+ 2      +--------------+

     Client                        Proxy                         Server
+--------------+       REQ     +--------------+       REQ      +--------------+
|              |-----+ --> +---|              |-----+ -->  +---|              |
| 10.86.50.153 :50624|     |445: 10.86.50.153 :53822|      |445: 10.86.50.152 |
|              |-----+ <-- +---|              |-----+ <--  +---|              |
+--------------+       RSP     +--------------+       RSP      +--------------+

port 445 and 152<=ip[15:1] and ip[15:1] <=153 and 152<=ip[19:1] and ip[19:1] <=153

Some potentially possibly useful References:

IPv4 - Packet structure
Transmission Control Protocol - TCP segment structure
Wireshark - CaptureFilters - Examples
Chapter 4. Capturing Live Network Data - 4.10. Filtering while capturing > A primitive is simply one of the following: [src|dst] host <host>
> This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

Revision history [back]

How to use a short filter to capture only traffic to or from specified IP addresses

How to use a short filter to capture only traffic to or from specified IP addresses

How to use a short filter to capture only traffic to or from specified IP addresses

How to use a short filter to capture only traffic to or from specified IP addresses

How to use a short filter to capture only traffic to or from specified IP addresses

How to use a short filter to capture only traffic to or from specified IP addresses