Filtering using Wireshark

Wireshark: great tool. Installed it countless times, looked at the data, got confused, and went away from it again.

Today I actually had a real reason to need to know how to filter, because of a big work project. So, with a capture in hand, I needed to see all communications in that capture related to the MAC address 08:00:0f:12:c5:74.

In the display filter field, enter one of the following to show only the packets in the capture that have that MAC as either source or destination:

eth.addr eq 08:00:0f:12:c5:74
or
eth.addr==08:00:0f:12:c5:74

For an IP address, use the following (again matching either source or destination):

ip.addr eq 10.99.60.4
or
ip.addr==10.99.60.4

The Expression button to the right of the filter field also contains every field and operator you could want to use. Bloody confusing the first time you look at it, but keeping it simple, let's imagine you want to filter on the IP address 10.99.60.4 again. Hit the Expression button, scroll down to the Field Name "IP – Internet Protocol", scroll down again (alphabetical ordering would be useful at this point, Mr Wireshark Developers!) and you'll find ip.addr. Click on that field name, choose the Relation '==', and enter the IP address 10.99.60.4 into the Value field. Hit OK and the filter field is populated for you, and only the packets to or from 10.99.60.4 are displayed.
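To make clear why eth.addr and ip.addr catch traffic in both directions, here is an added example (not from the original post) that builds a few constructed Ethernet II + IPv4 frames with the post's MAC and IP, parses the headers, and evaluates the filters the way Wireshark does: eth.addr / ip.addr match when either the source or the destination equals the value, while eth.src / ip.dst match one direction only. Frame contents and the helper names are my own.

```python
import struct

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ipv4_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet II header (dst, src, EtherType 0x0800) + minimal 20-byte IPv4 header."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto (TCP), checksum (0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipv4_bytes(src_ip), ipv4_bytes(dst_ip))
    return eth + ip

def parse_frame(frame: bytes) -> dict:
    """Extract the Wireshark-style field names this example filters on."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":")}
    if ethertype == 0x0800:  # IPv4: source/destination addresses sit at offsets 12..20 of the IP header
        src_ip, dst_ip = struct.unpack("!4s4s", frame[14 + 12:14 + 20])
        fields["ip.src"] = ".".join(map(str, src_ip))
        fields["ip.dst"] = ".".join(map(str, dst_ip))
    return fields

def matches(fields: dict, name: str, value: str) -> bool:
    """Evaluate 'name == value'. eth.addr / ip.addr are true if EITHER side equals value."""
    if name in ("eth.addr", "ip.addr"):
        proto = name.split(".")[0]
        return fields.get(proto + ".src") == value or fields.get(proto + ".dst") == value
    return fields.get(name) == value

def apply_filter(frames: list, name: str, value: str) -> list:
    """Return the indices of frames that satisfy the display filter 'name == value'."""
    return [i for i, frame in enumerate(frames) if matches(parse_frame(frame), name, value)]

# Constructed sample capture: frame 0 goes TO the MAC, frame 1 comes FROM it, frame 2 is unrelated.
FRAMES = [
    build_frame("08:00:0f:12:c5:74", "aa:bb:cc:dd:ee:01", "10.99.60.4", "10.99.60.9"),
    build_frame("aa:bb:cc:dd:ee:01", "08:00:0f:12:c5:74", "10.99.60.9", "10.99.60.4"),
    build_frame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03", "192.0.2.1", "192.0.2.2"),
]

if __name__ == "__main__":
    print("eth.addr == 08:00:0f:12:c5:74 ->", apply_filter(FRAMES, "eth.addr", "08:00:0f:12:c5:74"))
    print("eth.src  == 08:00:0f:12:c5:74 ->", apply_filter(FRAMES, "eth.src", "08:00:0f:12:c5:74"))
    print("ip.addr  == 10.99.60.4        ->", apply_filter(FRAMES, "ip.addr", "10.99.60.4"))
```

The same distinction applies when you later narrow a filter: ip.src or ip.dst when you only care about one direction, ip.addr when you want the whole conversation.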

Hope this helps.