Filtering using Wireshark

Wireshark: great tool. I've installed it countless times, looked at the data, got confused and walked away from it again.

Today I actually had a real reason to learn how to filter, because of a big work project. So: once you have a capture, in my case I needed to see all the comms in it related to the MAC address 08:00:0f:12:c5:74.

In the filter field, enter the following to show only the parts of the capture related to that MAC:

eth.addr eq 08:00:0f:12:c5:74
or
eth.addr==08:00:0f:12:c5:74

For an IP address, use the following:

ip.addr eq 10.99.60.4
or
ip.addr==10.99.60.4
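The thing the two filters above have in common, and the thing that trips people up, is that eth.addr and ip.addr are not single fields: each stands for "source or destination". The following Python example is added here (it is not from the original post and has nothing to do with Wireshark's own code) to make that behaviour concrete. It builds four constructed frames (the MAC and IP values from this post plus made-up neighbours), parses just enough Ethernet and IPv4 to recover eth.src/eth.dst and ip.src/ip.dst, and then evaluates the filters the way Wireshark does. It also shows the classic gotcha: in Wireshark releases before 4.0, ip.addr != 10.99.60.4 meant "either address differs", so it did not hide traffic involving that host; the form that works in every version is !(ip.addr == 10.99.60.4).

```python
import ipaddress
import struct

# Values taken from the post; everything else below is constructed for the example.
TARGET_MAC = "08:00:0f:12:c5:74"
TARGET_IP = "10.99.60.4"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Ethernet II header followed by a minimal 20-byte IPv4 header (checksum left zero)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_arp_frame(dst_mac, src_mac):
    """Ethernet II header with the ARP ethertype and a dummy body: no IP layer at all."""
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0806) + bytes(28)


# Constructed capture: index 0 and 1 involve the target MAC and IP in each direction,
# index 2 is unrelated traffic, index 3 is an ARP frame sent by the target MAC.
SAMPLE_FRAMES = [
    build_ipv4_frame(TARGET_MAC, "aa:bb:cc:00:00:01", TARGET_IP, "10.99.60.9"),
    build_ipv4_frame("aa:bb:cc:00:00:01", TARGET_MAC, "10.99.60.9", TARGET_IP),
    build_ipv4_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03", "192.0.2.1", "192.0.2.2"),
    build_arp_frame("ff:ff:ff:ff:ff:ff", TARGET_MAC),
]


def parse_fields(frame):
    """Recover the fields the filters refer to: eth.src/eth.dst always, ip.src/ip.dst if IPv4."""
    fields = {
        "eth.dst": frame[0:6].hex(":"),
        "eth.src": frame[6:12].hex(":"),
    }
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:
        # IPv4 source and destination sit at offsets 12 and 16 of the IP header (14 + 12, 14 + 16).
        fields["ip.src"] = str(ipaddress.IPv4Address(frame[26:30]))
        fields["ip.dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    return fields


def eth_addr_eq(fields, mac):
    # eth.addr == mac : true if EITHER eth.src or eth.dst equals mac.
    return mac.lower() in (fields["eth.src"], fields["eth.dst"])


def ip_addr_eq(fields, ip):
    # ip.addr == ip : true if either ip.src or ip.dst equals ip; false when there is no IP layer.
    return ip in (fields.get("ip.src"), fields.get("ip.dst"))


def ip_addr_ne_legacy(fields, ip):
    # ip.addr != ip as evaluated by Wireshark before 4.0: true if ANY of the two values differs,
    # so a frame with one address == ip still passes. Frames without ip.* fields never match.
    values = [v for v in (fields.get("ip.src"), fields.get("ip.dst")) if v is not None]
    return any(v != ip for v in values)


def not_ip_addr_eq(fields, ip):
    # !(ip.addr == ip) : the expression that really hides all traffic involving ip.
    return not ip_addr_eq(fields, ip)


def apply_filter(frames, predicate, value):
    """Return the indices of the frames a display-filter predicate keeps."""
    return [i for i, frame in enumerate(frames) if predicate(parse_fields(frame), value)]


if __name__ == "__main__":
    print("eth.addr == MAC      ->", apply_filter(SAMPLE_FRAMES, eth_addr_eq, TARGET_MAC))
    print("ip.addr == IP        ->", apply_filter(SAMPLE_FRAMES, ip_addr_eq, TARGET_IP))
    print("ip.addr != IP (<4.0) ->", apply_filter(SAMPLE_FRAMES, ip_addr_ne_legacy, TARGET_IP))
    print("!(ip.addr == IP)     ->", apply_filter(SAMPLE_FRAMES, not_ip_addr_eq, TARGET_IP))
```

Running it shows that eth.addr == 08:00:0f:12:c5:74 keeps frames 0, 1 and 3 (the ARP frame has the MAC as its source but carries no ip.* fields), ip.addr == 10.99.60.4 keeps frames 0 and 1, and the two "not equal" forms disagree: the legacy != keeps frames 0, 1 and 2, while !(ip.addr == 10.99.60.4) keeps only 2 and 3. When you want to drop a noisy host from a capture, that second form is the one to type.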

The Expression button to the right of the filter field also lists every field and operator you could want. It's bloody confusing the first time you look at it, but keeping it simple, let's imagine you want to filter on the IP address 10.99.60.4 again. Hit the Expression button, scroll down to the Field Name IP – Internet Protocol, then scroll down again within it (alphabetical order would be useful at this point, Mr Wireshark Developers!) until you find ip.addr. Click that field name, choose the Relation '==', enter 10.99.60.4 into the Value field and hit OK. Wireshark now displays only the packets in the capture that involve that address.

Hope this helps
