Wireshark commands

Some Wireshark filter fields match against multiple protocol fields. For example, “ip.addr” matches against both the IP source and destination addresses in the IP header. The same is true for “tcp.port”, “udp.port”, “eth.addr”, and others. It’s important to note that

  •  ip.addr == 10.43.54.65

    is equivalent to

     ip.src == 10.43.54.65 or ip.dst == 10.43.54.65

This can be counterintuitive in some cases. Suppose we want to filter out any traffic to or from 10.43.54.65. We might try the following:

  •  ip.addr != 10.43.54.65

    which is equivalent to

     ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

This translates to “pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65″, which isn’t what we wanted.

Instead we need to negate the expression, like so:

  •  ! ( ip.addr == 10.43.54.65 )

    which is equivalent to

     ! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.