Wireshark – How to Filter a Capture by Source and Destination IPv4 Address

packet-analysis, wireshark

I have a bunch of wireshark captures I need to mine data from. Tshark seems to fit the bill but this doesn't support filtering (-f) by the look of it, I simply get:

[error screenshot not reproduced]

Using:

tshark -x -r Run18.pcapng -f dst 10.53.30.41

Is there a way round this or is there some other tool that could do it – ideally producing the same sort of output (bytes and text)?

Best Answer

Tshark is actually extremely powerful for filtering, and has two kinds: capture filters with -f and display filters with -Y.

Tshark documentation says:

Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port == 80). The former are much more limited and are used to reduce the size of a raw packet capture. The latter are used to hide some packets from the packet list.

See

Your pcap files already have been captured, which means that you don't use a capture filter on them, you use a display filter.

$ tshark -r TCPD -Y 'ip.dst == 172.30.20.8'
    1   0.000000 172.30.20.122 → 172.30.20.8  ICMP 98 Echo (ping) request  id=0x4292, seq=1/256, ttl=64

Note the quotes to protect the filter from the shell.
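To make the capture-filter versus display-filter distinction concrete, here is an added example (not part of the answer and not tshark's own code) that does by hand what `tshark -r file -Y 'ip.dst == 172.30.20.8'` does: it reads an already-captured file, keeps only frames whose IPv4 destination matches, and prints a `-x` style hex/ASCII dump. It assumes a classic little-endian libpcap file with Ethernet framing (the question's `Run18.pcapng` is pcapng, which tshark handles but this toy parser does not), uses only the Python standard library, and constructs its sample capture in memory; the MAC addresses, ICMP checksum and payloads are made-up sample values.

```python
"""Offline stand-in for `tshark -r file.pcap -Y 'ip.dst == A.B.C.D'` (added example).

Parses a classic libpcap file (little-endian, Ethernet link type), keeps only
frames whose IPv4 destination matches, and renders a tshark -x style dump.
The pcap bytes are constructed below; nothing is read from disk.
"""
import struct
import ipaddress

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header with a valid header checksum (sample data)."""
    total = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x4292, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~(csum + (csum >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ethernet_frame(src_ip, dst_ip, proto, payload):
    """Ethernet II frame with made-up MAC addresses carrying an IPv4 packet."""
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(src_ip, dst_ip, proto, len(payload)) + payload


def build_pcap(frames):
    """Serialise frames into a libpcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcaps are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def ipv4_dst(frame):
    """IPv4 destination address of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return str(ipaddress.IPv4Address(frame[30:34]))


def filter_by_dst(pcap_bytes, dst):
    """The display-filter step (ip.dst == dst) applied to an already-captured file."""
    return [(ts, f) for ts, f in read_pcap(pcap_bytes) if ipv4_dst(f) == dst]


def hexdump(frame):
    """tshark -x style rendering: offset, 16 hex bytes per line, printable ASCII."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<47}  {text}")
    return "\n".join(lines)


# Constructed sample capture: an echo request to .8, its reply, and an unrelated TCP segment.
SAMPLE_PCAP = build_pcap([
    ethernet_frame("172.30.20.122", "172.30.20.8", 1, bytes.fromhex("0800f7ff00010001") + b"ping!"),
    ethernet_frame("172.30.20.8", "172.30.20.122", 1, bytes.fromhex("0000ffff00010001") + b"ping!"),
    ethernet_frame("172.30.20.122", "10.53.30.41", 6, bytes(20) + b"GET / HTTP/1.1"),
])

if __name__ == "__main__":
    for ts, frame in filter_by_dst(SAMPLE_PCAP, "172.30.20.8"):
        print(f"{ts:.6f}  ip.dst={ipv4_dst(frame)}  len={len(frame)}")
        print(hexdump(frame))
```

The point the answer makes shows up in the structure: `read_pcap` has nothing to do with capturing, so a BPF capture filter such as `dst host 172.30.20.8` has no place here; the selection happens in `filter_by_dst`, after every frame has already been stored, which is exactly the display-filter (`-Y`) stage. For real files, keep using tshark; this only illustrates what it is doing.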
