Display Filter by advertising Router-ID:
This display filter will get you as close as I can come up with...
ospf.msg.dbdesc == 1 and ospf contains <adv-router-id-as-hex>
For instance, if your advertising router is 1.1.1.1...
ospf.msg.dbdesc == 1 and ospf contains 01.01.01.01
However, the problem is that contains 01.01.01.01 matches any string contents with 01.01.01.01, so both 01.01.01.01 and 01.01.01.01.ff could match... Furthermore, it's possible that some other packet in the DBD also contains a reference to that router-id.
Display Filter by advertising Link-State ID:
This is a little easier, because there is a better chance to find a unique string, as long as you know the type of LSA you're looking for. The OSPF RFC requires the packet to get sent with <lsa-type-4bits>.<link-id-4bytes>, so the display filter is:
ospf.msg.dbdesc == 1 and ospf contains <lsa-type>.<link-id>
For example, the display filter to find a Network Summary LSA (LSA Type 3) with the ID of 10.4.27.0 (hex 0a.04.1b.00):
ospf.msg.dbdesc == 1 and ospf contains 03.0a.04.1b.00
Another example, the display filter to find an External LSA (LSA Type 5) with the ID of 10.4.27.0 (hex 0a.04.1b.00):
ospf.msg.dbdesc == 1 and ospf contains 05.0a.04.1b.00
FYI, these are the numbers corresponding to the LSA types
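The false-positive problem with "contains" described above can be avoided by decoding the LSA headers and comparing whole fields. The following is an added example, not code from the answer: it assumes the OSPFv2 layouts in RFC 2328 (A.3.1, A.3.3, A.4.1), takes the OSPF payload with the IP header already stripped, and uses a constructed sample packet and hypothetical function names.

```python
import socket
import struct

OSPF_HDR_LEN = 24   # RFC 2328 A.3.1: common OSPF packet header
DBD_FIXED_LEN = 8   # RFC 2328 A.3.3: MTU, options, flags, DD sequence number
LSA_HDR_LEN = 20    # RFC 2328 A.4.1: LSA header

def lsa_headers(ospf: bytes):
    """Yield (ls_type, link_state_id, adv_router) per LSA header in a DBD packet."""
    if len(ospf) < OSPF_HDR_LEN:
        return
    version, msg_type, pkt_len = struct.unpack_from("!BBH", ospf, 0)
    if version != 2 or msg_type != 2:        # message type 2 = Database Description
        return
    end = min(pkt_len, len(ospf))            # never read past the captured bytes
    off = OSPF_HDR_LEN + DBD_FIXED_LEN
    while off + LSA_HDR_LEN <= end:
        _age, _opts, ls_type, ls_id, adv = struct.unpack_from("!HBB4s4s", ospf, off)
        yield ls_type, socket.inet_ntoa(ls_id), socket.inet_ntoa(adv)
        off += LSA_HDR_LEN

def dbd_matches(ospf, adv_router=None, ls_type=None, link_id=None):
    """Field-aligned match: all given criteria must hold in the same LSA header."""
    return any(
        (adv_router is None or adv == adv_router)
        and (ls_type is None or t == ls_type)
        and (link_id is None or lid == link_id)
        for t, lid, adv in lsa_headers(ospf)
    )

def build_dbd(lsas):
    """Build a constructed sample DBD packet (checksums left at zero)."""
    body = struct.pack("!HBBI", 1500, 0x02, 0x00, 1)
    for t, lid, adv in lsas:
        body += struct.pack("!HBB4s4sIHH", 1, 0x02, t, socket.inet_aton(lid),
                            socket.inet_aton(adv), 0x80000001, 0, LSA_HDR_LEN)
    hdr = struct.pack("!BBH4s4sHH8s", 2, 2, OSPF_HDR_LEN + len(body),
                      socket.inet_aton("2.2.2.2"), socket.inet_aton("0.0.0.0"),
                      0, 0, b"\x00" * 8)
    return hdr + body

# Constructed data: link-state ID 10.1.1.1 followed by advertising router 1.2.2.2
# places the bytes 01 01 01 01 across a field boundary, so a raw search hits.
SAMPLE = build_dbd([(3, "10.1.1.1", "1.2.2.2"), (5, "10.4.27.0", "3.3.3.3")])

if __name__ == "__main__":
    print("raw contains 01.01.01.01:", bytes([1, 1, 1, 1]) in SAMPLE)
    print("adv-router == 1.1.1.1   :", dbd_matches(SAMPLE, adv_router="1.1.1.1"))
    print("type 5, id 10.4.27.0    :", dbd_matches(SAMPLE, ls_type=5, link_id="10.4.27.0"))
```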
The use of the NOT (!=) operator in Wireshark comes with a caveat, as mentioned in the documentation:
6.4.4. A common mistake
Warning! Using the != operator on combined expressions like: eth.addr,
ip.addr, tcp.port, udp.port and alike will probably not work as
expected!
Often people use a filter string to display something like ip.addr ==
1.2.3.4 which will display all packets containing the IP address 1.2.3.4.
Then they use ip.addr != 1.2.3.4 to see all packets not containing the
IP address 1.2.3.4 in it. Unfortunately, this does not do the
expected.
Instead, that expression will even be true for packets where either
source or destination IP address equals 1.2.3.4. The reason for this,
is that the expression ip.addr != 1.2.3.4 must be read as "the packet
contains a field named ip.addr with a value different from 1.2.3.4".
As an IP datagram contains both a source and a destination address,
the expression will evaluate to true whenever at least one of the two
addresses differs from 1.2.3.4.
If you want to filter out all packets containing IP datagrams to or
from IP address 1.2.3.4, then the correct filter is !(ip.addr ==
1.2.3.4) as it reads "show me all the packets for which it is not true that a field named ip.addr exists with a value of 1.2.3.4", or in
other words, "filter out all packets for which there are no
occurrences of a field named ip.addr with the value 1.2.3.4".
It might be that, for your specific filter at hand, the current capture is displaying the same results, but it might give you a different result with a different capture.
"http.host" means any packet which has HTTP hosts.
"http.host != "" " means any packet whose http.host isn't empty.
How will the second one react if you do not have http.host at all (i.e., non-HTTP traffic)? You might want to check that.
Best Answer
According to: https://msdn.microsoft.com/en-us/library/windows/desktop/dd815243%28v=vs.85%29.aspx
Wireless Hosted Networking creates virtual wireless adapters, including a SoftAP adapter.
If that adapter shows up in the list of interfaces Wireshark can capture on, choosing the SoftAP adapter instead of the adapter your computer uses for its Internet connection should narrow down what packets you see and let you see the iPhone's Wi-Fi IP and MAC addresses, which will both be different from your computer's addresses. If you've been capturing on the hosting computer's Internet-facing interface, you're probably seeing the iPhone's traffic after it gets NATed to the same IP and MAC addresses as your computer.
Once you switch which interface you're capturing on, you can filter by the MAC address of your iPhone:
https://ask.wireshark.org/questions/14368/capture-filter-mac
You can find an iPhone's Wi-Fi MAC address in:
Settings: General: About
under "Wi-Fi Address"
You can also filter on the IP address of the iPhone. If you can't figure that address out with a short capture on the AP interface, you can find it by tapping the blue-circled "i" next to the SSID (network name) of your hosted Wi-Fi in Settings: Wi-Fi.