If you only wanted to filter http traffic to and from that host, you could do this: not (host 192.168.5.

For example, to keep from capturing http and ssh traffic to/from any host and any packets to or from 192.168.5.22: not host 192.168.5.22 and not port 80 and not port 22

The downside is those packets are not captured if you later want to inspect them and you can't change the filter selected this way during a capture session. It makes the capture take less memory and disk by avoiding capturing packets you're telling it to ignore. While not strictly your question, I prefer to do filtering in the capture filter (double click the interface name in the capture-options dialog), whose syntax is exactly like tcpdump.

tcp.dstport != 80 suffers from a similar problem; having tcp.dstport != 80 turns out to mean "match ONLY tcp traffic, but only tcp that is not dstport == 80".

Whether host 172.16.10.202, which is a capture filter, or ip.addr == 172.16.10.202, which is a display filter, is accepted as a filter depends only on where you specify the filter.

I can successfully filter for two IPs, ip.addr==x.x.x.x && ip.addr==y.y.y.y, but trying to filter the display so that it shows three IPs results in the majority of the capture being displayed.

Here's a complete example to filter http as well: not ip.addr == 192.168.5.22 and not tcp.dstport == 80

For example, when connecting to 192.168.5.254 from 192.168.5.22, ip.addr != 192.168.5.22 doesn't match *.22 IP, it matches *.254 and thus the packet matches the filter expression. It might seem more logical to write it as ip.addr != 192.168.5.22, but while that's a valid expression, it will match the other end of the connection as not being the specific ip and still be true.

You could also write it like so: not (ip.addr == 192.168.5.22)

With the negative match like you have, you need both conditions to be true to filter off your IP, thus and instead of or.
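The difference between ip.addr != 192.168.5.22 and not ip.addr == 192.168.5.22 described above can be modelled in a few lines. This is an added example, not part of the original posts: the Packet type, the helper names and the sample packets are constructed for illustration, and the "any instance" rule is the behaviour the text describes.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    dstport: int

def ip_addr_values(pkt):
    # ip.addr is multi-valued: it stands for both the source and the
    # destination address of the same packet.
    return (pkt.src, pkt.dst)

def ip_addr_ne(pkt, addr):
    # "ip.addr != addr": true if ANY ip.addr instance differs from addr,
    # so the other end of the conversation is enough to make it match.
    return any(v != addr for v in ip_addr_values(pkt))

def not_ip_addr_eq(pkt, addr):
    # "not ip.addr == addr": true only if NO ip.addr instance equals addr.
    return not any(v == addr for v in ip_addr_values(pkt))

def display(packets, predicate):
    return [p for p in packets if predicate(p)]

# Constructed sample traffic (not taken from a real capture).
HOST = "192.168.5.22"
SAMPLE = [
    Packet("192.168.5.22", "192.168.5.254", 80),     # from the host
    Packet("192.168.5.254", "192.168.5.22", 51000),  # reply to the host
    Packet("192.168.5.30", "192.168.5.254", 22),     # unrelated ssh
    Packet("192.168.5.30", "192.168.5.254", 80),     # unrelated http
]

def leaky():
    # ip.addr != 192.168.5.22
    return display(SAMPLE, lambda p: ip_addr_ne(p, HOST))

def correct():
    # not ip.addr == 192.168.5.22
    return display(SAMPLE, lambda p: not_ip_addr_eq(p, HOST))

def combined():
    # not ip.addr == 192.168.5.22 and not tcp.dstport == 80
    return display(SAMPLE, lambda p: not_ip_addr_eq(p, HOST) and p.dstport != 80)

if __name__ == "__main__":
    for name, fn in (("leaky", leaky), ("correct", correct), ("combined", combined)):
        print(name, [(p.src, p.dst, p.dstport) for p in fn()])
```

The leaky form still shows both packets involving 192.168.5.22 because the .254 end satisfies the comparison; the negated-equality form hides them.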