Wireshark filtering for ip-port pair(Display filter)

wireshark
Savage Reader picture Savage Reader · May 29, 2013 · Viewed 32.8k times · Source

I'd like to know how to make a display filter for ip-port in wireshark.

So, for example I want to filter ip-port 10.0.0.1:80, so it will find all the communication to and from 10.0.0.1:80, but not communication from 10.0.0.1:235 to some ip on port 80.

Answer

user862787 picture user862787 · May 30, 2013

I want to filter out ip-port pair for any protocol that suports ports. Either tcp or udp. That ip-por pair can contact any other ip on any port.

(ip.src == XXX.XXX.XXX.XXX && (tcp.srcport == YYY || udp.srcport == YYY)) || (ip.dst == XXX.XXX.XXX.XXX && (tcp.dstport == YYY || udp.dstport == YYY) will match:

  • all packets coming from IPv4 address XXX.XXX.XXX.XXX and TCP or UDP port YYY;
  • all packets going to IPv4 address XXX.XXX.XXX.XXX and TCP or UDP port YYY;

which sounds as if it's what you want. (If it's not what you want, you'll have to be even more specific and precise about what you want.)

Related questions

How to filter by IP address in Wireshark?

I tried dst==192.168.1.101 but only get : Neither "dst" nor "192.168.1.101" are field or protocol names. The following display filter isn't a valid display filter: dst==192.168.1.101

Read More
Capturing mobile phone traffic on Wireshark

How can I capture mobile phone traffic on Wireshark?

Read More
Wireshark localhost traffic capture

I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?

Read More