Thread: Wireshark capture filters are kicking my ass

  1. #1
    Just burned his ISO GrumpyOldGuy's Avatar
    Join Date
    Jan 2011
    Posts
    13

    Default Wireshark capture filters are kicking my ass

    So this is a typical post from me, senile old sot that I am. No need to go through rehashing my miseries learning Linux and BT, suffice to say that I've been up and (somewhat) operational for a few weeks now.

    But Wireshark capture filters (NOT display filters) are beating me down. I get that they use the tcpdump language, but I can't seem to get anything but the simplest possible filters to work (e.g. capturing for one IP works fine, but more complex expressions I can't get to function).

    The logic of what I am trying to do is simple - I want to capture traffic on a wireless network, but exclude certain devices (my dork roommates playing endless online games, which make the cap files enormous). I want to exclude traffic based on mac address rather than IP, because DHCP (duh) means that even when I filter on IPs, if the roomies turn off their game boxes and then log back on they (sometimes) get a different IP and my capture gets swamped.

    Display filters work fine, but I want to be able to capture for extended periods of time and eventually pick up who else (sneaky bastards) is occasionally using our net. By excluding all of the game traffic by using a not-equal-to mac filter I can capture for long enough to do that. If I could get the damn CAPTURE filter to work on more than one mac address... I can't even find good examples of capture filters on the net, just the most basic stuff that I can already do.

    Help? Pointers? Just some complicated examples would probably be enough for me to figure out how to write my own filter correctly.

    Thanks from a Grumpy Old Guy

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Wireshark capture filters are kicking my ass

    Probably the best source on the web would be here
    http://wiki.wireshark.org/CaptureFilters
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Just burned his ISO
    Join Date
    Feb 2011
    Posts
    13

    Default Re: Wireshark capture filters are kicking my ass

    If you know the MAC of the gamer guy, you can filter his traffic out quite easily.

    Go to Display Filter, click NEW to create a new filter, and name it something like "no gamers here".

    and in second line type

    !eth.addr==00:00:00:00:00:00

    Replace the zeros with the MAC of your friend and you will filter his traffic out.

    Hope this helps.
    best
    D

  4. #4
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    2

    Default Re: Wireshark capture filters are kicking my ass

    Not sure if this actually works, but looking at the syntax on the page Amael posted, I think you are looking for something like:

    !eth.addr==00:00:00:00:00:00 & !eth.addr==00:00:00:00:00:00
    (not this MAC AND not this MAC)

    Hope it helps?

  5. #5
    Just burned their ISO abelwho's Avatar
    Join Date
    Jan 2010
    Location
    USA
    Posts
    12

    Cool Re: Wireshark capture filters are kicking my ass

    Hi,
    You might try a book on Wireshark by Laura Chappell. I plan to buy the book.
    Thanks

  6. #6
    Just burned his ISO GrumpyOldGuy's Avatar
    Join Date
    Jan 2011
    Posts
    13

    Default Re: Wireshark capture filters are kicking my ass

    Quote Originally Posted by PrivateAlpha
    Not sure if this actually works, but looking at the syntax on the page Amael posted, I think you are looking for something like:

    !eth.addr==00:00:00:00:00:00 & !eth.addr==00:00:00:00:00:00
    (not this MAC AND not this MAC)

    Hope it helps?
    Yes - that's the point. I can use display filters fine, but haven't been able to get capture filters other than the most simplistic to work. Whenever I try to add more than one parameter (i.e. the '&' concept in your post) the filter doesn't function. E.g. I can run a capture filter to sniff traffic only on a specific BSSID, or I can exclude a specific host based on MAC, but I can't specify the BSSID and also exclude a specific station MAC using the same filter. Easy to do in display filters, but that's not the same thing.

    I'll post back with some specifics and maybe someone can work out what I'm doing wrong syntactically... because the logic is really simple.

  7. #7
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default Re: Wireshark capture filters are kicking my ass

    Don't use "&" and "!". Use "and" and "not". Look at the examples that are on the page Archangel-Amael posted. Again: http://wiki.wireshark.org/CaptureFilters

    It should be
    Code:
    not ether host 00:00:00:00:00:00 and not ether host 00:00:00:00:00:00

    Laura Chappell's Wireshark University offers some free online sessions. http://www.wiresharktraining.com/

    Get her book. It's a great reference, and well worth the price. http://www.wiresharkbook.com/
    Thorn
    Stop the TSA now! Boycott the airlines.
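    An added example (not code from any poster on this thread) that builds the capture filter the thread is after in libpcap/BPF syntax, one BSSID kept and a list of station MACs excluded, and models what that filter keeps against a few constructed 802.11 frames. All MAC addresses are constructed locally-administered values; `wlan host` is the 802.11 spelling of `ether host` and matches a MAC in any address field, so the `host_match=False` path models the weaker `dst`-only form, which drops only frames sent *to* the station.

```python
import re

# Constructed sample addresses (locally administered, not real devices).
BSSID = "02:00:00:00:aa:01"
GAMERS = ["02:00:00:00:bb:02", "02:00:00:00:bb:03"]
UNKNOWN = "02:00:00:00:cc:09"
OTHER_BSSID = "02:00:00:00:aa:ff"

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_capture_filter(bssid, excluded_macs):
    """Return a BPF capture filter (tcpdump/libpcap syntax, which is what
    Wireshark capture filters use): keep frames of one BSSID, drop frames
    to or from each excluded station. Operators are 'and'/'not', never the
    display-filter forms 'eth.addr', '&&', '!'."""
    for mac in [bssid, *excluded_macs]:
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
    terms = [f"wlan host {bssid.lower()}"]
    terms += [f"not wlan host {mac.lower()}" for mac in excluded_macs]
    return " and ".join(terms)


def frame_passes(frame, bssid, excluded_macs, host_match=True):
    """Model of the filter above. `frame` is a dict with 'src', 'dst' and
    'bssid'. 'wlan host X' is true if X appears in any address field;
    host_match=False models 'wlan dst X', which only checks the destination."""
    addrs = {frame["src"].lower(), frame["dst"].lower(), frame["bssid"].lower()}
    if bssid.lower() not in addrs:
        return False  # frame belongs to another network
    for mac in (m.lower() for m in excluded_macs):
        if host_match and mac in addrs:
            return False  # either direction of the excluded station
        if not host_match and frame["dst"].lower() == mac:
            return False  # only traffic sent to the excluded station
    return True


# Constructed frames: gamer upload, gamer download, unknown station, other network.
FRAMES = [
    {"src": GAMERS[0], "dst": BSSID, "bssid": BSSID},
    {"src": BSSID, "dst": GAMERS[0], "bssid": BSSID},
    {"src": UNKNOWN, "dst": BSSID, "bssid": BSSID},
    {"src": UNKNOWN, "dst": OTHER_BSSID, "bssid": OTHER_BSSID},
]


def kept_frames(frames, bssid, excluded_macs, host_match=True):
    """Frames the modelled filter would write to the capture file."""
    return [f for f in frames if frame_passes(f, bssid, excluded_macs, host_match)]
```

    With `host_match=True` only the unknown station's frame survives; the `dst`-only variant also lets the gamer's uploads through, which is why the exclusion should be on `host`, not `dst`.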

  8. #8
    Just burned his ISO GrumpyOldGuy's Avatar
    Join Date
    Jan 2011
    Posts
    13

    Default Re: Wireshark capture filters are kicking my ass

    Well, I figured it out. I hate it when that happens. I finally crack and post here, then figure it out on my own. Duh.

    Anyway, it's pretty dumb, but I'll 'fess up. Basically, I was going to the "Capture Filters" dialogue box, where you create and manage Capture Filters, and filling one out, then hitting "ok." I thought that then APPLIED the filter.

    Well, it doesn't. It just creates it. To actually apply a capture filter in Wireshark you have to:

    CAPTURE > INTERFACES select OPTIONS next to the one you want to use, then from the options dialogue box, select CAPTURE FILTERS, select the capture filter you want, hit ok, then hit START for the interface you picked (and for which you just designated a filter). Voila, the capture will start and the selected capture filter will actually be applied. Go figure.

    And for what it's worth, once I worked out the correct sequence to apply the filter, using '&&' and '!' as part of the filter actually worked fine. Now if I can just figure out why the version of Wireshark on my BT4r2 installation won't apply WEP keys I'll be golden... but that's another post.

    Thanks to all who weighed in on this!
