So this is a typical post from me, senile old sot that I am. No need to go through rehashing my miseries learning Linux and BT, suffice to say that I've been up and (somewhat) operational for a few weeks now.
But Wireshark capture filters (NOT display filters) are beating me down. I get that they use the tcpdump language, but I can't seem to get anything but the simplest possible filters to work (e.g. capturing for one IP works fine, but more complex expressions I can't get to function).
The logic of what I am trying to do is simple - I want to capture traffic on a wireless network, but exclude certain devices (my dork roommates playing endless online games, which make the cap files enormous). I want to exclude traffic based on mac address rather than IP, because DHCP (duh) means that even when I filter on IPs, if the roomies turn off their game boxes and then log back on they (sometimes) get a different IP and my capture gets swamped.
Display filters work fine, but I want to be able to capture for extended periods of time and eventually pick up who else (sneaky bastards) is occasionally using our net. By excluding all of the game traffic by using a not-equal-to mac filter I can capture for long enough to do that. If I could get the damn CAPTURE filter to work on more than one mac address... I can't even find good examples of capture filters on the net, just the most basic stuff that I can already do.
Help? Pointers? Just some complicated examples would probably be enough for me to figure out how to write my own filter correctly.
Thanks from a Grumpy Old Guy
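An added example (not from this thread or any poster) of what the original question is after: a capture filter, in libpcap/tcpdump syntax, that keeps one BSSID's traffic and excludes several station MACs. It assumes a monitor-mode 802.11 interface (the name `wlan0mon` is a placeholder), where the `wlan host` qualifier matches a MAC in any of the 802.11 address fields; on a managed or wired interface the link type is Ethernet and `ether host` is the equivalent. The BSSID and MAC values are constructed placeholders, and `build_capture_filter` is a helper written for this example.

```shell
#!/bin/sh
# Added example: build a libpcap capture filter that keeps one BSSID and
# excludes a list of station MACs. Assumes a monitor-mode 802.11 interface.
# "wlan host X" matches X in any 802.11 address field (sender, receiver or
# BSSID), so excluding a station removes traffic in both directions.

# Usage: build_capture_filter BSSID MAC1 [MAC2 ...]
# BSSID may be empty ("") to exclude MACs without restricting to one network.
build_capture_filter() {
    bssid=$1
    shift
    filter=""
    if [ -n "$bssid" ]; then
        filter="wlan host $bssid"
    fi
    for mac in "$@"; do
        # Validate xx:xx:xx:xx:xx:xx so a typo fails loudly instead of producing
        # a filter that silently matches nothing.
        if ! printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "bad MAC: $mac" >&2
            return 1
        fi
        if [ -n "$filter" ]; then
            filter="$filter and not wlan host $mac"
        else
            filter="not wlan host $mac"
        fi
    done
    printf '%s\n' "$filter"
}

# Constructed placeholder addresses (locally administered, not real devices).
BSSID=02:00:00:00:aa:01
GAMER1=02:00:00:00:bb:01
GAMER2=02:00:00:00:bb:02

FILTER=$(build_capture_filter "$BSSID" "$GAMER1" "$GAMER2")
echo "$FILTER"
# Check that the expression compiles for the interface's link type without
# capturing anything (tcpdump -d prints the compiled BPF program):
#   tcpdump -i wlan0mon -d "$FILTER"
# Capture with the filter applied from the command line instead of the GUI:
#   dumpcap -i wlan0mon -f "$FILTER" -w /tmp/no_gamers.pcap
```

The `tcpdump -d` check is the quickest way to find out whether a filter is rejected by the parser or simply not being applied: a syntax problem fails there immediately, while a filter that compiles but is never attached to the interface is a workflow problem in the GUI.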
Probably the best source on the web would be here
http://wiki.wireshark.org/CaptureFilters
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
if you know the MAC of gamer guy you can filter his traffic out quite easily
go to Display filter, click NEW to create a new filter, name it something like no gamers here
and in the second line type
!eth.addr==00:00:00:00:00:00
replace the zeros with the MAC of your friend and you will filter his traffic out.
hope this helps
best
D
Not sure if this actually works, but looking at the syntax in the page Amael posted, I think you are looking for something like:
!eth.addr==00:00:00:00:00:00 && !eth.addr==00:00:00:00:00:00
(not this MAC AND not this MAC)
Hope it helps?
Hi,
You might try a book on Wireshark by Laura Chappell. I plan to buy the book.
Thanks
Yes - that's the point. I can use display filters fine, but haven't been able to get capture filters other than the most simplistic to work. Whenever I try to add more than one parameter (i.e. the '&' concept in your post) the filter doesn't function. E.G. I can run a capture filter to sniff traffic only on a specific BSSID, or I can exclude a specific host based on MAC, but I can't specify the BSSID and also exclude a specific station MAC using the same filter. Easy to do in display filters, but that's not the same thing.
I'll post back with some specifics and maybe someone can work out what I'm doing wrong syntactically... because the logic is really simple.
Don't use "&" and "!". Use "and" and "not". Look at the examples that are on the page Archangel-Amael posted. Again: http://wiki.wireshark.org/CaptureFilters
It should be
not ether dst 00:00:00:00:00:00 and not ether dst 00:00:00:00:00:00
Laura Chappell's Wireshark University offers some free online sessions. http://www.wiresharktraining.com/
Get her book. It's a great reference, and well worth the price. http://www.wiresharkbook.com/
Thorn
Stop the TSA now! Boycott the airlines.
Well, I figured it out. I hate it when that happens. I finally crack and post here, then figure it out on my own. Duh.
Anyway, it's pretty dumb, but I'll 'fess up. Basically, I was going to the "Capture Filters" dialogue box, where you create and manage Capture Filters, and filling one out, then hitting "ok." I thought that then APPLIED the filter.
Well, it doesn't. It just creates it. To actually apply a capture filter in Wireshark you have to:
CAPTURE > INTERFACES select OPTIONS next to the one you want to use, then from the options dialogue box, select CAPTURE FILTERS, select the capture filter you want, hit ok, then hit START for the interface you picked (and for which you just designated a filter). Voila, the capture will start and the selected capture filter will actually be applied. Go figure.
And for what it's worth, once I worked out the correct sequence to apply the filter, using '&&' and '!' as part of the filter actually worked fine. Now if I can just figure out why the version of Wireshark on my BT4r2 installation won't apply WEP keys I'll be golden... but that's another post.
Thanks to all who weighed in on this!