Reputation: 1656
Wireshark filter for filtering both destination-source IP address and the protocol
I want to filter Wireshark's monitoring results according to a filter combination of source, destination ip addresses and also the protocol. So, right now I'm able to filter out the activity for a destination and source ip address using this filter expression: (ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) || (ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx)
This gives me request response activity of the 2 ip addresses which are destination and source both depending upon whether it is a request or a response. But now, I am getting results for HTTP and TCP both. I want to see results only for HTTP.
Any suggestions how to do that?
Upvotes: 19
Views: 81303
Answers (2)
Reputation: 51
I like (ip.addr==XXX.XXX.XXX.XXX && http) for a single host. You could also do (ip.addr==XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX && http) for two hosts.
Upvotes: 5
Reputation: 1084
(ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) || (ip.dst == xxx.xxx.xxx.xxx && ip.src == xxx.xxx.xxx.xxx) && http
Upvotes: 42
Related Questions
- How to filter by IP address in Wireshark?
- Multiple protocol filtering on Wireshark
- Why can't I filter http in Wireshark?
- Wireshark not capturing any packets when I apply 'tcp port http' filter
- Wireshark – HTTP filter not working on macOS
- Wireshark display filter where source address in not an ip-address
- How to filter TCP option with wireshark?
- how to capture HTTP packets in wireshark
- Wireshark saving filter result
- Wireshark Display Filter for Unique Source/Destination IP and Protocol