Wireshark filtering for ip-port pair(Display filter)

Question

I'd like to know how to make a display filter for ip-port in wireshark.

So, for example I want to filter ip-port 10.0.0.1:80, so it will find all the communication to and from 10.0.0.1:80, but not communication from 10.0.0.1:235 to some ip on port 80.

Answer 1

I want to filter out ip-port pair for any protocol that suports ports. Either tcp or udp. That ip-por pair can contact any other ip on any port.

(ip.src == XXX.XXX.XXX.XXX && (tcp.srcport == YYY || udp.srcport == YYY)) || (ip.dst == XXX.XXX.XXX.XXX && (tcp.dstport == YYY || udp.dstport == YYY) will match:

• all packets coming from IPv4 address XXX.XXX.XXX.XXX and TCP or UDP port YYY;
• all packets going to IPv4 address XXX.XXX.XXX.XXX and TCP or UDP port YYY;

which sounds as if it's what you want. (If it's not what you want, you'll have to be even more specific and precise about what you want.)

Answer 2

The IP protocol doesn't define something like a port. Two protocols on top of IP have ports TCP and UDP.

If you want to display only packets of a TCP connection sent from port 80 of one side and to port 80 of the other side you can use this display filter:

tcp.srcport==80 && tcp.dstport==80

Similar you can define a filter for a UDP communication. You can narrow the filter with addtional conditions like

ip.srcaddr==1.2.3.4

or

ip.addr==55.66.77.88

You can even use the C style operators && and || as well as parentheses to build complex filters.

(ip.addr==128.100.1.1 && tcp.port==80) || (ip.addr==10.1.2.1 && udp.port==68)

What you actually want to filter is your decision.

Answer 3

Try this filter:

(ip.src==10.0.0.1 and tcp.srcport==80) or (ip.dst==10.0.0.1 and tcp.dstport==80)

Since you've got two ports and two IPs in tcp/ip packets you need to specify exactly what source and destination sockets you want.