As said in his answer, and as I explain in detail in my Wireshark tutorial for beginners, there is a difference between display filters and capture filters.

**Capture filters**

On a very crowded network, capturing every packet could produce gigabytes of data in just a few seconds, and most probably a lot of it is not interesting to you at all. This is where capture filters come in handy. By defining a capture filter you can tell Wireshark to capture only a subset of the network traffic. You can filter by IP address, IP address range, port number, protocol and so on. Please note that when you use a capture filter, the packets that do not match are not saved to the capture file. If your network is not very crowded, it's usually a better idea to capture and save everything and then use display filters to analyse only the subset that is interesting. Here's the documentation for capture filter syntax.

**Display filters** is another story

Display filters are different from capture filters. They limit only what you see at the moment in the Wireshark interface (or in tshark's console output), are much more advanced, and use a different syntax. You can use most of the packet fields recognised by the dissectors with various operators: comparing strings, checking values and so on. What you type in the Wireshark GUI toolbar is the display filter. I highly recommend playing around with the "Expressions" window next to it; it's one of the most important and most often used Wireshark features.

The reason you can't use "not ssh" as a capture filter is that capture filters work at a lower level than display filters. Wireshark does not yet "know" what protocol each packet carries when it performs capture filtering; that is higher-level analysis performed by the dissectors. To exclude SSH traffic at the capture level you have to filter on port 22 instead, i.e. with the "not port 22" capture filter.

Another thing: you used !ssh, but the exclamation mark has a special meaning in some popular Unix shells (like bash) and is interpreted by the shell before it is passed to the application you are about to execute. You should escape it like this: \!ssh, or simply use the not logical operator, which is supported by both capture and display filters. You can use both capture filters and display filters with tshark, but they are different command line switches:

Capture filter example: tshark -f "not port 22"
Display filter example: tshark -R "not ssh"

**Tips and tricks**

The filter tcp.port == 80 and ip.addr == 17.253.17.210 is going to find everything on TCP port 80 going to the IP 17.253.17.210. When filtering for web traffic, be sure to check out the article Using Chrome Devtools with Wireshark, as it will make it really easy to know which port the computer is using to communicate.
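The capture-filter versus display-filter distinction described above, as an added example that is not part of the original post: a small Python model in which "not port 22" only ever sees transport-layer port numbers, while "not ssh" runs after a (deliberately tiny, stand-in) dissector has looked at the payload. The Packet class, the sample traffic, the addresses and the dissect_protocol helper are all constructed here for illustration; nothing is read from a real capture and none of it is Wireshark's own code.

```python
# Added example (not from the original post): a toy model of why the capture
# filter "not port 22" and the display filter "not ssh" select different packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Constructed sample traffic: addresses, ports and payloads are made up.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 51000, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),          # SSH on its usual port
    Packet("10.0.0.5", "10.0.0.9", 51001, 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),        # SSH on a non-standard port
    Packet("10.0.0.5", "10.0.0.9", 51002, 22, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # HTTP served on port 22
    Packet("10.0.0.5", "10.0.0.9", 51003, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # plain HTTP
    Packet("10.0.0.9", "10.0.0.5", 22, 51000, b"SSH-2.0-OpenSSH_9.6\r\n"),           # SSH, reply direction
]


def capture_filter_not_port_22(packets):
    """BPF-style capture filter: only header fields are visible at this stage,
    so 'not port 22' keeps a packet only if neither port is 22."""
    return [p for p in packets if p.sport != 22 and p.dport != 22]


def dissect_protocol(p):
    """Stand-in for Wireshark's dissectors (hypothetical, far simpler than the
    real thing): classify by payload content rather than by port number."""
    if p.payload.startswith(b"SSH-"):
        return "ssh"
    first_token = p.payload.split(b" ", 1)[0]
    if first_token in (b"GET", b"POST", b"HEAD") or p.payload.startswith(b"HTTP/"):
        return "http"
    return "data"


def display_filter_not_ssh(packets):
    """Display filter 'not ssh': applied after dissection, so it drops whatever
    the dissector recognised as SSH, whichever port it used."""
    return [p for p in packets if dissect_protocol(p) != "ssh"]


def compare(packets):
    """Summarise, by destination port, where the two filters disagree."""
    cap = capture_filter_not_port_22(packets)
    disp = display_filter_not_ssh(packets)
    return {
        "kept_by_capture_filter": [p.dport for p in cap],
        "kept_by_display_filter": [p.dport for p in disp],
        # SSH that slipped through because it did not use port 22
        "ssh_missed_by_capture_filter": [p.dport for p in cap if dissect_protocol(p) == "ssh"],
        # non-SSH traffic lost for good because it touched port 22
        "non_ssh_dropped_by_capture_filter": [
            p.dport for p in packets if p not in cap and dissect_protocol(p) != "ssh"
        ],
    }


if __name__ == "__main__":
    for name, ports in compare(SAMPLE).items():
        print(f"{name}: {ports}")
```

Running it shows the port-based capture filter letting SSH on port 2222 through while permanently discarding the HTTP request that happened to use port 22, whereas the dissector-based display filter does the reverse; that asymmetry is why the post recommends capturing everything and filtering afterwards when the network allows it. Two caveats for current tools: recent tshark releases take the display filter with -Y (-R is the two-pass read filter, used together with -2), and bash applies history expansion to ! in interactive shells, so the escaping advice matters at the prompt even where a script would be unaffected.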