I am trying to set up a filter (so my log files aren't massive) that will capture only incoming traffic. I have looked on http://wiki.wireshark.org/CaptureFilters but so far have been unable to find a way to do this. Does anyone know how?
Just as a side question, when logging to multiple files in Wireshark, can you view full packet information at a later time?
you would want to only capture traffic that is destined for your host's IP:
Sorry, read that as display filter. The above has been corrected for CAPTURE filter syntax.
Your request to capture
only incoming traffic
leads to some ambiguity. The word incoming may have at least two different meanings in networking. The first meaning, packets received by a particular interface/device, is relatively simple. The answer Jeff provides is what you want. You basically just need to filter for packets which have an IP or MAC address that matches your network interface.
There is another common usage of incoming in networking as it relates to stateful firewalls. This usually means all traffic initiated by a remote system. If this is what you actually want, all connections initiated by a remote system and all packets related to those connections, then I believe you are out of luck. The last time I looked, PCAP had no stateful matching ability at all. So if that is what you are looking for, then I believe you are pretty much out of luck.
Because tcpdump filters are the capture filters, and can be passed through tshark or tcpdump as well to avoid running a GUI just for capture if you're reviewing later,
[tcpdump] ether dst $YOUR_MAC_ADDRESS
should cover most of what you want.
[tcpdump] ether src not $YOUR_MAC_ADDRESS
would be broader. You may see some DHCP stuff from your machine in there as well, but it ought not be very major.
Yes, you can save packets and inspect them in the future just as in live mode.
You can use a capture filter with a network address instead of your machine's single IP such as "dst net 10.0.0.0/21". This would capture any packets being sent to 10.0.0.1 through 10.0.7.254.
Alternatively, you can use tshark to post-filter a capture file using -r ORIGINAL_FILE -w NEW_FILE -Y "display filters". In the display filters you would use "ip.dst==10.0.0.0/21" to get the same data set as with the capture filter above.
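As an added example (not part of the answer above), here is the same "keep only packets destined for 10.0.0.0/21" post-filter done in plain Python on a pcap file, with a small constructed capture built inline so it runs offline. The names `pcap_bytes`, `iter_pcap`, `ipv4_dst`, `filter_dst_net`, `ipv4_frame` and the SAMPLE data are my own assumptions, and the writer assumes little-endian pcap with Ethernet link type.

```python
import struct
import ipaddress

# Minimal pcap (libpcap) writer/reader plus an "ip.dst in 10.0.0.0/21" filter,
# i.e. the selection the answer makes with "dst net 10.0.0.0/21" at capture
# time or tshark -Y "ip.dst==10.0.0.0/21" afterwards. Constructed example code.

PCAP_MAGIC = 0xA1B2C3D4   # native (little-endian here), microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_bytes(packets):
    """Build an in-memory pcap file from raw Ethernet frames (constructed data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for ts, frame in enumerate(packets):
        body += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return hdr + body

def iter_pcap(data):
    """Yield raw frames from a little-endian pcap blob (24-byte global header)."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == PCAP_MAGIC, "unsupported pcap byte order/format"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def ipv4_dst(frame):
    """Return the IPv4 destination of an Ethernet frame, or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800
        return None
    return ipaddress.IPv4Address(frame[30:34])           # dst is IP header bytes 16..19

def filter_dst_net(data, net):
    """Keep only frames whose IPv4 destination lies inside `net` (CIDR string)."""
    net = ipaddress.IPv4Network(net)
    return [f for f in iter_pcap(data) if (d := ipv4_dst(f)) is not None and d in net]

def ipv4_frame(dst):
    """Constructed Ethernet+IPv4 header carrying only the fields the filter reads."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0]) + b"\x00\x14" + b"\x00" * 4 + bytes([64, 6]) + b"\x00\x00"
    ip += ipaddress.IPv4Address("192.0.2.1").packed + ipaddress.IPv4Address(dst).packed
    return eth + ip

# Constructed sample: one packet inside the /21, one outside it, one ARP frame.
SAMPLE = pcap_bytes([ipv4_frame("10.0.3.9"), ipv4_frame("10.0.8.1"),
                     b"\xff" * 14 + b"\x08\x06" + b"\x00" * 28])
```

Running `filter_dst_net(SAMPLE, "10.0.0.0/21")` keeps only the 10.0.3.9 packet; widening the network to /16 keeps both IPv4 packets, and the ARP frame never matches.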
Please stop this madness. It's very impractical to list the local host's MAC/IP address every time you need this feature (not to mention the cases where these details can change while running the dump), and the pcap library has this facility already. You just have to use 'inbound' in the filter, and you'll only see the received packets on the interface, simple as that.