
Query On Wireshark Filter with two protocol

I am new to Wireshark and would like to filter DNS & LDAP with source and destination IP. As soon as I apply the filters below, the Wireshark filter field turns yellow with a triangle mark.

dns or ldap and (ip.src==10.0.20.62)  
dns or ldap and (ip.dst==10.0.20.62)

When I try with individual filters, it works fine, but I need to run it two times and it is a time-consuming process as our cap file is more than 30 GB.

dns and (ip.src==10.0.20.62)  
ldap and (ip.src==10.0.20.62)

Is there any way to combine both protocols in one filter command against ip.src or ip.dst to avoid running it two times?

Kindly advise how to correct the filters as I have been struggling for the past few days.

Thanks a lot in advance, Suvajit Basu

asked 2022-07-08 13:39:55 +0000 by Suvajit Basu
updated 2022-07-08 14:58:03 +0000 by grahamb


1 Answer


"Wireshark filter field turns yellow with a triangle mark."

Wireshark is warning you that the filter may not work as you intended. This is due to an apparent ambiguity with respect to logical operator precedence between "and" and "or", which unfortunately isn't well documented on the wireshark-filter man page.

In the old days, logical or took precedence over logical and, but that was changed beginning with the Wireshark 3.7.0 development release, soon to become Wireshark 4.0. In any case, it's probably best to use parentheses to avoid any such ambiguities (and to avoid the yellow display filter warning).

So, if you want a filter that matches either DNS or LDAP traffic, but only when both the IP source and destination addresses are 10.0.20.62, then you should be able to use a filter such as this:

(dns or ldap) and (ip.src==10.0.20.62 and ip.dst==10.0.20.62)

For the second set of filters you provided, they can be combined as follows:

(dns or ldap) and (ip.src==10.0.20.62)
answered 2022-07-08 15:05:37 +0000 by cmaynard

Comments

There is an ip.addr field that tests against both ip.src and ip.dst. Using this gives:

(dns or ldap) and (ip.addr == 10.0.20.62)

If the file is big, you might want to use the ip.addr filter on its own and then save just the displayed packets in a file purely for that address.

grahamb (2022-07-08 15:11:55 +0000)

Wow.. Thank you cmaynard for your kind response & for providing the solution.

I am running your filter now and did not get any yellow triangle warnings.

I will keep you updated shortly.

Thanks a lot once again.

Regards, Suvajit Basu

Suvajit Basu (2022-07-08 15:18:46 +0000)

Ok, I see. Thank you so much for your help. Let me try and update you.

Suvajit Basu (2022-07-08 15:23:33 +0000)

Hmm, I'm not sure what happened to @grahamb's answer, but certainly if you're looking for packets with either the source or destination IP address set to 10.0.20.62, then you can use the filter @grahamb provided above, which is basically just a shorter and easier way of writing, (dns or ldap) and (ip.src == 10.0.20.62 or ip.dst == 10.0.20.62).

cmaynard (2022-07-08 15:57:40 +0000)

@cmaynard, I turned it into a comment to help the flow look a bit better.

grahamb (2022-07-08 16:14:36 +0000)
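Added example (not code from this thread or from the Wireshark project): a toy Python evaluator for the subset of display-filter syntax used above. It parses the same expression under the two precedence rules the answer describes ("or" binding tighter in older releases, "and" binding tighter from 3.7.0 onward) and runs it over a few constructed packets, showing that the unparenthesised filter selects different packets under each rule while the parenthesised form, and grahamb's ip.addr variant, do not depend on the rule. The OLD/NEW labels, the packet dictionaries and their field names are assumptions of the example.

```python
import re
# Tokens used in this thread: parens, and/or, "field==value" (spaces allowed
# around ==, as in "ip.addr == 10.0.20.62") and bare protocol names.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[a-z_.]+\s*==\s*[^\s()]+|[a-z_.]+")
# Precedence tables, loosest-binding operator first (labels are assumptions).
OLD = ["and", "or"]   # pre-3.7.0 as the answer describes: "or" binds tighter
NEW = ["or", "and"]   # 3.7.0 / 4.0 onward: "and" binds tighter

def parse(toks, levels, level=0):
    """Recursive-descent parse; toks is consumed from the front."""
    if level == len(levels):
        return atom(toks, levels)
    op = levels[level]
    node = parse(toks, levels, level + 1)
    while toks and toks[0] == op:
        toks.pop(0)
        node = (op, node, parse(toks, levels, level + 1))
    return node

def atom(toks, levels):
    tok = toks.pop(0)
    if tok == "(":
        node = parse(toks, levels)
        toks.pop(0)                      # the closing ")"
        return node
    if "==" in tok:
        field, value = (s.strip() for s in tok.split("=="))
        return ("eq", field, value)
    return ("proto", tok)

def matches(node, pkt):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "eq":
        # ip.addr tests both ends of the packet, as grahamb's comment says.
        fields = ("ip.src", "ip.dst") if node[1] == "ip.addr" else (node[1],)
        return any(pkt.get(f) == node[2] for f in fields)
    return node[1] in pkt["protocols"]

def filter_packets(expr, packets, levels=NEW):
    """Return the ids of packets that expr matches under the given precedence."""
    tree = parse(TOKEN.findall(expr), levels)
    return [p["id"] for p in packets if matches(tree, p)]

def pkt(pid, proto, src, dst):           # constructed sample packet, not a real capture
    return {"id": pid, "protocols": {"ip", proto}, "ip.src": src, "ip.dst": dst}
PACKETS = [pkt(1, "dns", "10.0.20.62", "10.0.20.1"), pkt(2, "dns", "192.168.1.5", "10.0.20.1"),
           pkt(3, "ldap", "10.0.20.62", "10.0.20.10"), pkt(4, "ldap", "192.168.1.5", "10.0.20.62"),
           pkt(5, "http", "10.0.20.62", "10.0.20.1")]
```

Under NEW the question's unparenthesised filter reads as `dns or (ldap and ...)` and also returns packet 2, a DNS packet from another host; under OLD it reads as `(dns or ldap) and ...`, which is what the asker meant.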
