
display filter for ip & port combination


Is there a way to filter by ip.addr & tcp.port (or udp.port) combination?

You can use a convoluted ((ip.src==... && tcp.srcport==...) || (ip.dst==... && tcp.dstport==...)), but this gets out of hand once you also consider negation, as well as complex filters.

Is there a way to use something like tcp.endpoint==8.8.8.8:443 or udp.endpoint.dst==8.8.8.8:53?

If not, then can I suggest this as a feature request? :)

nimrodg
asked 2022-07-19 09:37:56 +0000, updated 2022-07-21 08:22:48 +0000

Comments

Fixed the title of the post that was mistakenly cut while posting.

nimrodg (2022-07-21 08:23:24 +0000)

2 Answers

That's where display filter macros come into view.

Jaap
answered 2022-07-19 11:46:20 +0000

Comments

Interesting! I somehow managed to miss macros until now... Will give it a try - Thanks! (I still think this should be a feature though :)

nimrodg (2022-07-20 18:53:51 +0000)

There are filters for both IP address (ip.addr) and TCP port (tcp.port) that will filter both "directions" for the respective protocols, e.g.

ip.addr == 1.2.3.4 is equivalent to (ip.src == 1.2.3.4 || ip.dst == 1.2.3.4)

and

tcp.port == 12345 is equivalent to (tcp.srcport == 12345 || tcp.dstport == 12345)

Similarly there are udp.port and sctp.port fields, and probably many others I've never needed to use.

grahamb
answered 2022-07-20 18:22:54 +0000

Comments

Thanks, but this doesn't answer my question. I need to filter on a combination of IP & port on the same end-point.

nimrodg (2022-07-20 18:51:30 +0000)

ip.addr and tcp.port can be used in combination, e.g.

(ip.addr == 1.2.3.4) && (tcp.port == 12345)

grahamb (2022-07-20 20:24:39 +0000)

Of course, but this will also catch packets where ip.src==1.2.3.4 && tcp.dstport==12345, which misses the point of my original post.

nimrodg (2022-07-21 03:36:23 +0000)

You asked for something like tcp.endpoint == 8.8.8.8:53 which implies ip.src and ip.dst are equivalent and similarly for tcp.srcport and tcp.dstport, hence my answer.

grahamb (2022-07-21 07:54:24 +0000)

You missed my point that the IP & port should be on the same end of the connection.

nimrodg (2022-07-21 08:20:37 +0000)
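As an added illustration (editor's example, not code from the thread or from the Wireshark project), the following Python model ties the two answers together: it defines the kind of display filter macro Jaap's answer alludes to, expands it the way a macro reference is substituted into a filter, and then evaluates both the naive `ip.addr && tcp.port` filter from grahamb's comment and the macro against three constructed packets, so the over-match nimrodg describes (address on one end, port on the other) is visible. Assumptions labelled in the code: the macro file uses the `"name" "body"` line format of Wireshark's dfilter_macros file with `$1`, `$2` positional arguments and `${name:arg1;arg2}` invocation, the expansion is purely textual, and the packet samples and IP addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed macro file in the "name" "body" line format of Wireshark's
# dfilter_macros file (assumption: positional arguments are $1, $2, ...; a macro
# is invoked inside a filter as ${name:arg1;arg2}). The macro text is the
# editor's own, not from the thread. Because the body is substituted textually,
# it is wrapped in its own parentheses so that !${...} and && / || around it
# behave as intended.
DFILTER_MACROS = r'''
"tcp_endpoint" "((ip.src == $1 && tcp.srcport == $2) || (ip.dst == $1 && tcp.dstport == $2))"
"tcp_endpoint_dst" "(ip.dst == $1 && tcp.dstport == $2)"
'''


def load_macros(text: str) -> dict:
    """Parse "name" "body" lines into a name -> body mapping."""
    macros = {}
    for line in text.strip().splitlines():
        m = re.fullmatch(r'"([^"]+)"\s+"([^"]+)"', line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


MACRO_REF = re.compile(r'\$\{(\w+):([^}]*)\}')


def expand(filter_text: str, macros: dict) -> str:
    """Replace ${name:a;b} references with the macro body, $1/$2 substituted."""
    def repl(m):
        body = macros[m.group(1)]
        for i, arg in enumerate(m.group(2).split(';'), start=1):
            body = body.replace(f'${i}', arg.strip())
        return body
    return MACRO_REF.sub(repl, filter_text)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def packet_fields(pkt: Packet) -> dict:
    """Model the field semantics grahamb describes: ip.addr and tcp.port carry
    both directions, so 'field == v' is true if v occurs on either end."""
    return {
        'ip.src': {pkt.src}, 'ip.dst': {pkt.dst}, 'ip.addr': {pkt.src, pkt.dst},
        'tcp.srcport': {str(pkt.sport)}, 'tcp.dstport': {str(pkt.dport)},
        'tcp.port': {str(pkt.sport), str(pkt.dport)},
    }


FIELD_CMP = re.compile(r'([a-z]+\.[a-z]+)\s*==\s*([0-9.]+)')


def matches(filter_text: str, pkt: Packet, macros: dict) -> bool:
    """Evaluate a small subset of the display-filter language (==, &&, ||, !,
    parentheses) by translating it into a Python boolean expression."""
    py = expand(filter_text, macros)
    py = FIELD_CMP.sub(lambda m: f'({m.group(2)!r} in F[{m.group(1)!r}])', py)
    py = py.replace('&&', ' and ').replace('||', ' or ')
    py = re.sub(r'!(?!=)', ' not ', py)
    return bool(eval(py, {'__builtins__': {}}, {'F': packet_fields(pkt)}))


# Constructed sample traffic: a client at 10.0.0.5 and a server at 8.8.8.8:443.
PACKETS = {
    'client->server': Packet('10.0.0.5', '8.8.8.8', 51000, 443),
    'server->client': Packet('8.8.8.8', '10.0.0.5', 443, 51000),
    # Address and port on opposite ends: 8.8.8.8 is the source, 443 the
    # destination port. This is the packet the original poster wants excluded.
    'crossed': Packet('8.8.8.8', '10.0.0.5', 51000, 443),
}

FILTERS = {
    'naive': 'ip.addr == 8.8.8.8 && tcp.port == 443',
    'endpoint': '${tcp_endpoint:8.8.8.8;443}',
    'not_endpoint': '!${tcp_endpoint:8.8.8.8;443}',
}


def evaluate_all() -> dict:
    """Return {filter name: {packet name: matched?}} for every combination."""
    macros = load_macros(DFILTER_MACROS)
    return {fname: {pname: matches(f, p, macros) for pname, p in PACKETS.items()}
            for fname, f in FILTERS.items()}


if __name__ == '__main__':
    print(expand(FILTERS['endpoint'], load_macros(DFILTER_MACROS)))
    for fname, results in evaluate_all().items():
        print(f'{fname:13}', results)
```

Running it shows the naive filter matching all three packets, including the crossed one, while the macro matches only the two packets where 8.8.8.8 and port 443 sit on the same end; negating the macro reference flips exactly those results, which is the case the original post said gets unwieldy when written out by hand.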
