Wireshark filter to only capture Incoming Packets?

19,370

Solution 1

You would want to only capture traffic that is destined for your host's IP:

dst host <your IP>

Sorry, I read that as a display filter. The above has been corrected for CAPTURE filter syntax.

Solution 2

Your request to capture only incoming traffic leads to some ambiguity. The word incoming may have at least two different meanings in networking.

The first meaning, packets received by a particular interface/device, is relatively simple. The answer Jeff provides is what you want. You basically just need to filter for packets which have an IP or MAC address that matches your network interface.

There is another common usage of incoming in networking as it relates to stateful firewalls. This usually means all traffic initiated by a remote system. If this is what you actually want, all connections initiated by a remote system and all packets related to those connections, then I believe you are out of luck. The last time I looked PCAP had no stateful matching ability at all. So if that is what you are looking for, then I believe you are pretty much out of luck.

Solution 3

Because tcpdump filters are the capture filters, and can be passed through tshark or tcpdump as well to avoid running a GUI just for capture if you're reviewing later:

[tcpdump] ether dst $YOUR_MAC_ADDRESS should cover most of what you want.

[tcpdump] ether src not $YOUR_MAC_ADDRESS would be broader. You may see some DHCP stuff from your machine in there as well, but it ought not be very major.

Yes, you can save packets and inspect them in the future just as in live mode.

Solution 4

You can use a capture filter with a network address instead of your machine's single IP such as "dst net 10.0.0.0/21". This would capture any packets being sent to 10.0.0.1 through 10.0.7.254.

Alternatively, you can use tshark to post-filter a capture file using -r ORIGINAL_FILE -w NEW_FILE -Y "display filters". In the display filters you would use "ip.dst==10.0.0.0/21" to get the same data set as with the capture filter above.


Author: Aidan Knight

Updated on September 18, 2022

Comments

  • Aidan Knight
    Aidan Knight over 1 year

    I am trying to set up a Filter (so my log files aren't massive) that will capture only incoming traffic. I have looked on http://wiki.wireshark.org/CaptureFilters but so far have been unable to find a way to do this. Does anyone know how?

    Just as a side question, when logging to multiple files in Wireshark, can you view full packet information at a later time?

    • Denys
      Denys over 12 years
      Side answer: As long as you dump out full frames (which is the default) you can view full packets at a later time.
  • Zoredache
    Zoredache over 12 years
    This may be the right answer if he is defining incoming as 'received', and not like how you would define it on a stateful firewall.
  • Aidan Knight
    Aidan Knight over 12 years
    This sounds like it will be perfect. A lot of our machines are getting hit with a DDoS thanks to a program released that takes advantage of an exploit in some game servers (turns them into ddos zombies). Thanks!
  • Aidan Knight
    Aidan Knight over 12 years
    Actually one other question. I have tried both of these in the Capture Filter (GUI Application) and could get neither to work. I get an "unknown ether host" error when I use "ether dst 2F178581-F429-4AD8-AC39-CD8785651EDB"
  • Aidan Knight
    Aidan Knight over 12 years
    This would be perfect except our machines have large blocks of IPs assigned to them, and the traffic could be targeted at any of these.
  • loislo
    loislo over 12 years
    @BrettPowell On Windows, use the "physical address" field from ipconfig /all
  • Denys
    Denys over 12 years
    You can also get your MAC address within Wireshark via Capture→Interfaces→Details→802.3. (Or you could just run a capture with no filter and look for packets that are obviously to or from your machine...)
  • Pedro Perez
    Pedro Perez about 9 years
    There may be a way, at least for TCP connections: Find packets with SYN flag, without ACK flag, with the local machine's IP address as destination. Save those and then follow the TCP stream for each of them.
  • kasperd
    kasperd almost 9 years
    Filtering on MAC address will only produce correct results as long as nodes on the network are well-behaved. It is possible for hosts to send packets with arbitrarily chosen source and destination MAC addresses. So another host could send a packet to you that your filter would see as outgoing rather than incoming. I wonder if there is a filter criterion which would actually look at which direction the packet was actually sent through the network interface. Sounds like it shouldn't be hard to do, but I don't know of a Wireshark feature to do it.
  • Arran Cudbard-Bell
    Arran Cudbard-Bell over 8 years
    The PCAP docs say that only works for certain link layers, like Linux cooked.
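The two meanings of "incoming" in Solution 2, side by side: the first function is the received-packet view of Solution 4's "dst net 10.0.0.0/21", the second implements the two-pass approach from Pedro Perez's comment (collect SYN-without-ACK packets addressed to the local network, then keep every packet of those connections). This is an added example, not code from any of the posters; the frames are constructed inline, and the /21, the addresses and the ports are assumed values.

```python
import ipaddress
import struct
LOCAL_NET = ipaddress.ip_network("10.0.0.0/21")  # the /21 from Solution 4 (assumed)
SYN, ACK = 0x02, 0x10

def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (no payload, checksums zeroed)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return src, dst, sport, dport, frame[14 + ihl + 13]  # TCP flags byte

def dst_net_packets(frames, net=LOCAL_NET):
    """'Incoming' as received: what the capture filter 'dst net 10.0.0.0/21' keeps."""
    return [f for f in frames if (p := parse_frame(f)) and ipaddress.ip_address(p[1]) in net]

def inbound_connection_packets(frames, net=LOCAL_NET):
    """'Incoming' as a stateful firewall means it: every packet of a TCP connection a remote host opened."""
    flows = set()                                       # (local ip, local port, remote ip, remote port)
    for f in frames:
        p = parse_frame(f)
        if p and p[4] & SYN and not p[4] & ACK and ipaddress.ip_address(p[1]) in net:
            flows.add((p[1], p[3], p[0], p[2]))         # pass 1: remote-initiated handshakes
    keep = []
    for f in frames:
        p = parse_frame(f)
        if p and ((p[1], p[3], p[0], p[2]) in flows or (p[0], p[2], p[1], p[3]) in flows):
            keep.append(f)                              # pass 2: both directions of those flows
    return keep
# Constructed sample traffic (not a real capture): a remote-initiated HTTPS connection,
# a locally-initiated HTTP connection, and a SYN to an address outside the /21.
SAMPLE = [
    build_frame("198.51.100.7", "10.0.3.9", 40000, 443, SYN),        # remote opens a connection
    build_frame("10.0.3.9", "198.51.100.7", 443, 40000, SYN | ACK),  # our reply: sent, yet part of an inbound connection
    build_frame("198.51.100.7", "10.0.3.9", 40000, 443, ACK),
    build_frame("10.0.3.9", "203.0.113.5", 51000, 80, SYN),          # we open a connection
    build_frame("203.0.113.5", "10.0.3.9", 80, 51000, SYN | ACK),    # received, but not an inbound connection
    build_frame("198.51.100.7", "10.0.9.1", 40001, 22, SYN),         # 10.0.9.1 lies outside the /21
]
```

Both functions return three frames on the sample, but different ones: the received view keeps the SYN/ACK we received for our own outbound connection and drops the SYN/ACK we sent, while the connection view does the opposite.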