Wireshark filter to only capture Incoming Packets?
Solution 1:
You would want to only capture traffic that is destined for your host's IP:
dst host <your Ip>
Sorry, read that as display filter. The above has been corrected for CAPTURE filter syntax.
Solution 2:
Your request to capture only incoming traffic leads to some ambiguity. The word incoming may have at least two different meanings in networking.
The first meaning, packets received by a particular interface/device, is relatively simple. The answer Jeff provides is what you want. You basically just need to filter for packets which have an IP or MAC address that matches your network interface.
There is another common usage of incoming in networking as it relates to stateful firewalls. This usually means all traffic initiated by a remote system. If this is what you actually want, all connections initiated by a remote system and all packets related to those connections, then I believe you are out of luck. The last time I looked PCAP had no stateful matching ability at all. So if that is what you are looking for, then I believe you are pretty much out of luck.
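The stateful meaning of "incoming" can still be recovered after capture, by tracking which side sent the opening SYN. The sketch below is an added example, not part of any of the answers: the sample lines are constructed, the function name is hypothetical, and the input shape assumes tab-separated output from `tshark -r FILE -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`.

```python
import ipaddress

SYN, ACK = 0x02, 0x10

# Constructed sample (not real traffic): src, dst, sport, dport, tcp.flags
SAMPLE = """\
198.51.100.7\t10.0.0.5\t51000\t22\t0x0002
10.0.0.5\t198.51.100.7\t22\t51000\t0x0012
198.51.100.7\t10.0.0.5\t51000\t22\t0x0010
10.0.0.5\t203.0.113.9\t40000\t443\t0x0002
203.0.113.9\t10.0.0.5\t443\t40000\t0x0012
10.0.0.5\t203.0.113.9\t40000\t443\t0x0010
203.0.113.9\t10.0.0.5\t443\t40000\t0x0018
192.0.2.1\t10.0.0.5\t6000\t80\t0x0010
"""

def remote_initiated(lines, local_net):
    """Return (flows, packets) for TCP connections opened by a remote SYN.

    flows   : set of (remote_ip, remote_port, local_ip, local_port)
    packets : every input line, in either direction, belonging to those flows
    """
    net = ipaddress.ip_network(local_net)
    flows, packets = set(), []
    for line in lines:
        if not line.strip():
            continue
        src, dst, sport, dport, flags = line.rstrip("\n").split("\t")
        flags = int(flags, 16)
        fwd = (src, int(sport), dst, int(dport))
        rev = (dst, int(dport), src, int(sport))
        # Connection open = SYN set, ACK clear; a SYN/ACK is only the reply.
        is_open = bool(flags & SYN) and not (flags & ACK)
        from_remote = (ipaddress.ip_address(src) not in net
                       and ipaddress.ip_address(dst) in net)
        if is_open and from_remote:
            flows.add(fwd)
        # Keep both directions of a flow once its opening SYN has been seen.
        if fwd in flows or rev in flows:
            packets.append(line)
    return flows, packets

if __name__ == "__main__":
    flows, packets = remote_initiated(SAMPLE.splitlines(), "10.0.0.0/21")
    print(flows)
    print("\n".join(packets))
```

A connection whose SYN was sent before the capture started (the last sample line) is not attributed to either side, so start the capture before the traffic of interest.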
Solution 3:
Because tcpdump filters are the capture filters, they can be passed through tshark or tcpdump as well, to avoid running a GUI just for capture if you're reviewing later.
[tcpdump] ether dst $YOUR_MAC_ADDRESS
should cover most of what you want.
[tcpdump] ether src not $YOUR_MAC_ADDRESS
would be broader. You may see some DHCP stuff from your machine in there as well, but it ought not be very major.
Yes, you can save packets and inspect them in the future just as in live mode.
Solution 4:
You can use a capture filter with a network address instead of your machine's single IP such as "dst net 10.0.0.0/21". This would capture any packets being sent to 10.0.0.1 through 10.0.7.254.
Alternatively, you can use tshark to post-filter a capture file using -r ORIGINAL_FILE -w NEW_FILE -Y "display filters". In the display filters you would use "ip.dst==10.0.0.0/21" to get the same data set as with the capture filter above.