Thanks! On the WAN or LAN interface?
When I found the outgoing packet, it was from my external IP to the Yahoo server. This is logical too, because of the NAT.
But in the end the version with "host 192.168.0.1" is not good, because the main purpose of all this is to implement a pattern- or list-based content-filtering system for instant messaging on the gateway. I have more than 1 PC in the internal network and I should apply the content filtering only to a part of them, not to all. In this context I need a more selective filter.
Miszcsi
--- On Mon, 4/19/10, dan meyer <dan@xxxxxxxxxxxxxxxx> wrote:
From: dan meyer <dan@xxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Monday, April 19, 2010, 5:17 PM
I would use the capture filter string "host 192.168.0.1".
-- Dan Meyer
On Mon, Apr 19, 2010 at 4:53 AM, Miszcsi Miszcsi <miszcsike@xxxxxxxxx> wrote:
Hello Everybody. Thanks Wes for the help, it was very useful, I got the right direction. The problem is that the host qualifier refers to the IP address only as source and not as destination too. How can I make a capture filter for analysing both incoming and outgoing packets for a certain IP address? Using "and" and "src host"/"dst host" combinations, can I build the filter?
Have a nice day
Miszcsi
--- On Sat, 4/17/10, Wes <wes_r@xxxxxxxxx> wrote:
From: Wes <wes_r@xxxxxxxxx>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Saturday, April 17, 2010, 1:37 PM
One way to attack this is to verify the sniffer is actually capturing the packets in question by doing a capture without a capture filter. Then you should be able to build a display filter to see only the packets you want. From that, you should be able to create a capture filter to capture just those packets.
Wes
--- On Sat, 4/17/10, Pedro Tumusok <pedro.tumusok@xxxxxxxxx> wrote:
From: Pedro Tumusok <pedro.tumusok@xxxxxxxxx>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Saturday, April 17, 2010, 9:09 AM
Why do you need to use the HOST address as a qualifier?
Would not tcp port 5050 be enough? The reason is simple: because the internal host IP does not exist on the WAN (Internet), this address is never in any packets that Wireshark captures on the WAN interface. Have you tried to run the sniffer on the LAN interface?
Pedro
On Sat, Apr 17, 2010 at 12:29 PM, Miszcsi Miszcsi <miszcsike@xxxxxxxxx> wrote:
Hi
How to figure out the combination? For this I should visualize somehow the NAT table, but I don't know how to do this.
Thanks
Miszcsi
PS I still need help with this problem :( Is everybody on weekend holiday or sleeping? :D Still stuck with the project...
--- On Sat, 4/17/10, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] help me please
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Saturday, April 17, 2010, 8:28 AM
Hi,
It seems like the NAT function is interfering with your capture filter. Maybe you can figure out what the exact address/port translation function is by looking at all WAN interface data.
Thanks, Jaap
Sent from my iPhone
Hello!
Please somebody help me with my problem! I'm new to this and I'm stuck with my project because of this problem and I cannot go further.
Any concrete and real help would be appreciated.
I'm trying to monitor network traffic on a Windows gateway with Wireshark, especially IM traffic, Yahoo Messenger. I have 2 Fast Ethernet cards in the PC, one for WAN and one for LAN. If I'm running the sniffer on an internal PC, I have both incoming and outgoing packets from and to the Yahoo server or, in case of peer-to-peer messaging, to and from the remote discussion partner. If I'm running the sniffer on the gateway using the WAN interface for capture, I have only incoming packets, and no outgoing. For filtering at capture I'm using the option "tcp port 5050 and host X.X.X.X", where X.X.X.X is the IP address of the internal PC.
(Wireshark - Capture Options - and I enter this in the Capture Filter field, then Start.) I have one statically assigned real IP on the WAN, and DHCP-assigned private IPs for internal PCs (192.168.0.X); they are assigned based on each PC's MAC address, so they are constant and not interchanging. I'm using source NAT on the WAN interface.
What am I doing wrong, or why don't outgoing packets appear in Wireshark?
There is an example in the Wireshark User's Guide from which I was inspired:
Example 4.1. A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host 10.0.0.5
Please somebody explain what the solution is, or what problem makes me see only incoming packets and nothing outgoing.
Best Regards
Miszcsi
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
-- Best regards / Mvh Jan Pedro Tumusok
I know you love me And you want to be Friends And if you dont at least you need to pretend
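The point the thread arrives at, as an added example that is not part of the original messages: a small Python model of the gateway's source NAT, showing why a "host" capture filter on an internal address matches the outgoing packet on the LAN interface but not on the WAN interface, with a helper that builds a capture filter limited to selected internal PCs. The WAN address, server address, port numbers other than 5050 and the list of monitored hosts are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def build_filter(port, hosts):
    """Build a pcap capture filter restricted to the given internal hosts."""
    if not hosts:
        raise ValueError("at least one host is required")
    clause = " or ".join(f"host {h}" for h in hosts)
    return f"tcp port {port} and ({clause})"

def matches(pkt, port, hosts):
    """Model of the filter above. In pcap filter syntax, 'port' and 'host'
    without a src/dst keyword compare against both source and destination."""
    port_ok = port in (pkt.sport, pkt.dport)
    host_ok = any(h in (pkt.src, pkt.dst) for h in hosts)
    return port_ok and host_ok

def source_nat(pkt, wan_ip, mapped_port):
    """Outgoing packet as it appears on the WAN wire after source NAT."""
    return replace(pkt, src=wan_ip, sport=mapped_port)

# Constructed sample values (not taken from the thread).
WAN_IP = "203.0.113.5"
IM_SERVER = "198.51.100.20"
MONITORED = ["192.168.0.10", "192.168.0.12"]  # PCs to be filtered
ALL_PCS = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]

def demo():
    """For each PC: does the filter match its outgoing packet on LAN / on WAN?"""
    results = {}
    for host in ALL_PCS:
        lan_view = Packet(host, 49152, IM_SERVER, 5050)
        wan_view = source_nat(lan_view, WAN_IP, 61000)
        results[host] = (matches(lan_view, 5050, MONITORED),
                         matches(wan_view, 5050, MONITORED))
    return results

if __name__ == "__main__":
    print(build_filter(5050, MONITORED))
    for host, (on_lan, on_wan) in demo().items():
        print(f"{host}: LAN match={on_lan}  WAN match={on_wan}")
```

The string returned by build_filter is what goes into the Capture Filter field when capturing on the LAN interface.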