polewbirthday.blogg.se

Wireshark filter by ip destination








If you need to create an overview of connections and are not interested in the amount of traffic, then you can iteratively remove traffic from the capture once you've added it to the list of interactions. As there are probably a few top conversations, removing those from the capture process might significantly reduce the capture sizes.

1. Analyze the traffic and add the top interactions to your list.
2. Add these interactions to the filter in a not clause.
3. Go back to step one, rinse and repeat :-).

The filter will become something like:

(tcp=18 or proto icmp or proto udp) and not (host 10.0.0.1 and udp port 53) and not (host 10.0.2.10 and tcp port 80) and not.

The filter uses the slice operator to isolate the 1st and 4th bytes of the source and destination IP address fields. This filter also avoids any potential problems with whether name resolution is enabled or not, as ip.host isn't necessarily guaranteed to match "\.152$" if name resolution is enabled.

Note that you might be tempted to use a simpler filter such as:

ip.addr[0]==32 && ip.addr[3]==98

Unfortunately, this doesn't work reliably, because it matches the 1st byte of either the source or destination address together with the 4th byte of either the source or destination address. For example, if the source address was 50.xxx.xxx.100 and the destination address was .152, then the packet would still match the filter, as the 1st byte of the source address would match as well as the last byte of the destination address.

Refer to the wireshark-filter man page for more information about the slice operator and Wireshark display filters in general.


Those values, 32 and 98, are the hexadecimal values for 50 and 152, respectively.
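The mismatch described above for the simpler ip.addr filter can be reproduced with a small model of how a multi-occurrence field is evaluated. This is an added example, not code from the original page or from Wireshark; the per-field filter form in the second function and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

FIRST, LAST = 0x32, 0x98  # slice bytes are hexadecimal: 0x32 = 50, 0x98 = 152


def _octets(ip):
    return ipaddress.IPv4Address(ip).packed


def simple_filter(src, dst):
    """Model of: ip.addr[0]==32 && ip.addr[3]==98

    ip.addr occurs twice in a packet (source and destination), and each
    comparison is satisfied if ANY occurrence matches, independently of
    the other comparison.
    """
    addrs = (_octets(src), _octets(dst))
    return any(a[0] == FIRST for a in addrs) and any(a[3] == LAST for a in addrs)


def per_field_filter(src, dst):
    """Model of the assumed per-field form:
    (ip.src[0]==32 && ip.src[3]==98) || (ip.dst[0]==32 && ip.dst[3]==98)
    Both bytes must come from the same address.
    """
    return any(a[0] == FIRST and a[3] == LAST for a in (_octets(src), _octets(dst)))


# Constructed (source, destination) pairs; not taken from a real capture.
PACKETS = [
    ("50.1.2.152", "10.0.0.5"),    # source is 50.x.x.152
    ("10.0.0.5", "50.9.9.152"),    # destination is 50.x.x.152
    ("50.1.2.100", "10.0.0.152"),  # the mixed case described in the text
    ("10.0.0.5", "10.0.0.6"),      # unrelated traffic
]


def false_positives(packets):
    """Pairs the simple filter accepts but the per-field filter rejects."""
    return [p for p in packets if simple_filter(*p) and not per_field_filter(*p)]


if __name__ == "__main__":
    for src, dst in PACKETS:
        print(f"{src:>12} -> {dst:<12} simple={simple_filter(src, dst)!s:<5} "
              f"per-field={per_field_filter(src, dst)}")
    print("false positives:", false_positives(PACKETS))
```
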









