Common filters used with the TCP dump tool
- Filter commonly used to troubleshoot VPN tunneling startup or session issues:
host 188.8.131.52 OR host 10.5.10.2
host 184.108.40.206 = client external IP address
host 10.5.10.2 = client virtual IP address assigned by VPN tunneling
Tip: Have the user connect with VPN tunneling once before starting the capture to obtain the virtual IP address, put that address in the filter, then have the user reconnect.
- Display Filter -- a filter that you use to filter the captured TCP dump after it has been taken.
In the IVE TCP dump filter field you have to use capture filter syntax, not display filter syntax. The Ethereal capture filter syntax is accepted.
- If you want to filter based on host IP address, the syntax is host <IP address>, e.g. host 10.20.30.40 if 10.20.30.40 is the host IP address.
- If you want to capture HTTP traffic, the syntax is tcp port 80. This filter captures only HTTP traffic.
You can also combine filters with the "AND", "OR" and "NOT" operators. For example, to capture telnet traffic from host 10.20.30.40 the syntax is tcp port 23 AND host 10.20.30.40.
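As an added illustration that is not part of the original article, the following Python evaluator applies the capture filter primitives described above (host, [tcp|udp] port, and AND/OR/NOT with libpcap's precedence, where AND binds tighter than OR) to a few constructed packet records, so you can check what a filter will and will not match before running it on the IVE. Note that libpcap itself accepts only lowercase and/or/not keywords; the evaluator folds case for convenience.

```python
# Tiny evaluator for Ethereal/pcap-style capture filters (host X, [tcp|udp] port N,
# not / and / or) applied to constructed packet records.

def parse(expr):
    # Returns a predicate packet -> bool. libpcap itself accepts only lowercase
    # keywords; case is folded here for convenience. 'and' binds tighter than 'or'.
    toks, pos = expr.lower().split(), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def primitive():   # host X | [tcp|udp] port N | not P
        tok = take()
        if tok == "not":
            p = primitive()
            return lambda pk: not p(pk)
        if tok == "host":
            ip = take()
            return lambda pk: ip in (pk["src"], pk["dst"])
        proto, tok = (tok, take()) if tok in ("tcp", "udp") else (None, tok)
        if tok == "port":
            n = int(take())
            return lambda pk: (proto is None or pk["proto"] == proto) and n in (pk["sport"], pk["dport"])
        raise ValueError(f"unexpected token {tok!r}")
    def and_expr():
        left = primitive()
        while peek() == "and":
            take(); left = (lambda l, r: lambda pk: l(pk) and r(pk))(left, primitive())
        return left
    def or_expr():
        left = and_expr()
        while peek() == "or":
            take(); left = (lambda l, r: lambda pk: l(pk) or r(pk))(left, and_expr())
        return left
    pred = or_expr()
    if pos != len(toks): raise ValueError(f"trailing tokens: {toks[pos:]}")
    return pred

def apply_filter(expr, packets):
    # Each packet is a dict with src, dst, proto ("tcp"/"udp"), sport and dport.
    pred = parse(expr)
    return [pk for pk in packets if pred(pk)]

# Constructed sample packets, not from a real capture: 203.0.113.10 stands in for the
# VPN client's external IP, 10.5.10.2 is the virtual IP used in the article's example.
PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.1", "proto": "tcp", "sport": 51000, "dport": 443},
    {"src": "10.5.10.2",    "dst": "10.20.30.40",  "proto": "tcp", "sport": 51001, "dport": 23},
    {"src": "10.20.30.40",  "dst": "10.5.10.2",    "proto": "tcp", "sport": 23,    "dport": 51001},
    {"src": "10.20.30.40",  "dst": "10.0.0.7",     "proto": "tcp", "sport": 80,    "dport": 40000},
    {"src": "10.0.0.8",     "dst": "10.20.30.40",  "proto": "udp", "sport": 5353,  "dport": 53},
]
```

Running apply_filter("tcp port 23 AND host 10.20.30.40", PACKETS) returns both directions of the telnet session, while "host 10.20.30.40 and not tcp port 23" returns the remaining two packets that touch that host.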
For more details, refer to the Ethereal user guide at http://www.ethereal.com/docs/eug_html_chunked/
Note: in May 2006, the Wireshark network protocol analyzer became the successor to Ethereal.