How can I capture telegrams of only one station with Wireshark?
FAQ #100224
The free ethernet analyzer Wireshark do offer a capture filter that allows capturing telegrams on an IP network based on the source- and destination station or the TCP- or UDP port.
Capture filters
Capture Filters are used to filter out uninteresting packets already at capture time. This is done to reduce the size of the resulting capture (file) and is especially useful on high traffic networks or for long term capturing.
Wireshark as well as Ethereal do use the pcap filter language for capture filters. This language is explained in the tcpdump man page (www.tcpdump.org).
Procedure
For configuing a capture filter open the "Capture Options" window from the menu "Capture" --> "Options". In this window a capture filter can be set:
§ix100351§
This filter will be applied for the next capture.
Filter expressions
- Filtering telegrams coming from or going to a specific IP address (traffic from both, TCP/IP and UDP/IP will be captured).
host 172.18.102.55 - Filter expression for capturing only Ether-S-Bus telegrams:
udp port 5050
Combining filter expressions
It is also possible combining several expresions. One often used expresion could be:
<font style="BACKGROUND-COLOR: #ffffff">host 172.18.102.55 and udp port 5050
</font>
Storing capture filters
In Wireshark open the menu point "Edit" --> "Capture filters", and enter there a name which you want and for the Filter string. After that, edit your filter:
§ix100358§<font style="BACKGROUND-COLOR: #ffffff">
</font>
Note
It is also possible to filter the telegrams of an already captured file. In this case the "display filter" is to be used (refer to FAQ 100535). The display filter syntax is not identical to the capture filter syntax. The equivalent example of the mentioned "host 192.168.12.89" for the display filter is "<font style="BACKGROUND-COLOR: #ffffff">ip.addr == 192.168.12.89</font>"
Also this option can be useful for viewing only the telegrams that belong to the device to be debugged, it is possible that the troubles of a station are caused by telegrams that are not directed to the station in questions (e.g. Broadcasts). Therefore it makes sense also having a look at the rest of the traffic on the network.
Categories
FBox Builder / IT
Communication / Ether-S-Bus
Last update: 24.05.2018 08:21
First release: 20.09.2004 13:00
Views: 27573