How can I create a filter for wireshark to get the IP of an incoming connection?
Asked by
XOIIO (
18328
)
December 24th, 2010
I’m having trouble making a filter for wireshark. I need a simple one that I can change the website name and it will display the IP adress of any incoming connection. Can you help me?
I have a few websites that I want to find out where they are based, and test this out on video adds on some other websites.
Observing members:
0
Composing members:
0
3 Answers
I’m not sure exactly how to do this in Wireshark, because I generally would use netstat for this sort of thing. For things that are part of a website, you probably don’t need any software other than your browser. Browsers can generally give you the URL of any given element on a page. Given that you can just do a WHOIS query (this is something that many websites can do for you, just google ‘whois query’) to find out who owns the domain and what their nameservers are. Then you can use DiG (similar but superior to nslookup) to query the nameservers to get the specific IP address of the servers you are looking for.
I used wireshark for a while but I never became expert with it, because it does little afaik that ntop and netstat combined don’t do- and I’m already used to those.
Would netstat work better for what I need to be done?
I’m still not sure exactly what you are trying to accomplish, but netstat can certainly show the IP address of any incoming connection (by default netstat prints all connections, incoming and outgoing; the -n option causes it to print IP addresses instead of names.)
Netstat is an extremely powerful and sophisticated program, and I strongly recommend
reading the manual before use.
Here’s sample output of netstat -nut (show Numeric addresses, show Udp connections, show Tcp connections):
netstat -nut
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 1 0 127.0.0.1:56461 127.0.0.1:51303 CLOSE_WAIT
tcp 0 0 127.0.0.1:51303 127.0.0.1:44095 TIME_WAIT
tcp 0 0 127.0.0.1:52893 127.0.0.1:42758 ESTABLISHED
tcp 1 0 127.0.0.1:48620 127.0.0.1:51303 CLOSE_WAIT
tcp 1 0 127.0.0.1:57403 127.0.0.1:51303 CLOSE_WAIT
tcp 1 0 127.0.0.1:46852 127.0.0.1:51303 CLOSE_WAIT
tcp 0 0 10.0.0.4:42249 209.251.184.237:6667 ESTABLISHED
tcp 1 0 127.0.0.1:33355 127.0.0.1:51303 CLOSE_WAIT
tcp 0 0 127.0.0.1:44103 127.0.0.1:51303 ESTABLISHED
tcp 0 0 127.0.0.1:51303 127.0.0.1:44103 ESTABLISHED
tcp 0 0 10.0.0.4:44288 96.17.8.24:80 ESTABLISHED
Answer this question 
This question is in the General Section. Responses must be helpful and on-topic.
Composing members:
0
