5

What I need to see is the TCP messages sent to a port for a given IP. So for example

127.0.0.1:11000

How can I see all the TCP messages being sent to that port?

This has to work with Windows, either Windows 2003 or XP

I have tried WireShark, but I don't know the proper filter.

The solution does not have to be Wireshark, but the solution must cost nothing.

3 Answers

3

The filter language for Wireshark is taken from tcpdump/pcap-filter. Please click on the link for a reference.

So, for example, to filter on all messages with destination 127.0.0.1:11000 you would use the following expression: tcp port 11000 and dst host 127.0.0.1.

PP.
  • 3,426
  • Note that there are two types of filters: capture filters, and display filters. I've provided the capture filter (which limits what packets are captured). @quadruplebucky has provided a display filter which you could apply after capturing all packets. – PP. Feb 26 '10 at 15:28
  • That filter should also work with windump, the windows version of tcpdump – charlesbridge Feb 26 '10 at 19:53
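To make the capture-filter versus display-filter distinction from the comment above concrete, here is an added example (not from the original answer) that decodes a raw Ethernet/IPv4/TCP frame and applies both filters in Python; the frames are constructed inline, and the helper names are my own.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def parse_frame(frame: bytes):
    """Decode Ethernet II + IPv4 + TCP headers; return (src_ip, dst_ip, sport, dport) or None."""
    if len(frame) < ETH_HDR_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (options may follow the fixed 20)
    if ip[0] >> 4 != 4 or ip[9] != PROTO_TCP or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport

def capture_filter(frame: bytes, host: str, port: int) -> bool:
    """Equivalent of `tcp port PORT and dst host HOST`: only TCP going TO host, PORT on either side."""
    p = parse_frame(frame)
    return p is not None and p[1] == host and port in (p[2], p[3])

def display_filter(frame: bytes, host: str, port: int) -> bool:
    """Equivalent of `ip.addr == HOST and tcp.port == PORT`: matches BOTH directions."""
    p = parse_frame(frame)
    return p is not None and host in (p[0], p[1]) and port in (p[2], p[3])

def build_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: minimal Ethernet/IPv4/TCP frame (checksums zeroed, no payload)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

to_port = build_frame("10.0.0.5", "127.0.0.1", 51000, 11000)  # client -> service on 11000
reply = build_frame("127.0.0.1", "10.0.0.5", 11000, 51000)    # service -> client (reply)
other = build_frame("10.0.0.5", "127.0.0.1", 51001, 8080)     # same host, different port

if __name__ == "__main__":
    for name, f in (("to_port", to_port), ("reply", reply), ("other", other)):
        print(name, capture_filter(f, "127.0.0.1", 11000), display_filter(f, "127.0.0.1", 11000))
```

The reply frame shows the practical difference: the capture filter drops the service's responses, the display filter keeps the whole conversation. Note also that WinPcap does not capture traffic on the Windows loopback interface, so a 127.0.0.1 capture on XP/2003 needs a non-loopback address or another tool.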
1

The wireshark expression is ip.addr == 127.0.0.1 and tcp.port == 11000

Also, you could use Microsoft Network Monitor 3.3, which might look a little more familiar. The display (or capture -- syntax is the same) filter for that would be: TCP.DstPort == 11000 and Ipv4.Address == 127.0.0.1

quadruplebucky
  • 5,189
  • 21
  • 23
1

Wireshark traffic filters are explained here: http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html

Basically in your case, you need

tcp port 11000 and host localhost
Dominik
  • 2,238