# Wireshark live capture filter?



## jkhammer (Apr 22, 2010)

hi,

I'm trying to build a live capture filter to capture only certain name queries from our DNS server. The filter should pick queries that include the string "facebook".

I know how to make a display filter, but I can't do the live capture one. Any help?


----------



## scottsee (Feb 28, 2007)

`(ip.dst == ip.of.dns.server) && (dns.qry.name == "www.facebook.com")`

*EDIT-* That filter will display only IP packets sent to your DNS server *and* having the DNS query of www.facebook.com. You don't need the IP destination of your DNS server, but I added that only because you may be deploying more than one DNS server, and depending on where you are deploying Wireshark on your network it will give you a more precise capture for a specific DNS server.


----------



## scottsee (Feb 28, 2007)

If you're running Wireshark on your DNS machine, use only the `dns.qry.name == "www.facebook.com"` part.


----------



## jkhammer (Apr 22, 2010)

hi,

That is a filter for the viewed packets out of all the captured packets, not a 'Capture Options'-type filter.
The problem is that I get so much data coming into that server that I want to capture as little as possible. Currently I'm using this filter:

`udp port 53 and dst host [ip.address of DNS-server]`

This filters only DNS packets destined for my DNS server, but I would like to narrow the captured packets even more.


----------



## scottsee (Feb 28, 2007)

Ohhhhh, you're right... I forgot that the capture option uses the libpcap filter language. According to the tcpdump man page, it doesn't seem like DNS query names are directly supported.

If I were really serious about building a capture, I'd do a whois on the facebook domain and add each server IP to the capture list. That's if the string field for the capture box would even be long enough to include them all.

Daunting task. Good luck..
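
The capture-filter language has no string matching, but it can compare 1-, 2- and 4-byte words at fixed offsets, and the DNS question sits at a fixed offset in a UDP datagram (8-byte UDP header, 12-byte DNS header, then the QNAME in `<len><label>...<len><label>0x00` wire form). So an exact query name can be turned into a chain of `udp[off:n] = 0x...` comparisons, which is something libpcap does support. The script below is an added example for this thread, not code posted by jkhammer or scottsee; the function names `dns_wire_hex`, `dns_qname_bpf` and `dns_qnames_bpf` are this example's own, and it assumes IPv4, DNS over UDP and no IP options (the `udp[...]` offsets depend on that).

```shell
#!/bin/sh
# Added example (not from the thread): compile a DNS query name into a
# libpcap/BPF *capture* filter by matching the wire-format question bytes.
#
# Layout inside the UDP datagram that the offsets below rely on:
#   udp[0..7]   UDP header
#   udp[8..19]  DNS header (udp[10] holds the QR bit, 0 = query)
#   udp[20..]   QNAME: <len><label>...<len><label>0x00
# Assumptions (labelled): IPv4, UDP transport, no IP options. The helper
# names are this example's own, not a Wireshark or tcpdump API.

# Hex-encode the wire form of a dotted name, e.g. www.facebook.com ->
# 03 777777 08 66616365626f6f6b 03 636f6d 00 (emitted as one hex string).
dns_wire_hex() {
    # DNS names are case-insensitive, but a BPF byte compare is not:
    # normalise to lower case and drop a trailing dot before encoding.
    rest=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z').
    hex=""
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        rest=${rest#*.}
        labelhex=$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')
        hex="$hex$(printf '%02x' "${#label}")$labelhex"
    done
    printf '%s00' "$hex"
}

# Emit a capture filter matching a standard query (QR bit = 0) for
# exactly NAME, as a chain of 4-, 2- and 1-byte compares from udp[20].
dns_qname_bpf() {
    hex=$(dns_wire_hex "$1")
    off=20                      # 8-byte UDP header + 12-byte DNS header
    filter="udp port 53 and udp[10] & 0x80 = 0"
    while [ -n "$hex" ]; do
        # BPF word sizes: take 4 bytes while we can, then 2, then 1.
        if [ ${#hex} -ge 8 ]; then n=4
        elif [ ${#hex} -ge 4 ]; then n=2
        else n=1
        fi
        chars=$((n * 2))
        chunk=$(printf '%s' "$hex" | cut -c1-"$chars")
        hex=$(printf '%s' "$hex" | cut -c"$((chars + 1))"-)
        if [ "$n" -eq 1 ]; then
            filter="$filter and udp[$off] = 0x$chunk"
        else
            filter="$filter and udp[$off:$n] = 0x$chunk"
        fi
        off=$((off + n))
    done
    printf '%s\n' "$filter"
}

# OR together the filters for several exact names. BPF cannot express
# "name contains facebook", so enumerate the label shapes you care about.
dns_qnames_bpf() {
    out=""
    for name in "$@"; do
        one=$(dns_qname_bpf "$name")
        if [ -z "$out" ]; then out="($one)"; else out="$out or ($one)"; fi
    done
    printf '%s\n' "$out"
}

# Usage: build the expression, then hand it to tcpdump or dumpcap together
# with the dst host restriction from the thread (10.0.0.53 is a placeholder):
#   tcpdump -i eth0 -w fb-queries.pcap \
#     "dst host 10.0.0.53 and ($(dns_qnames_bpf facebook.com www.facebook.com))"
```

`dns_qname_bpf www.facebook.com` produces `udp port 53 and udp[10] & 0x80 = 0 and udp[20:4] = 0x03777777 and udp[24:4] = 0x08666163 and udp[28:4] = 0x65626f6f and udp[32:4] = 0x6b03636f and udp[36:2] = 0x6d00`, which can be pasted straight into the Wireshark capture-filter box or checked with `tcpdump -d` before any capture is started. Caveats a practitioner should keep in mind: it only matches exact names at their fixed position, so a client querying `FACEBOOK.COM` (or a resolver using 0x20 case randomisation), a query carried over TCP, or an IPv6 packet will not be captured, and the `udp[10] & 0x80 = 0` clause deliberately drops the responses so only the questions are written to disk.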


----------

