

Is it possible to use a plaintext file with IP ranges (CIDR notation) in it to exclude specific IP ranges from the capturing process? If so, how can I do that?

Thanks in advance


asked 28 Apr '12, 07:49

LA_FORGE

At least on Unix you can do it this way:

/var/tmp# cat excluded-networks

Then run this command:

/var/tmp# tshark -n host and `perl -pe 'BEGIN {print " ( ip"}; END {print ") "}; $_ =~ s/\n//; $_ = " and not net $_ "' < /var/tmp/excluded-networks`

Replace the first part of the filter - here 'host' with whatever you like.

WARNING: If the number of networks gets large (more than 10!), this does NOT scale, as the resulting capture filter will be way too complex for fast networks!!



answered 30 Apr '12, 14:25


Kurt Knochner ♦

edited 30 Apr '12, 14:26

Thank you very much!!

(01 May '12, 08:36) LA_FORGE

@LA_FORGE I've converted your "answer" into a comment. Please see the FAQ to see how this Q&A site works.

(01 May '12, 09:45) multipleinte...

I'm glad that I was able to help...

(01 May '12, 11:53) Kurt Knochner ♦

@Kurt how many ranges are possible on slow networks? The CPU power shouldn't be the problem, I have an 80.000 MIPS machine here.

(01 May '12, 14:00) LA_FORGE

Well, that's really hard to say. It depends on so many parameters. Just out of thin air, I would say around 20-30 (NOT tested!).

Besides the CPU, the max length of the CLI parameters (of the shell) could be a problem too. Maybe there is a limit in tshark regarding the length of a capture filter (check the code).

BTW: What are you looking for? Maybe there is a better way to achieve that goal.

(01 May '12, 14:38) Kurt Knochner ♦

I want to exclude many ranges (blacklist) from the capturing process. Since the age of 18 I've been blind and I'm depending on screen reader software to use the computer. But I don't want to refrain from Wireshark/tshark, only the flood of information is the problem for me.

(02 May '12, 13:05) LA_FORGE
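Added example, not part of the original answers: the same filter-building idea as the perl one-liner above, written in Python, going one step further by validating every line and merging duplicate, overlapping and adjacent ranges so the capture filter has fewer terms. The function names, the sample ranges and the `max_terms` default (taken from the untested 20-30 estimate in the comments) are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample input: one CIDR per line; blank lines and '#' comments allowed.
SAMPLE = """\
# blacklist
10.0.0.0/24
10.0.1.0/24
192.0.2.0/25
192.0.2.128/25
198.51.100.7
10.0.0.0/24
"""

def load_networks(text):
    """Parse CIDR lines strictly; anything that is not an IPv4 network is rejected."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects host bits (10.0.0.1/24), which pcap rejects too.
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
    return nets

def build_capture_filter(text, base="ip", max_terms=30):
    """Return a capture filter: base traffic, minus every listed network."""
    # Merging keeps the filter short: two adjacent /24s become one /23.
    merged = list(ipaddress.collapse_addresses(load_networks(text)))
    if len(merged) > max_terms:  # assumed limit, adjust after testing
        raise ValueError(f"{len(merged)} networks after merging exceeds {max_terms}")
    if not merged:
        return base
    excluded = " or ".join(f"net {n}" for n in merged)
    return f"({base}) and not ({excluded})"

def tshark_argv(text):
    """Argument list for subprocess.run(); no shell is involved, and only
    parsed networks reach the filter, so file contents cannot inject syntax."""
    return ["tshark", "-n", "-f", build_capture_filter(text)]

if __name__ == "__main__":
    print(build_capture_filter(SAMPLE))
```

Six input lines collapse to three `net` terms here; replace `base` with any other capture filter expression, as the answer suggests for its first filter part.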

Not directly.

You could, however, do some scripting to specify as a command line arg a capture filter (or display filter) to wireshark or tshark or a capture filter to dumpcap.

See the wireshark/tshark/dumpcap help and man pages.

Feel free to submit an enhancement request (or patch implementing the feature) at


answered 30 Apr '12, 10:50


Bill Meier ♦♦

edited 30 Apr '12, 10:52

question asked: 28 Apr '12, 07:49

question was seen: 4,879 times

last updated: 02 May '12, 13:14
