Hello All, I am new to Wireshark and actually to packet capture altogether. So far I have successfully done a packet capture on my computer's NIC and now I want to find out if a particular IP address or part of an IP address is present. I have tried to go through the help file that comes with Wireshark but I am not sure how to go about setting a filter or whatever to look for the particular IP address. Example, I want to see if any packets were sent to or received from 68.77.. how would I set that up? Thank You So Much, Val asked 22 Dec '10, 16:31 Valek Hawke
One Answer:
In display filter format, ip.addr will look at source and destination address for a match. We can use slash notation, so in your example 68.77.0.0/16. So the following display filter should work for you: ip.addr==68.77.0.0/16. If we were doing this with a capture filter: ip net 68.77.0.0/16 answered 22 Dec '10, 16:38 Paul Stewart
Paul, thank you so much, so in your example the zeroes will act as wildcards? Is that correct? And is the subnet mask switch necessary?
Edit: I figured it out. I had actually typed the IP Address wrong when I put it in the filter field. Once I corrected it I found what I was looking for.
Again, Thank You
The 0's will act as a wildcard in conjunction with the /xx notation. Think of the /xx as the subnet mask. So if you understand subnet masks: in the /xx notation, the xx represents the number of 1's in binary.
255.0.0.0=/8 (binary - 1111 1111 . 0000 0000 . 0000 0000 . 0000 0000)
255.255.0.0=/16 (binary - 1111 1111 . 1111 1111 . 0000 0000 . 0000 0000)
255.255.255.0=/24 (binary - 1111 1111 . 1111 1111 . 1111 1111 . 0000 0000)
255.255.255.128=/25 (binary - 1111 1111 . 1111 1111 . 1111 1111 . 1000 0000)
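As an added illustration (not code from the thread or from Wireshark itself), the following Python mimics what the display filter ip.addr==68.77.0.0/16 does: it builds the mask from the /xx prefix length exactly as the table above describes, then keeps every packet whose source OR destination falls inside that prefix. The packet list is constructed sample data, not a real capture.

```python
# Added example: prefix-length mask logic and an ip.addr-style match over
# constructed sample packets (not from the original thread).
import socket
import struct

def prefix_to_mask(prefix_len: int) -> str:
    """Turn /xx into a dotted-decimal mask, e.g. 16 -> '255.255.0.0'.
    The mask is simply prefix_len leading 1 bits followed by 0 bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return socket.inet_ntoa(struct.pack("!I", mask_int))

def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def in_network(ip: str, cidr: str) -> bool:
    """True if ip lies inside cidr (e.g. '68.77.0.0/16'): the 0 octets in the
    network address are 'wildcards' because the mask clears those bits."""
    net, plen = cidr.split("/")
    mask_int = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask_int) == (ip_to_int(net) & mask_int)

def ip_addr_filter(packets, cidr):
    """Equivalent of display filter ip.addr == <cidr>: Wireshark's ip.addr
    matches when EITHER the source or the destination address is in range
    (ip.src / ip.dst would restrict this to one direction)."""
    return [p for p in packets
            if in_network(p["src"], cidr) or in_network(p["dst"], cidr)]

# Constructed sample packets, one dict per frame (not a real capture).
PACKETS = [
    {"no": 1, "src": "192.168.1.10", "dst": "68.77.12.34"},   # sent to 68.77.x.x
    {"no": 2, "src": "68.77.200.1",  "dst": "192.168.1.10"},  # received from 68.77.x.x
    {"no": 3, "src": "192.168.1.10", "dst": "68.78.0.5"},     # 68.78 is outside the /16
    {"no": 4, "src": "10.0.0.2",     "dst": "10.0.0.3"},      # unrelated traffic
]

if __name__ == "__main__":
    for plen in (8, 16, 24, 25):
        print(f"/{plen} = {prefix_to_mask(plen)}")
    for p in ip_addr_filter(PACKETS, "68.77.0.0/16"):
        print(f"frame {p['no']}: {p['src']} -> {p['dst']}")
```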