I can't work out the correct syntax for excluding multiple ip addresses with tshark. I'm running tshark on a centos 6 server which is command line only. I can exclude a single ip address from the scoll by using: /usr/sbin/tshark -R "ip.addr!=176.31.239.201" <-- this command excludes 176.31.239.201 but I'd also like to exclude several other ip addresses but nothing works. asked 05 May '13, 06:49  neuronetv |
One Answer:
It's usually better to build a filter that includes the stuff you don't want, and then negate it with a "not ()", e.g. like this: "ip.addr==176.31.239.201" -> "not (ip.addr==176.31.239.201)" That way you can simply deduct a filter that includes everything you need, e.g. "ip.addr==176.31.239.201 or ip.addr==192.168.0.1 or ip.addr==10.10.10.10" -> "not (ip.addr==176.31.239.201 or ip.addr==192.168.0.1 or ip.addr==10.10.10.10)" The reason why your filters didn't work is probably caused by the fact that there are TWO IP addresses in each packet, and your "!=" filter will always match one of the two, so all packets are still shown. Use the "not" technique to get around that problem. answered 05 May '13, 06:52  Jasper ♦♦ edited 05 May '13, 06:54 |
