I would like to create a display filter on the last 2 octets of an IP address. In this case I want to filter for the IP address xxx.xxx.149.195. What is the display filter expression, using the offset and slice operators or a wildcard expression, that I would need to use?

asked 21 Jun '13, 14:06 mrproject
3 Answers:
If you are looking for a Wireshark display filter that matches either the source or the destination address, then you can use:
If you only want the source address:
And if you only want the destination address:
For more information on Wireshark filters, refer to the wireshark-filter man page. Further links are provided there for more information on the "matches" operator, although one of them appears to be broken, so you can use this one instead: https://developer.gnome.org/glib/2.34/glib-regex-syntax.html

answered 21 Jun '13, 19:58 cmaynard
Try this one:

ip[14:2] eq 95c3 or ip[18:2] eq 95c3

answered 21 Jun '13, 14:35 mrEEde2
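The two answers above take different routes to the same result: cmaynard's uses the "matches" operator with a regular expression on the printed address, mrEEde2's reads two raw bytes out of the IP header with the slice operator. The following is an added example, not code from the thread or from Wireshark, that models both filters in Python over a few constructed IPv4 headers so you can see why they agree. The header layout is the standard one (source address at bytes 12 to 15, destination at 16 to 19, so the last two octets sit at ip[14:2] and ip[18:2]), and 149.195 in hex is 95 c3, which is where the value 95c3 in the answer comes from. The sample flows are constructed, not captured.

```python
import ipaddress
import re
import struct

# Offsets inside the IPv4 header, in bytes. Wireshark's ip[offset:length]
# slice is relative to the start of the IP header, so the last two octets of
# the source address sit at ip[14:2] and those of the destination at ip[18:2].
SRC_OFFSET = 12
DST_OFFSET = 16
TARGET_OCTETS = bytes([149, 195])   # TARGET_OCTETS.hex() == "95c3", the value in the answer

# Regex form: escape the dots so they match literal dots, and anchor with $
# so that 10.149.195.1 (which contains ".149.195" in the middle) does not match.
LAST_TWO_OCTETS = re.compile(r"\.149\.195$")


def ipv4_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto (TCP), checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ip_slice(header: bytes, offset: int, length: int) -> bytes:
    """Model of the display-filter slice operator ip[offset:length]."""
    return header[offset:offset + length]


def filter_slice(header: bytes) -> bool:
    """Model of: ip[14:2] == 95:c3 or ip[18:2] == 95:c3"""
    return (ip_slice(header, SRC_OFFSET + 2, 2) == TARGET_OCTETS
            or ip_slice(header, DST_OFFSET + 2, 2) == TARGET_OCTETS)


def filter_regex(header: bytes) -> bool:
    r"""Model of: ip.addr matches "\.149\.195$", tried against both address occurrences."""
    src = str(ipaddress.IPv4Address(ip_slice(header, SRC_OFFSET, 4)))
    dst = str(ipaddress.IPv4Address(ip_slice(header, DST_OFFSET, 4)))
    return any(LAST_TWO_OCTETS.search(addr) for addr in (src, dst))


# Constructed sample traffic (not captured): (src, dst, should it match?)
SAMPLE_FLOWS = [
    ("10.1.149.195", "192.168.7.20", True),    # source ends in .149.195
    ("192.168.7.20", "172.16.149.195", True),  # destination ends in .149.195
    ("10.1.149.196", "192.168.7.20", False),   # off by one in the last octet
    ("149.195.1.2", "8.8.8.8", False),         # 149.195 in the FIRST two octets
    ("10.149.195.1", "8.8.8.8", False),        # .149.195 in the middle, not at the end
]
SAMPLE_HEADERS = [ipv4_header(s, d) for s, d, _ in SAMPLE_FLOWS]


def compare_filters() -> list:
    """Return (slice result, regex result, expected) for each sample header."""
    return [(filter_slice(h), filter_regex(h), want)
            for h, (_, _, want) in zip(SAMPLE_HEADERS, SAMPLE_FLOWS)]


if __name__ == "__main__":
    print("target bytes:", TARGET_OCTETS.hex())
    for (s, d, _), (by_slice, by_regex, want) in zip(SAMPLE_FLOWS, compare_filters()):
        print(f"{s:>15} -> {d:<15} slice={by_slice!s:5} regex={by_regex!s:5} expected={want}")
```

The fourth and fifth flows are the ones worth noticing: 149.195 in the first two octets, or in the middle of the address, is rejected by both filters, which is exactly the distinction raised later in this thread. The slice form is the cheaper of the two for Wireshark to evaluate, but it is only correct as long as the field you slice really is the IPv4 header; the regex form reads more clearly and is what you want if name resolution may turn ip.host into a hostname.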
But the negative form of this does not work. For example, if I want to filter out all traffic from 149.195../16, none of the below work. Did mrproject not post his IP address correctly? Was he trying to filter out 149.195.. or ..149.195?

ip.host !matches ".149.195$"
!ip.host matches ".149.195$"
ip.host !== ".149.195$"

I thought I had found the answer here: http://wiki.wireshark.org/DisplayFilters

!ip.host==192.168.0.0/16

but the above doesn't work, neither does

ip.host != 192.168.0.0/16

Final edit: I got it working with !ip.addr == 192.168.0.0/24. I didn't realize that ip.host is deprecated.

answered 02 Jan '15, 10:12 Justin Goldberg, edited 02 Jan '15, 10:27
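The reason the post above ends up with !ip.addr == 192.168.0.0/24 rather than ip.addr != 192.168.0.0/24 is how Wireshark of that era evaluated comparisons on a field that occurs more than once per packet: ip.addr is present twice (source and destination), and "ip.addr != x" was true if any occurrence differed from x, which is nearly every packet. Negating the positive test instead ("!(ip.addr == x)") is true only when no occurrence matches. The following added example, not code from the thread or from Wireshark, models those two evaluations in Python over constructed flows so the difference is visible. Note that Wireshark 3.6 changed "!=" to mean "all occurrences differ", so on current releases the != form behaves as the post expected; the negated form works on both old and new versions.

```python
import ipaddress

# Constructed sample flows (not captured): (src, dst). The goal in the post
# above is to drop everything that touches 192.168.0.0/24.
SUBNET = ipaddress.IPv4Network("192.168.0.0/24")
SAMPLE_FLOWS = [
    ("192.168.0.5", "8.8.8.8"),        # one local endpoint: should be dropped
    ("8.8.8.8", "192.168.0.7"),        # one local endpoint: should be dropped
    ("10.0.0.1", "10.0.0.2"),          # no local endpoint: should be kept
    ("192.168.0.5", "192.168.0.6"),    # both local: should be dropped
]


def ip_addr_occurrences(src: str, dst: str) -> list:
    """ip.addr appears twice per IPv4 packet: once for ip.src, once for ip.dst."""
    return [ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)]


def filter_eq(src: str, dst: str, net=SUBNET) -> bool:
    """Model of: ip.addr == net  (true if ANY occurrence is inside the subnet)."""
    return any(addr in net for addr in ip_addr_occurrences(src, dst))


def filter_any_ne(src: str, dst: str, net=SUBNET) -> bool:
    """Model of: ip.addr != net as Wireshark 1.x evaluated it (true if ANY occurrence is outside)."""
    return any(addr not in net for addr in ip_addr_occurrences(src, dst))


def filter_not_eq(src: str, dst: str, net=SUBNET) -> bool:
    """Model of: !(ip.addr == net)  (true only if NO occurrence is inside the subnet)."""
    return not filter_eq(src, dst, net)


def evaluate() -> dict:
    """For each filter form, return which of the sample flows it keeps (True) or drops (False)."""
    return {
        "ip.addr != 192.168.0.0/24": [filter_any_ne(s, d) for s, d in SAMPLE_FLOWS],
        "!(ip.addr == 192.168.0.0/24)": [filter_not_eq(s, d) for s, d in SAMPLE_FLOWS],
    }


if __name__ == "__main__":
    for expr, kept in evaluate().items():
        print(f"{expr:32} keeps {kept}")
```

Only the third flow should survive. The "!=" model keeps the first two as well, because in each of them one of the two address occurrences lies outside the subnet; that is the "it doesn't work" behaviour reported above, and it applies to any multi-occurrence field (tcp.port, eth.addr, and so on), not just ip.addr.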
He was specifically filtering on the last two octets, so CIDR filters will not help. You need to use regex expressions.