
Capture filter expressions

0

I have a home network which I am monitoring using wireshark and I need some help with a modified capture filter expression. I am trying to filter out traffic between any of my LOCAL devices and each other. This is particularly relevant to me because I have a number of IP cameras that generate a lot of traffic when I connect to them from any of my local PCs. The intention is to only capture traffic to/from the public Internet and my devices.

Static addresses...

- 192.168.1.43 = router
- 192.168.1.61 = pc1, wired
- 192.168.1.62 = pc2, wired
- 192.168.1.72 = pc2, wireless
- 192.168.1.63 = pc3, wired
- 192.168.1.73 = pc3, wireless
- 192.168.1.101 = IP camera #1
- 192.168.1.102 = IP camera #2
- 192.168.1.103 = IP camera #3
- 192.168.1.104 = IP camera #4
- 192.168.1.105 = IP camera #5

Original long-winded capture filter used by wireshark when started on the command line (.bat file). I have separated the components for clarity...

+++++++++++++++ start of filter +++++++++++++++

(not broadcast and not multicast)

and (not (src host 192.168.1.61 and dst host 192.168.1.43)) and (not (src host 192.168.1.62 and dst host 192.168.1.43)) and (not (src host 192.168.1.63 and dst host 192.168.1.43)) and (not (src host 192.168.1.72 and dst host 192.168.1.43)) and (not (src host 192.168.1.73 and dst host 192.168.1.43))

and (not (src host 192.168.1.61 and dst host 192.168.1.101)) and (not (src host 192.168.1.61 and dst host 192.168.1.102)) and (not (src host 192.168.1.61 and dst host 192.168.1.103)) and (not (src host 192.168.1.61 and dst host 192.168.1.104)) and (not (src host 192.168.1.61 and dst host 192.168.1.105))

and (not (src host 192.168.1.62 and dst host 192.168.1.101)) and (not (src host 192.168.1.62 and dst host 192.168.1.102)) and (not (src host 192.168.1.62 and dst host 192.168.1.103)) and (not (src host 192.168.1.62 and dst host 192.168.1.104)) and (not (src host 192.168.1.62 and dst host 192.168.1.105))

and (not (src host 192.168.1.63 and dst host 192.168.1.101)) and (not (src host 192.168.1.63 and dst host 192.168.1.102)) and (not (src host 192.168.1.63 and dst host 192.168.1.103)) and (not (src host 192.168.1.63 and dst host 192.168.1.104)) and (not (src host 192.168.1.63 and dst host 192.168.1.105))

+++++++++++++++ end of filter +++++++++++++++

When the above filter, which works, is declared on a single line it is over 1200 characters in length, which I find a little excessive! I want to simplify the filter using IP address RANGES.

According to examples provided at http://wiki.wireshark.org/CaptureFilters...

  • Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 (or net 192.168.0.0 mask 255.255.255.0)

  • Capture traffic from a range of IP addresses: src net 192.168.0.0/24 (or src net 192.168.0.0 mask 255.255.255.0)

  • Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 (or dst net 192.168.0.0 mask 255.255.255.0)

[Group 1] So based on the above I tried using...

(not broadcast and not multicast)

and (not (src net 192.168.1.0/32 and dst host 192.168.1.43))

and (not (src net 192.168.1.0/32 and dst net 192.168.1.0/32))

NB. I used "/32" rather than "/24" because I read somewhere that there are only 32 bits in an IPv4 address, although I might be confusing the meaning here.

I have also tried...

[Group 2] based on "dotted-quad" filter expressions shown at http://www.tcpdump.org/manpages/pcap-filter.7.html...

(not broadcast and not multicast)

and (not ((src net 192.168.1.0 mask 255.255.255.0) and dst host 192.168.1.43))

and (not ((src net 192.168.1.0 mask 255.255.255.0) and (dst net 192.168.1.0 mask 255.255.255.0)))

and also...

[Group 3] based on "dotted-triple" filter expressions shown at http://www.tcpdump.org/manpages/pcap-filter.7.html...

(not broadcast and not multicast)

and (not ((src net 192.168.1 mask 255.255.255.0) and dst host 192.168.1.43))

and (not ((src net 192.168.1 mask 255.255.255.0) and (dst net 192.168.1 mask 255.255.255.0)))

All of these last 3 filters are valid as far as Wireshark is concerned, i.e. no errors reported. My question is - are these last 3 [groups] of filter expressions equivalent to the original lengthy filter? (I have read up on IP addresses and subnet masks, but I am still confused, so I need help please.)

asked 17 Jun '14, 09:03


gargoil666uk
accept rate: 0%

edited 17 Jun '14, 09:05


One Answer:

1

How about this:

'not (src net 192.168.1.0/24 and dst net 192.168.1.0/24)'

which means: every packet where the (source and destination address) of the packet are not in the network 192.168.1.0/24.

Regards
Kurt

answered 17 Jun '14, 12:16


Kurt Knochner ♦
accept rate: 15%

edited 17 Jun '14, 12:34

Thanks Kurt, that did the trick. It was so obvious, but I had spent too much time staring at my variations that I couldn't see the wood for the trees.

(18 Jun '14, 04:08) gargoil666uk

Good!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(18 Jun '14, 04:35) Kurt Knochner ♦
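As an added example (not from the thread and not Wireshark or libpcap code), the filters under discussion modelled as Python predicates over (src, dst) address pairs, so the three groups can be checked against the original chain instead of guessed at. The public address 203.0.113.9 is a constructed placeholder, and the broadcast/multicast clause is left out because it is common to every variant.

```python
from ipaddress import ip_address, ip_network

# Hosts from the question. 203.0.113.9 is a constructed "Internet" address.
ROUTER = ip_address("192.168.1.43")
PCS_WIRED = {ip_address(f"192.168.1.{n}") for n in (61, 62, 63)}
PCS_ALL = PCS_WIRED | {ip_address(f"192.168.1.{n}") for n in (72, 73)}
CAMERAS = {ip_address(f"192.168.1.{n}") for n in range(101, 106)}
INTERNET = ip_address("203.0.113.9")
HOSTS = sorted({ROUTER, INTERNET} | PCS_ALL | CAMERAS)
PC1, CAM1 = ip_address("192.168.1.61"), ip_address("192.168.1.101")


def original(src, dst):
    """The 1200-character filter: 'not (src host X and dst host Y)' for
    every pc->router pair and every wired-pc->camera pair, nothing else."""
    if src in PCS_ALL and dst == ROUTER:
        return False
    if src in PCS_WIRED and dst in CAMERAS:
        return False
    return True


def net_filter(prefix_len):
    """Groups 1-3 share the same shape; only the prefix length differs:
    not (src net N and dst host router) and not (src net N and dst net N)."""
    net = ip_network(f"192.168.1.0/{prefix_len}")

    def keep(src, dst):
        return not (src in net and dst == ROUTER) and not (src in net and dst in net)

    return keep


group1 = net_filter(32)  # /32 is a single host, 192.168.1.0: matches nothing here
answer = net_filter(24)  # Groups 2/3 and Kurt's filter: the whole 192.168.1.0/24 LAN


def compare(f, g, hosts):
    """Return the (src, dst) pairs on which two capture filters disagree."""
    return sorted((s, d) for s in hosts for d in hosts
                  if s != d and f(s, d) != g(s, d))


if __name__ == "__main__":
    for s, d in compare(answer, original, HOSTS)[:5]:
        print(f"{s} -> {d}: original keeps={original(s, d)} /24 keeps={answer(s, d)}")
```

Running the comparison shows that the /32 form drops nothing, and that the /24 form is stricter than the original chain: it also drops camera-to-PC replies, router-to-PC traffic and wireless-PC-to-camera traffic, which is what the asker actually wanted.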