This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter out wildcard domain names

0

I would like to create a display filter that will remove all sub-domains within a known domain. For example, I want to exclude all *.dropbox.com traffic like www.dropbox.com and snt-re4-8d.sjc.dropbox.com, along with snt-re3-4b.sjc.dropbox.com and snt-re3-7b.sjc.dropbox.com, etc., with one command, not 4+.

So far !(ip.host == www.dropbox.com) works, but *.dropbox.com produces an "isn't a valid syntax" filter error.

Thanks

asked 07 Nov '14, 15:26


fa2lerror


3 Answers:

1

I just tried !ip.host contains "dropbox.com" and it seems to achieve what you want.


Regards Matthias

answered 07 Nov '14, 23:09


mrEEde
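A note on the accepted filter, as an added example that is not part of mrEEde's answer or of Wireshark itself. `contains` is a plain substring test, so `!ip.host contains "dropbox.com"` also drops hosts such as notdropbox.com or dropbox.com.attacker.example, which are not under the dropbox.com zone. The script below models the semantics of `contains` against the suffix match the question actually asks for, and builds the anchored `matches` form of the filter (`!(ip.host matches "(^|\\.)dropbox\\.com$")`, with the regex metacharacters double-escaped because Wireshark string literals interpret backslash escapes). The hostnames are constructed sample values, not captured data, and the field name `ip.host` is taken from the question.

```python
import re

# Added example; not code from the original Q&A page or from the Wireshark project.
# Sample hostnames are constructed for illustration.

SAMPLE_HOSTS = [
    "www.dropbox.com",
    "snt-re4-8d.sjc.dropbox.com",
    "dropbox.com",
    "DROPBOX.COM.",                   # uppercase with trailing dot: still the same name
    "notdropbox.com",                 # substring hit, but not a subdomain of dropbox.com
    "dropbox.com.attacker.example",   # substring hit, but not a subdomain of dropbox.com
    "www.example.com",
]


def _normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def contains_match(host: str, domain: str) -> bool:
    """Semantics of `ip.host contains "domain"`: a case-sensitive substring test."""
    return domain in host


def suffix_match(host: str, domain: str) -> bool:
    """What the question asks for: the domain itself or any name below it."""
    host, domain = _normalise(host), _normalise(domain)
    return host == domain or host.endswith("." + domain)


def suffix_regex(domain: str) -> str:
    """Regex that is true only for `domain` or a name ending in `.domain`."""
    return "(^|\\.)" + re.escape(_normalise(domain)) + "$"


def regex_match(host: str, domain: str) -> bool:
    """Apply suffix_regex() with Python's re; PCRE agrees for this simple pattern."""
    return re.search(suffix_regex(domain), _normalise(host)) is not None


def wireshark_suffix_filter(domain: str, field: str = "ip.host") -> str:
    """Build the display filter that excludes `domain` and all its subdomains.

    Backslashes are doubled because the regex sits inside a Wireshark
    double-quoted string literal, which processes backslash escapes itself.
    """
    escaped = suffix_regex(domain).replace("\\", "\\\\")
    return f'!({field} matches "{escaped}")'


def compare(domain: str = "dropbox.com") -> dict:
    """For each sample host: (contains hit, wanted suffix hit, anchored regex hit)."""
    return {
        h: (contains_match(h, domain), suffix_match(h, domain), regex_match(h, domain))
        for h in SAMPLE_HOSTS
    }


if __name__ == "__main__":
    print("Filter:", wireshark_suffix_filter("dropbox.com"))
    print(f"{'host':32} contains  suffix  regex")
    for host, (c, s, r) in compare().items():
        print(f"{host:32} {str(c):9} {str(s):7} {str(r)}")
```

Two caveats worth keeping in mind when applying either filter. `ip.host` is populated from name resolution; on a capture where the address was never resolved the field is absent, the comparison is false, and the negated filter keeps the packet. Where the name is carried in the packet itself (dns.qry.name, http.host, tls.handshake.extensions_server_name) the same anchored regex can be applied to that field instead, which does not depend on resolution at all.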

0

There's no way to do that. Wireshark doesn't have any code to get all the DNS records for a wildcard domain name and do a filter that compares an IP address field with all IP addresses in the records that match that domain name.

answered 07 Nov '14, 18:59


Guy Harris ♦♦

0

Actually, it's a record in a DNS zone that matches requests for a nonexistent domain name. If you have a personal domain with email configured in it, you can filter out the wildcards. However, the process is multilevel and quite complex. For convenience, you can see slipstick.com/outlook/rules/create-a-rule-with-wildcards/. The source describes all wildcard rules, so I hope it will be helpful for you.

answered 26 Feb '15, 02:29


karltucker