This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

New to WireShark - how to filter by partial destination ip?

0

New to wireshark. I want to use the tool to figure out what traffic is being sent over the internet. I already know what protocol i am looking for. So i want to create a filter for IP destination outside my LAN and protocol==TCP. How would i accomplish this?

Thanks in advance,

Bob

asked 06 Mar '15, 09:22

blentz's gravatar image

blentz
6112
accept rate: 0%

One Answer:

2

Display filter "tcp && !ip.dst==192.168.1.0/24" where 192.168.1.0/24 is your LAN subnet. Substitute your actual LAN address range.

answered 06 Mar '15, 09:47

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

sorry but i don't understand the 0/24 - what is that? My lan subnet is 192.168.1.0-254

(09 Mar '15, 08:18) blentz

An IPv4 address is 32 bits (four bytes). The "/24" means we only care about the first 24 bits (the first three bytes). So "192.168.1.0/24" means any address that has 192.168.1 as the first three bytes. We don't care what the fourth byte is. So 192.168.1.0/24 is equivalent to 192.168.1.0-254.

(09 Mar '15, 09:46) Jim Aragon