This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter - how to NOT capture ip range?

Example of my filter: "not broadcast and not multicast and not src net 192.168.1.0/24"

and don't want to capture data from IP range: 146.170.1.1 - 146.170.255.255 and 226.111.1.1 - 226.111.255.255

filter capture

asked 27 Apr '16, 04:14

myszoor
5●1●1●3
accept rate: 0%

edited 27 Apr '16, 04:16

3 Answers:

If you want to exclude subnet ranges completely you'll need to explicitly exclude both source and destination IP ranges, e.g.:

not (ip.src==146.170.0.0/16 or ip.dst==146.170.0.0/16) and not (ip.src==226.111.0.0/16 or ip.dst==226.111.0.0/16)

answered 27 Apr '16, 04:29

Jasper ♦♦
23.8k●5●51●284
accept rate: 18%

@Jasper,

the OP asks for a capture filter so the syntax is not the correct one; in capture filter, not net 146.170.0.0/16 would cover both src and dst but he's asked for src only (data from IP range)
the OP has specially asked for a range so 146.170.0.0/16 won't do as 146.170.0.0/24, 146.170.1.0/32 and 146.170.1.1/32 should be let through unless he's made a mistake.

(27 Apr '16, 04:39) sindy

right... my bad about the capture filter syntax, I read the question too fast I guess. :-)

The question wording is a bit unspecific - he gives an example with broadcast and multicast and a src range and say "AND don't want to..." which lead me to assume that he want's to expand the example. I assumed also that the ranges should not appear at all, so a src filter only wouldn't do.

And yes, I assumed the full range was in question as it makes almost no sense at all to leave two /32 in there, especially the .0.0 which is the net address and should never been seen anyway for that range.

(27 Apr '16, 04:54) Jasper ♦♦

The simple answer would be not net 146.170.0.0/16 and not net 226.111.0.0/16 but that would also exclude the ranges 146.170.0.0 - 146.170.0.255 and 226.111.0.0 - 226.111.0.255.

If you do want to see traffic in the x.x.0.0/24 subnets, then you'll have to "or" in those networks, e.g. ... or net 142.170.0.0/24 or net 226.111.0.0/24

answered 27 Apr '16, 04:43

grahamb ♦
19.8k●3●30●206
accept rate: 22%

This

The simple answer would be not net 146.170.0.0/16 and not net 226.111.0.0/16 but that would also exclude the ranges 146.170.0.0 - 146.170.0.255 and 226.111.0.0 - 226.111.0.255.

works fine - thanks :)

Have one more question - how add to this filter: "not broadcast and not multicast and not src net 192.168.1.0/24" exception "192.168.1.111".

Overall idea is: want ignore all local network traffic with exception of traffic beetwen IP "192.168.1.111" (on 192.168.1.111 is working WS) and Internet. In Internet traffic want ignore IP from range 146.170.0.0/16 and 226.111.0.0/16 (beacuse hosts from this IP ranges are trusted for me).

(27 Apr '16, 05:34) myszoor

not broadcast and not multicast and (not src net 192.168.1.0/24 or src host 192.168.1.111)

(27 Apr '16, 05:36) sindy

Hi all, is it correct the below filter for his aim in your opinion ?

(not broadcast and not multicast and not ip src net 192.168.1.0/24) or (not ip net 146.170.0.0/16 or not ip net 226.111.0.0/16)

Have a nice day

answered 27 Apr '16, 05:16

ValerioItaly
5●3●3●4
accept rate: 0%

It is not correct at least because not ip net 146.170.0.0/16 is true also for e.g. broadcast packets, and not broadcast is true for any non-broadcast packet including one from/to 146.170.0.0/16, so (simplified for illustration) not broadcast or not ip net 146.170.0.0/16 would cause both broadcast packets and packets to/from 146.170.0.0/16 to be captured. For similar reason, not net X or not net Y would let through everything (unless networks X and Y overlap in some way).

@grahamb's answer is the closest one so far. Let's wait for OP's update and eventually adjust that one accordingly. But basically ((not src net 146.170.0.0/16) or src net 146.170.0.0/24) is a way to exclude packets whose src ip is in range 146.170.1.0 to 146.170.255.255 from the capture.

(27 Apr '16, 05:34) sindy