This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Struggling to get correct answer….. IP Range

0

Hi, Think I have googled just about everything but cannot find he answer I am looking for.

I want Wireshark to monitor a range of ip address, ie: 192.168.2.10 - 192.168.2.30

Have tried all sorts of options with AND OR <> and dont seem to get anywhere. I am guessing its a simple one and I am just not seeing it.

Any help would be appreicated.

thanks

asked 10 Jul '16, 11:09

d95gas's gravatar image

d95gas
6334
accept rate: 0%

One Answer:

1

There is no direct way to define an ip range in a capture filter syntax. The maximum you can do is to use a combination of net and host expressions, like (net 192.168.2.8/29 and not host 192.168.2.8 and not host 192.168.2.9) or (net 192.168.2.16/28 and not host 192.168.2.31) for your particular case, to make the condition shorter than a plain list of host x.x.x.x expressions.

For a display filter, ip.addr >= 192.168.2.10 and ip.addr <= 192.168.2.30 does what you want, and for tshark with -w option, a display filter has the same effect on the output capture file like a capture filter (there are differences but in this case I think you can neglect them).

Depending on your use case, for Wireshark use, it might make sense to use a wider capture filter (like net 192.168.2.0/27) to reduce the amount of captured packets, then apply the display filter above to show only the ones you really wanted, and then use File -> Export Selected Packets -> Displayed to save only the shown ones to a new file.

answered 10 Jul '16, 12:38

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 10 Jul '16, 12:44