wildcard filter

Discussion:

wildcard filter

Marlon Duksa

2008-08-12 22:01:37 UTC

1) Is wild card filtering supported in wireshark?
I'd like to filter all source IP addresses from the 11.x.x.x range. Not sure
how to do this by applying a wildcard (*).

2) Range display filter seems not to be working:

(ip.src > 11.0.0.0) && (ip.src < 11.0.0.100)

All addresses bellow 11.x.x.x are displayed with this filter (including
10.x.x.x, 1.x.x.x, 2.x.x.x in my case) which should not be the case. I only
want ot display addresses in the specified range
Thanks,
Marlon

Guy Harris

2008-08-12 22:15:44 UTC

Permalink

Post by Marlon Duksa
I'd like to filter all source IP addresses from the 11.x.x.x range.
Not sure how to do this by applying a wildcard (*).

To quote the wireshark-filter(4) man page:

Classless InterDomain Routing (CIDR) notation can be used to
test if an
IPv4 address is in a certain subnet. For example, this
display filter
will find all packets in the 129.111 Class-B network:

ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of
bits used
to represent the network. CIDR notation can also be used with
hostnames, as in this example of finding IP addresses on the
same Class
C network as 'sneezy':

ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or
hostnames, not in
variable names. So, a display filter like "ip.src/24 ==
ip.dst/24" is
not valid (yet).

so try

ip.src == 11.0.0.0/8

Marlon Duksa

2008-08-12 22:28:48 UTC

Permalink

Thanks. That worked!
Marlon

Post by Guy Harris

Post by Marlon Duksa
I'd like to filter all source IP addresses from the 11.x.x.x range.
Not sure how to do this by applying a wildcard (*).

Classless InterDomain Routing (CIDR) notation can be used to
test if an
IPv4 address is in a certain subnet. For example, this
display filter
ip.addr == 129.111.0.0/16
Remember, the number after the slash represents the number of
bits used
to represent the network. CIDR notation can also be used with
hostnames, as in this example of finding IP addresses on the
same Class
ip.addr eq sneezy/24
The CIDR notation can only be used on IP addresses or
hostnames, not in
variable names. So, a display filter like "ip.src/24 ==
ip.dst/24" is
not valid (yet).
so try
ip.src == 11.0.0.0/8
_______________________________________________
Wireshark-users mailing list
https://wireshark.org/mailman/listinfo/wireshark-users

Continue reading on narkive:

Search results for 'wildcard filter' (Questions and Answers)

replies

Excel Countif function will not count using wildcard as a filter for number values.?

started 2011-09-17 16:36:38 UTC

software

replies

I have a site that requires an invitation code. it's php. is there anyway someone could enter a wildcard?

started 2007-10-13 13:06:48 UTC

programming & design

replies

I need a content filter that will let me block websites by keywords in the URL.?