Discussion:
Display Filter for multiple IP's?
Richard Biever
2007-03-05 22:18:30 UTC
Permalink
Hello,

This may have been asked before, so apologies if it is a repeat. If I
want to filter OUT 1 IP from a Wireshark Capture, I can use the expression:

! ( ip.addr == 10.0.0.1)

However, I would like to filter out multiple IP's from the capture
file. I thought doing it like so would work:


! ( ip.addr == 10.0.0.1) or ! ( ip.addr == 10.0.0.2)

But this did not work the way I expected it to.

So, does anyone know how to filter out multiple IP's from a capture file
at one time?

Thanks for the help!
Luis Ontanon
2007-03-05 22:27:04 UTC
Permalink
! (ip.addr == 10.1.1.1 or ip.addr == 10.2.2.2 or ip.addr == 10.3.3.3 )
Post by Richard Biever
Hello,
This may have been asked before, so apologies if it is a repeat. If I
! ( ip.addr == 10.0.0.1)
However, I would like to filter out multiple IP's from the capture
! ( ip.addr == 10.0.0.1) or ! ( ip.addr == 10.0.0.2)
But this did not work the way I expected it to.
So, does anyone know how to filter out multiple IP's from a capture file
at one time?
Thanks for the help!
_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Richard Biever
2007-03-05 22:39:31 UTC
Permalink
Thank you! Worked like a champ!
Post by Luis Ontanon
! (ip.addr == 10.1.1.1 or ip.addr == 10.2.2.2 or ip.addr == 10.3.3.3 )
Post by Richard Biever
Hello,
This may have been asked before, so apologies if it is a repeat. If I
! ( ip.addr == 10.0.0.1)
However, I would like to filter out multiple IP's from the capture
! ( ip.addr == 10.0.0.1) or ! ( ip.addr == 10.0.0.2)
But this did not work the way I expected it to.
So, does anyone know how to filter out multiple IP's from a capture file
at one time?
Thanks for the help!
_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
Luis Ontanon
2007-03-05 22:49:57 UTC
Permalink
Post by Richard Biever
Thank you! Worked like a champ!
It was a *logical* think for it to work. :-)
Post by Richard Biever
Post by Luis Ontanon
! (ip.addr == 10.1.1.1 or ip.addr == 10.2.2.2 or ip.addr == 10.3.3.3 )
Post by Richard Biever
Hello,
This may have been asked before, so apologies if it is a repeat. If I
! ( ip.addr == 10.0.0.1)
However, I would like to filter out multiple IP's from the capture
! ( ip.addr == 10.0.0.1) or ! ( ip.addr == 10.0.0.2)
But this did not work the way I expected it to.
So, does anyone know how to filter out multiple IP's from a capture file
at one time?
Thanks for the help!
_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
Andrew Hood
2007-03-06 00:43:16 UTC
Permalink
Post by Luis Ontanon
! (ip.addr == 10.1.1.1 or ip.addr == 10.2.2.2 or ip.addr == 10.3.3.3 )
Which any worker in symbolic logic will tell you is the same as:

!(ip.addr == 10.1.1.1) and !(ip.addr == 10.2.2.2) and !(ip.addr ==
10.3.3.3 )

So the OP could have just swapped "or" for "and".
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
Continue reading on narkive:
Loading...