Wireshark-users: Re: [Wireshark-users] Capture filter help

From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Thu, 10 Aug 2006 09:06:24 -0700

At 08:24 AM 8/10/2006, King, John \(Greg\) \(LMIT-HOU\) wrote:

For some reason this filter is not working like I expect it to

# Local Site
192.168.18.0/24 #servers
192.168.19.0/24 #workstation

# Remote Sites
Anything not in the local site

I am wanting to capture any traffic to and from local workstation as
long as the following requirements are met
1. the source is a local workstation and the destination is not a local
workstation or local server
2. the source is not a local workstation or local server and the
destination is a local workstation

My filter looks like this with commenting

/opt/bin/tethereal -s 65535 -i eth1 -n -w /path/test.cap -a
filesize:5000 -f

"ip and not broadcast and not multicast and
(
        #source is not a local server or workstation and destination not
a local server
        ( (src net not 192.168.19.0/24 or src net not 192.168.18.0/24)
and dst net not 192.168.18.0/24)
  or
        #source is a local workstation and destination is not a local
workstation or local server
        ( (src net 192.168.19.0/24 and (dst net not 192.168.19.0/24 or
192.168.18.0/24) ) )
)"

Use an example IP address and work through your filter. For example, src ip 1.1.1.1 and dest ip 1.1.1.2. This passes the first part of your filter because 1.1.1.1 is not in either of your local networks - (src net not 192.168.19.0/24 or src net not 192.168.18.0/24) passes any ip address that is not local.

I think you want (because your workstation and server subnets are contiguous you can use a netmask of 23 bits to cover both):

(src net 192.168.19.0/24 and dst net not 192.168.18.0/23) or

(src net not 192.168.18.0/23 and dst net 192.168.19.0/24)