Wireshark-users: Re: [Wireshark-users] Capture Filter Help


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 06 Feb 2008 11:12:49 -0800

James Pifer wrote:

> I'm trying to set up a capture filter to capture only data where the IP
> address contains a certain part of an IP address. We have a lot of
> servers on a distributed network that have standard addresses.
> For example, I'd like to capture data on port 137 if the IP address is
> like 192.xxx.xxx.11 where xxx can be anything.
> Can this be done in a capture filter?

Not conveniently, but it can be done:

(((ip[12:4] & 0xFF0000FF) = 0xC000000B) || ((ip[16:4] & 0xFF0000FF) = 0xC000000B)) && port 137

(which extracts the IP source address, ANDs it with 0xFF0000FF, compares it with 192.0.0.11, does the same with the IP destination address, matches if either is true, and then ANDs that with a match on port 137).
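Added example, not part of the thread and not Wireshark or libpcap code: the Python below derives the mask and comparison constant used in the filter above from a dotted wildcard such as 192.xxx.xxx.11, renders the pcap-filter expression in the same form, and emulates what the resulting BPF program tests against constructed IPv4 packets. It also makes explicit two things the filter only implies: `ip[...]` offsets exist only for IPv4 packets, and `port 137` matches TCP or UDP in either direction, and only on the first fragment, where the transport header is. The function names, sample addresses and packets are assumptions made up for this example.

```python
# Added example (not from the thread): derive the mask-and-compare capture
# filter from a dotted wildcard such as "192.xxx.xxx.11", and emulate what
# that BPF program checks on constructed IPv4 packets.
import ipaddress
import struct

IP_SRC_OFFSET = 12   # ip[12:4] is the IPv4 source address
IP_DST_OFFSET = 16   # ip[16:4] is the IPv4 destination address


def wildcard_to_mask(pattern):
    """Turn 'A.B.C.D' with 'xxx' wildcards into a (mask, value) pair.

    Fixed octets contribute 0xFF to the mask and their value to the
    comparison constant; wildcard octets contribute zero bits to both,
    so the AND throws those bits away before the compare.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets: %r" % pattern)
    mask = value = 0
    for octet in octets:
        mask <<= 8
        value <<= 8
        if octet.lower() in ("x", "xxx", "*"):
            continue                      # wildcard: leave these 8 bits unmasked
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % octet)
        mask |= 0xFF
        value |= n
    return mask, value


def build_capture_filter(pattern, port):
    """Render the pcap-filter expression in the form used in the thread."""
    mask, value = wildcard_to_mask(pattern)
    src = "(ip[%d:4] & 0x%08X) = 0x%08X" % (IP_SRC_OFFSET, mask, value)
    dst = "(ip[%d:4] & 0x%08X) = 0x%08X" % (IP_DST_OFFSET, mask, value)
    return "((%s) || (%s)) && port %d" % (src, dst, port)


def packet_matches(pkt, mask, value, port):
    """Emulate the filter on a raw IPv4 packet (no link-layer header).

    Mirrors the BPF semantics: 'ip[...]' only exists for IPv4; 'port N'
    means TCP or UDP (SCTP omitted here for brevity), source or destination,
    and is only checked on the first fragment, where the L4 header lives.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    src, dst = struct.unpack("!II", pkt[IP_SRC_OFFSET:IP_DST_OFFSET + 4])
    if (src & mask) != value and (dst & mask) != value:
        return False
    ihl = (pkt[0] & 0x0F) * 4             # header length in bytes (options included)
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto not in (6, 17) or frag_offset != 0 or len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)


def build_packet(src_ip, dst_ip, proto, sport, dport):
    """Constructed sample packet: 20-byte IPv4 header plus L4 ports.

    Checksums are left at zero; this is test input, not a valid wire packet.
    """
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return header + l4


if __name__ == "__main__":
    print(build_capture_filter("192.xxx.xxx.11", 137))
    mask, value = wildcard_to_mask("192.xxx.xxx.11")
    samples = [
        ("NBNS from 192.168.5.11", build_packet("192.168.5.11", "10.0.0.1", 17, 137, 137)),
        ("TCP to 192.10.20.11:137", build_packet("10.0.0.1", "192.10.20.11", 6, 445, 137)),
        ("wrong last octet", build_packet("192.168.5.12", "10.0.0.1", 17, 137, 137)),
        ("ICMP, no ports", build_packet("192.1.1.11", "10.0.0.1", 1, 0, 0)),
    ]
    for label, pkt in samples:
        print("%-26s %s" % (label, packet_matches(pkt, mask, value, 137)))
```

The rendered expression can be pasted into Wireshark's capture filter field or passed to tcpdump as its filter argument; the emulation is only there to show which bytes the kernel-side filter actually inspects.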

  • References:
    • [Wireshark-users] Capture Filter Help
      • From: James Pifer