Wireshark-users: [Wireshark-users] ip.addr==192.168.0.0/16



From: Tony Barratt <tbarratt@xxxxxxxxxxx>
Date: Mon, 10 Aug 2009 13:58:05 +0100

Hello Wes,

Actually that was a very useful hint.
Because all the traps come from the same place, via a trap forwarder, I can apply snmp.agent_addr == 192.168.0.0/16 or similar, which means I can use a couple of subnets and a few IPs and I have a display filter to suit.
Thanks!

I capture all the traps via tcpdump on a remote box (Wireshark install not possible) and UDP port 162, and now I can filter out all the traps I am interested in after loading the pcap file into Wireshark. On a related matter, if I want to just capture events that meet a filter like snmp.agent_addr == 192.168.0.0/16, what options do I have?

TIA

Tony
Date: Fri, 7 Aug 2009 06:06:51 -0700 (PDT)
From: Wes <wes_r@xxxxxxxxx>
Subject: Re: [Wireshark-users] How do I change the default capture filter
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>

You might be able to use masks to help narrow it down. For example:

ip.addr==192.168.0.0/16

Wes

--- On Fri, 8/7/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:

From: Tony Barratt <tbarratt@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] How do I change the default capture filter
To: wireshark-users@xxxxxxxxxxxxx
Date: Friday, August 7, 2009, 3:28 AM
Interesting!
I would like to display filter on 200 known IPs, which is
not practical in the GUI.
Could I put the filter into one of the dfiles found in the
folders tab?
Or is there perhaps a better way?
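
Added example, not part of the thread: a Python sketch that turns a long list of known agent addresses into one display filter using the mask form suggested above. It merges only addresses that form exact CIDR blocks, so the filter matches nothing outside the list; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress

def build_display_filter(entries, field="snmp.agent_addr"):
    """Return one Wireshark display filter covering exactly the given
    IPv4 addresses/networks, using as few CIDR terms as possible."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments in an address list
        # Strict parsing: "192.168.1.5/24" raises ValueError instead of
        # silently widening the filter to the whole /24.
        nets.append(ipaddress.IPv4Network(entry))

    terms = []
    # collapse_addresses() removes duplicates, drops networks already
    # covered by a larger one, and merges adjacent blocks losslessly.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            terms.append(f"{field} == {net.network_address}")
        else:
            terms.append(f"{field} == {net}")
    return " or ".join(terms)

# Constructed sample list (not taken from the thread).
SAMPLE = [
    "192.168.10.4", "192.168.10.5", "192.168.10.6", "192.168.10.7",
    "10.1.1.0/25", "10.1.1.128/25",
    "172.16.5.9", "172.16.5.9",   # duplicate entry
    "# decommissioned forwarders below",
    "",
]

if __name__ == "__main__":
    print(build_display_filter(SAMPLE))
```

The output can be pasted into the display filter bar after loading the pcap file; pass `field="ip.addr"` to filter on packet addresses instead of the trap's agent address.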

