Wireshark-users: Re: [Wireshark-users] ip.addr==192.168.0.0/16
From: Wes <wes_r@xxxxxxxxx>
Date: Mon, 10 Aug 2009 09:44:37 -0700 (PDT)
Glad that helped. You should be able to use the same mask technique in this field as well. At least it seems to work fine for me in a quick test. I used:

snmp.agent_addr == 192.168.0.0/16

and it shows traps from two different /24 networks as expected.

Wes

--- On Mon, 8/10/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:

> From: Tony Barratt <tbarratt@xxxxxxxxxxx>
> Subject: [Wireshark-users] ip.addr==192.168.0.0/16
> To: wireshark-users@xxxxxxxxxxxxx
> Date: Monday, August 10, 2009, 8:58 AM
>
> Hello Wes,
>
> Actually that was a very useful hint.
> Because all the traps come from the same place, via a trap forwarder I
> can apply
> snmp.agent_addr ==192.168.0.0/16 or similar which means I can use a
> couple of subnets and a few IPs and I have a display filter to suit.
> Thanks!
>
> I capture all the traps via tcpdump on a remote box (wireshark install
> not possible) and UDP port 162 and now I can filter out all the traps I
> am interested in after loading the pcap file into wireshark.
> On a related matter if I want to just capture events that meet a filter
> like snmp.agent_addr ==192.168.0.0/16 what options do I have?
>
> TIA
>
> Tony
>
> > Date: Fri, 7 Aug 2009 06:06:51 -0700 (PDT)
> > From: Wes <wes_r@xxxxxxxxx>
> > Subject: Re: [Wireshark-users] How do I change the default capture filter
> > To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> > Message-ID: <919569.1830.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > You might be able to use masks to help narrow it down. For example:
> >
> > ip.addr==192.168.0.0/16
> >
> > Wes
> >
> > --- On Fri, 8/7/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:
> >
> >> From: Tony Barratt <tbarratt@xxxxxxxxxxx>
> >> Subject: Re: [Wireshark-users] How do I change the default capture filter
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Date: Friday, August 7, 2009, 3:28 AM
> >>
> >> Interesting!
> >> I would like to display filter on 200 known IPs, which is not practical
> >> in the GUI.
> >> Could I put the filter into one of the dfiles found in the folders tab?
> >> Or is there perhaps a better way?
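
Added example, not part of the original thread: for the case discussed above (a couple of subnets plus a long list of individual agent IPs), this Python sketch collapses the list into the fewest CIDR blocks and emits a single display filter using the mask syntax shown in the thread. The function name, the sample addresses and the default field are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list: subnets and single hosts, one per entry,
# with optional "#" comments as you might keep them in a text file.
SAMPLE = [
    "192.168.1.0/24",
    "192.168.0.0/24",
    "192.168.1.17     # already inside 192.168.1.0/24",
    "10.20.30.40",
    "10.20.30.41",
    "172.16.5.9",
]


def build_display_filter(entries, field="snmp.agent_addr"):
    """Return '<field> == a/b or <field> == c ...' covering exactly `entries`.

    Entries with host bits set (e.g. 192.168.1.5/24) raise ValueError,
    so a mistyped mask cannot silently widen the filter.
    """
    nets = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue  # blank or comment-only line
        nets.append(ipaddress.IPv4Network(text))  # bare IP parses as /32

    if not nets:
        # An empty filter would display every packet; refuse instead.
        raise ValueError("no addresses supplied")

    # Merge adjacent blocks and drop entries covered by a wider block.
    terms = []
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            terms.append(f"{field} == {net.network_address}")
        else:
            terms.append(f"{field} == {net}")
    return " or ".join(terms)


if __name__ == "__main__":
    print(build_display_filter(SAMPLE))
```

The collapse is lossless: it never matches an address that was not in the input, so the resulting filter is only shorter where the listed IPs happen to form aligned blocks.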