Wireshark—Display Filter by IP Range

How many times have you been using Wireshark to capture traffic and wanted to narrow down to a range or subnet of IP addresses?  There is an “ip net” capture filter, but nothing similar for a display filter.  Unfortunately, this functionality is often needed after the traffic has been captured.  With a little bit of familiarity with the display filters, this goal can be easily achieved anyway. 

The quickest way I have found to do this is to use the IP source and destination filters in combination with the “>=” and “<=” comparison operators.  For example, suppose that it was necessary to create a display filter to display packets to and from 192.168.1.0/24 (192.168.1.0-255).  To accomplish this, the following filter would work:

(ip.src >= 192.168.1.0 && ip.src <= 192.168.1.255) || (ip.dst >= 192.168.1.0 && ip.dst <= 192.168.1.255)

To read this filter in plain English: the packet must have a source address greater than or equal to 192.168.1.0 AND less than or equal to 192.168.1.255, OR (alternatively) a destination address greater than or equal to 192.168.1.0 AND less than or equal to 192.168.1.255.

When I first attempted this, I thought a less complex filter similar to the one below would work:

ip.addr >= 192.168.1.0 && ip.addr <= 192.168.1.255

Unfortunately I had some unexpected results.  In a display filter, ip.addr refers to every IP address field in the packet, and a comparison is true if any one of those fields satisfies it, so the two halves of this filter can be satisfied by different fields.  It will actually match any packet that has a source or destination IP address greater than or equal to 192.168.1.0 AND has a source or destination address less than or equal to 192.168.1.255.  In other words, it matches many more packets than it initially seems it should.  I seriously doubt that is the intended result for anyone who would write such a filter, but in any case it is a good illustration of how the filter logic is evaluated.

This is a quick and handy way to narrow down the display in Wireshark to a range of IP addresses.  With the new “Limit to Display” checkboxes now scattered through the statistics section in Wireshark, this can become immensely useful.  If you find this helpful or have a better way to accomplish this, please post comments below.

UPDATE: The format “ip.addr == 129.111.0.0/16” works as well. That is a much cleaner solution.
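To make the difference between the three filters concrete, here is an added example (not part of the original post, and not Wireshark code) that models how the display filter engine evaluates them: ip.src and ip.dst are single fields, while ip.addr stands for every IP address field in the packet and a comparison on it is true if any of those fields satisfies it. The packets are constructed for the demonstration, and the function names (src_dst_range_filter, naive_addr_filter, cidr_filter, evaluate, naive_false_positives) are my own. Run it over the sample packets to see which ones the naive ip.addr range filter shows that the correct range filter (and the CIDR form from the update) does not.

```python
import ipaddress

# Constructed sample packets as (src, dst) pairs; not taken from a real capture.
SAMPLE_PACKETS = [
    ("192.168.1.10", "8.8.8.8"),       # source inside 192.168.1.0/24
    ("8.8.8.8", "192.168.1.20"),       # destination inside 192.168.1.0/24
    ("10.0.0.5", "10.0.0.6"),          # both addresses below the range
    ("192.168.2.5", "192.168.3.9"),    # both addresses above the range
    ("10.0.0.1", "192.168.2.5"),       # one below, one above: neither in range
]

LOW = ipaddress.ip_address("192.168.1.0")
HIGH = ipaddress.ip_address("192.168.1.255")
NET = ipaddress.ip_network("192.168.1.0/24")


def src_dst_range_filter(src, dst):
    """Models: (ip.src >= LOW && ip.src <= HIGH) || (ip.dst >= LOW && ip.dst <= HIGH)

    ip.src and ip.dst each name exactly one field, so both bounds in a
    parenthesised group are checked against the same address.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (LOW <= s <= HIGH) or (LOW <= d <= HIGH)


def naive_addr_filter(src, dst):
    """Models: ip.addr >= LOW && ip.addr <= HIGH

    ip.addr stands for every IP address field in the packet.  Each comparison
    is true if ANY of those fields satisfies it, so the lower bound may be met
    by one address and the upper bound by the other.
    """
    addrs = [ipaddress.ip_address(src), ipaddress.ip_address(dst)]
    return any(a >= LOW for a in addrs) and any(a <= HIGH for a in addrs)


def cidr_filter(src, dst):
    """Models: ip.addr == 192.168.1.0/24

    True if either address falls inside the network; a single membership
    test per field, so the 'any field' evaluation cannot split the bounds.
    """
    return any(ipaddress.ip_address(a) in NET for a in (src, dst))


def evaluate(packets=SAMPLE_PACKETS):
    """Return {(src, dst): {"range": bool, "naive": bool, "cidr": bool}} per packet."""
    return {
        pkt: {
            "range": src_dst_range_filter(*pkt),
            "naive": naive_addr_filter(*pkt),
            "cidr": cidr_filter(*pkt),
        }
        for pkt in packets
    }


def naive_false_positives(packets=SAMPLE_PACKETS):
    """Packets the naive ip.addr filter displays although neither address is in range."""
    return [pkt for pkt in packets
            if naive_addr_filter(*pkt) and not src_dst_range_filter(*pkt)]


if __name__ == "__main__":
    for pkt, res in evaluate().items():
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} "
              f"range={res['range']!s:<5} naive={res['naive']!s:<5} cidr={res['cidr']}")
    print("shown only by the naive ip.addr filter:", naive_false_positives())
```

The last sample packet, 10.0.0.1 to 192.168.2.5, is the case to watch: its destination satisfies ip.addr >= 192.168.1.0 and its source satisfies ip.addr <= 192.168.1.255, so the naive filter displays it even though neither address is in 192.168.1.0/24, whereas the src/dst range filter and the CIDR form agree on every packet. The same per-field "any" evaluation is why ip.addr != x also surprises people: it is true whenever any address field differs from x.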


About Paul Stewart, CCIE 26009 (Security)

Network and Security Consultant, Trainer and Blogger who enjoys understanding how things really work. Troubleshooting and problem resolution is fun, especially if it involves packets. What's on your wire[s]?
This entry was posted in network, security.
