How many times have you been using Wireshark to capture traffic and wanted to narrow down to a range or subnet of IP addresses? There is an “ip net” capture filter, but nothing similar for a display filter. Unfortunately, this functionality is often needed after the traffic has been captured. With a little bit of familiarity with the display filters, this goal can be easily achieved anyway.
The quickest way I have found to do this is to use the IP source and destination filters in combination with the “>=” and “<=”. For example, suppose that it was necessary to create a display filter to display packets to and from 192.168.1.0/24 (192.168.1.0-255). To accomplish this, the following filter would work:
(ip.src >= 192.168.1.0 && ip.src <= 192.168.1.255) || (ip.dst >= 192.168.1.0 && ip.dst <= 192.168.1.255)
To read this in filter in plain English, it states that the packet should have a source address greater than or equal to 192.168.1.0 AND less than or equal to 192.168.1.255. Alternatively (OR) it could have a destination address greater than or equal to 192.168.1.0 AND less than or equal to 192.168.1.255.
When I first attempted this, I thought a less complex filter similar to the one below would work:
ip.addr>= 192.168.1.0 && ip.addr <= 192.168.1.255
Unfortunately I had some unexpected results. This will actually match any packet with a source or destination IP Address greater than or equal to 192.168.1.0 AND has a source or destination address less than or equal to 192.168.1.255. In other words, this will match many more packets than what it initially seems it should. I seriously doubt that is the intended result for anyone who would write such a filter, but maybe. In any case, it is a good illustration to understand the logic of the filter though.
This is a quick and handy way to narrow down the display in Wireshark to a range of IP Addresses. With the new “Limit to Display” checkboxes now scattered through the statistics section in Wireshark, this can become immensely useful. If you find this helpful or have a better way to accomplish this please post comments below.
UPDATE– The format “ip.addr==126.96.36.199/16” works now as well. That is a much cleaner solution.