Wireshark—Display Filter by IP Range

How many times have you been using Wireshark to capture traffic and wanted to narrow down to a range or subnet of IP addresses?  There is an “ip net” capture filter, but nothing similar for a display filter.  Unfortunately, this functionality is often needed after the traffic has been captured.  With a little bit of familiarity with the display filters, this goal can be easily achieved anyway. 

The quickest way I have found to do this is to use the IP source and destination filters in combination with the “>=” and “<=”.  For example, suppose that it was necessary to create a display filter to display packets to and from (  To accomplish this, the following filter would work:

(ip.src >= && ip.src <= || (ip.dst >= && ip.dst <=

To read this in filter in plain English, it states that the packet should have a source address greater than or equal to AND less than or equal to  Alternatively (OR) it could have a destination address greater than or equal to AND less than or equal to

When I first attempted this, I thought a less complex filter similar to the one below would work:

ip.addr>= && ip.addr <=

Unfortunately I had some unexpected results.  This will actually match any packet with a source or destination IP Address greater than or equal to AND has a source or destination address less than or equal to  In other words, this will match many more packets than what it initially seems it should.   I seriously doubt that is the intended result for anyone who would write such a filter, but maybe.  In any case, it is a good illustration to understand the logic of the filter though.

This is a quick and handy way to narrow down the display in Wireshark to a range of IP Addresses.  With the new “Limit to Display” checkboxes now scattered through the statistics section in Wireshark, this can become immensely useful.   If you find this helpful or have a better way to accomplish this please post comments below.

UPDATE– The format “ip.addr==” works now as well. That is a much cleaner solution.

No related content found.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To. Bookmark the permalink.

4 Responses to Wireshark—Display Filter by IP Range

  1. Prior to migrating this article to the new platform, someone pointed out the fact that Wireshark accepts the slash notation. I did determine that to be correct (at least in current versions). So a method easier than using a range might be to create a display filter like “ip.addr==”.

  2. Charlie says:

    Exactly what I needed to know. Thanks for posting!

Comments are closed.