Hello All,
How to create a filter in Wireshark traffic coming from the internet vs from internal/private IP addresses
Thanks Pranav
Capture filter syntax:
src net not (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8) or dst net not (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8)
Display filter syntax:
!ip.src in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8} or !ip.dst in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}
And now for IPv6?
Is this an exam or what :-) ? In IPv6 it would depend on site individual configuration as even site-local addresses are normally public, except fc00::/7 which, however, are unlikely to be used in networks which do have an IPv6 uplink.
So src net not (fc00::/7 or xxxx:xxxx:xxxx:xxxx::/64) or dst net not (fc00::/7 or xxxx:xxxx:xxxx:xxxx::/64) or, respectively, !ipv6.src in {fc00::/7 xxxx:xxxx:xxxx:xxxx::/64} or !ipv6.dst in {fc00::/7 xxxx:xxxx:xxxx:xxxx::/64}, where xxxx:xxxx:xxxx:xxxx is the site prefix, should be the correct answer.
It is true that I've also neglected the possibility that "internal" IPv4 addresses might be public ones as well.
An exam? Maybe :-) In a single broadcast domain the link local address is enough to filter the traffic. Every interface has one and it should be used for local traffic. So any non-local address should be related to external traffic. The problems start with a routed internal network. Then you'll have to know which subnet is assigned to your network, to know what's outside, being the internet.
Comments