Filter RFC1918 prefixes


I need a little help to build a display filter to exclude the traffic based on RFC1918 (Source and Destination).

moraist
asked 2022-12-01 23:20:01 +0000

Comments

Wireshark version?

Jaap (2022-12-02 06:51:51 +0000)

3 Answers

!(ip.addr == 10.0.0.0/8 || ip.addr == 172.16.0.0/12 || ip.addr == 192.168.0.0/16)

comes to mind.

hugo.vanderkooij
answered 2022-12-02 07:22:15 +0000

You might want to use one of the default display filter macros:

Either source or destination in the RFC1918 ranges: ${private_ipv4:ip.src} or ${private_ipv4:ip.dst}

Both source and destination in the RFC1918 ranges: (${private_ipv4:ip.src}) and (${private_ipv4:ip.dst})

NB: The parentheses in the 2nd one are needed as the macro has an "or" in it and does not have parentheses in the macro itself. I think this should be changed :-)

SYN-bit
answered 2022-12-14 14:13:29 +0000

!(ip.src in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} || ip.dst in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16})

If using Wireshark version 4.0+, the above display filter will eliminate the packets with RFC1918 addresses in EITHER the ip.src or ip.dst fields. Keep in mind you will still see broadcast/multicast, L2 protocols, and IPv6 traffic. You'll need to add those to the negated statement if you don't wish to see that traffic.

If you are wanting to only eliminate traffic that contains RFC1918 addresses in BOTH the ip.src and ip.dst fields, then the following display filter will accomplish that request.

!(ip.src in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} && ip.dst in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16})
Rooster_50
answered 2022-12-13 23:04:57 +0000, updated 2022-12-13 23:16:09 +0000
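
Added example (not part of any answer on this page): a small Python model of the two negated filters above, run over constructed sample packets, to show which packets each form still displays, including packets with no IPv4 layer. The function names and the sample addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# The three RFC1918 prefixes used in the filters on this page.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """Model of `field in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}`.
    A missing field (addr is None, e.g. ARP or IPv6) never matches."""
    return addr is not None and any(ip_address(addr) in n for n in RFC1918)

def passes_either_filter(src, dst):
    """!(ip.src in {...} || ip.dst in {...}); True means the packet is displayed."""
    return not (is_private(src) or is_private(dst))

def passes_both_filter(src, dst):
    """!(ip.src in {...} && ip.dst in {...}); True means the packet is displayed."""
    return not (is_private(src) and is_private(dst))

# Constructed sample packets: (label, ip.src, ip.dst); None = no IPv4 layer.
PACKETS = [
    ("internal to internal", "10.1.2.3", "192.168.0.10"),
    ("internal to public", "172.16.5.5", "8.8.8.8"),
    ("public to internal", "1.1.1.1", "172.31.255.254"),
    ("public to public", "8.8.8.8", "1.1.1.1"),
    ("just outside /12", "172.32.0.1", "8.8.4.4"),
    ("no IPv4 layer", None, None),
]

def shown(predicate):
    """Labels of the sample packets that the given filter would display."""
    return [label for label, src, dst in PACKETS if predicate(src, dst)]

if __name__ == "__main__":
    print("either:", shown(passes_either_filter))
    print("both:  ", shown(passes_both_filter))
```

The "either" form leaves only traffic with no RFC1918 endpoint plus everything that is not IPv4, while the "both" form also keeps flows that cross between a private and a public address.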