What is the capture filter for a specific IPv4 subnet?

Question

What is the capture filter for a specific IPv4 subnet? I had thought that this would do:

net 192.168.1.0

However, I don't capture any traffic with this filter at all (where I know there is traffic, since I can see some on that subnet when capturing without the filter).

Accepted Answer

3

You need to supply the netmask as well, e.g. net 192.168.1.0/24

answered 20 May '13, 08:24

grahamb ♦
19.8k●3●30●206
accept rate: 22%

edited 20 May '13, 08:24

see also the following similar question, for IPv6.

http://ask.wireshark.org/questions/12128/capture-filter-for-ipv6-network-prefix

(22 May '13, 05:54) Kurt Knochner ♦

Answer 2

I also thought that without a netmask, bpf would default to classfull addresses, but I never ran into it because I had CIDR subnets everywhere.

Or maybe the behavior has changed over time ... OK, the manpage says it all:

dst net net
          True if the IPv4/v6 destination address  of  the  packet  has  a
          network  number  of  net.   Net  may  be  either a name from the
          networks database (/etc/networks, etc.) or a network number.  An
          IPv4  network  number  can  be  written  as a dotted quad (e.g.,
          192.168.1.0), dotted triple (e.g., 192.168.1), dotted pair (e.g,
          172.16),   or   single   number   (e.g.,  10);  the  netmask  is
          255.255.255.255 for a dotted quad (which means that it's  really
          a  host  match),  255.255.255.0 for a dotted triple, 255.255.0.0
          for a dotted pair, or 255.0.0.0 for a single  number.   An  IPv6
          network  number  must  be  written  out  fully;  the  netmask is
          ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 "network"  matches  are  really
          always  host  matches,  and  a  network match requires a netmask
          length.

So, "net 192.168.1" will also work...

My "learn-something-new-item" for today :-)