Ask Your Question

Revision history [back]

You seem to be confused by the differing syntaxes of capture and display filters.

Capture filter syntax is explained here, and allows use of the follwng keywords to identify ip addresses:

  • host- identifies a particular host, if a name, the resolved ip(s) are all used, if an ip, then that is used.
  • net - identifies a network of addresses, usually in CIDR notation, e.g. 1.2.3.0/24

Display syntax is explained here and uses a form of ip.xxx == 1.2.3.4, e.g:

  • ip.addr == 1.2.3.4 or ip.addr == myhost filters any packets to or from the ip address or host name
  • ip.addr == 1.2.3.0/24 filters any packets in the 1.2.3.4.0 class c subnet.

Assuming you're trying to create a display filter for address in the range 153.11.105.34 - 38 you can either use:

  • individual address: ip.addr == 153.11.105.34 or ip.addr == 153.11.105.35 or ip.addr == 153.11.105.36 or ip.addr == 153.11.105.37 or ip.addr == 153.11.105.38
  • a subnet, unfortunately your range of addresses doesn't map neatly so you'll have to use a slightly bigger subnet, e.g. ip.addr == 153.11.105.32/29 which will permit address in the range 153.11.105.32 - 153.11.105.39.

You could also combine a mix of explicit addresses and a smaller subnets:

ip.addr == 153.11.105.34/31 or ip.addr == 153.11.105.36/31 or ip.addr == 153.11.105.38

You seem to be confused by the differing syntaxes of capture and display filters.

Capture filter syntax is explained here, and allows use of the follwng following keywords to identify ip addresses:

  • host- identifies a particular host, if a name, the resolved ip(s) are all used, if an ip, then that is used.
  • net - identifies a network of addresses, usually in CIDR notation, e.g. 1.2.3.0/24

Display syntax is explained here and uses a form of ip.xxx == 1.2.3.4, e.g:

  • ip.addr == 1.2.3.4 or ip.addr == myhost filters any packets to or from the ip address or host name
  • ip.addr == 1.2.3.0/24 filters any packets in the 1.2.3.4.0 class c subnet.

Assuming you're trying to create a display filter for address in the range 153.11.105.34 - 38 you can either use:

  • individual address: ip.addr == 153.11.105.34 or ip.addr == 153.11.105.35 or ip.addr == 153.11.105.36 or ip.addr == 153.11.105.37 or ip.addr == 153.11.105.38
  • a subnet, unfortunately your range of addresses doesn't map neatly so you'll have to use a slightly bigger subnet, e.g. ip.addr == 153.11.105.32/29 which will permit address in the range 153.11.105.32 - 153.11.105.39.

You could also combine a mix of explicit addresses and a smaller subnets:

ip.addr == 153.11.105.34/31 or ip.addr == 153.11.105.36/31 or ip.addr == 153.11.105.38