I'll address each one in turn:

  • ip.addr == 153.11.105.34/38
    This is invalid because the maximum number of bits is /32. You probably want ip.addr == 153.11.105.34/31. (Ideally, the Wireshark display filter validation could be improved to detect this and turn the expression red instead of green.)
  • ip.address == 153.11.105.34 or 153.11.105.35
    This is invalid because there is no field called "ip.address" and you need to specify the field name for the second IP address too. You probably want ip.addr == 153.11.105.34 or ip.addr == 153.11.105.35
  • ip contains 153.11.105.34/38
    Again, /38 is invalid, but also the contains operator does not work with IP addresses. Refer to the wireshark-filter man page for more information.

As the red color indicates, the following are not valid Wireshark display filter syntax. They are pcap-filter capture filter syntax and can't be used in this context. Refer to the pcap-filter man page for more information.

  • host 153.11.105.34 or host 153.11.105.35
  • ip host 153.11.105.34
  • net 153.11.105.34
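
The checks described in this answer, as an added Python example that is not part of the original answer and is not Wireshark's own validation. The `lint` and `covered` helpers and the short field list are assumptions made for illustration; the sketch only handles simple IPv4 address comparisons joined by `or`/`and`.

```python
import ipaddress
import re

# Assumption: a small constructed subset of IPv4 address fields, not Wireshark's full list.
IP_FIELDS = {"ip.addr", "ip.src", "ip.dst"}
# pcap-filter primitives quoted in the answer; they belong in capture filters only.
CAPTURE_WORDS = {"host", "net"}
TERM = re.compile(r"^(\S+)\s+(==|eq|contains)\s+(\S+)$")


def lint(expr):
    """Return the problems found in a simple 'term or term' display filter."""
    problems = []
    for term in re.split(r"\s+(?:or|and)\s+", expr.strip()):
        if CAPTURE_WORDS & set(term.split()[:2]):
            problems.append(f"{term}: pcap-filter capture syntax")
            continue
        m = TERM.match(term)
        if not m:
            problems.append(f"{term}: needs 'field operator value'")
            continue
        field, op, value = m.groups()
        if op == "contains":
            problems.append(f"{term}: contains does not work with IP addresses")
        elif field not in IP_FIELDS:
            problems.append(f"{term}: unknown field {field}")
        try:
            # Rejects prefixes longer than /32 and malformed addresses.
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append(f"{term}: bad address or prefix {value}")
    return problems


def covered(cidr):
    """Addresses inside an address/prefix operand (host bits ignored)."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


if __name__ == "__main__":
    # The filters quoted in the answer above, plus the suggested /31 form.
    for f in ["ip.addr == 153.11.105.34/38",
              "ip.address == 153.11.105.34 or 153.11.105.35",
              "ip contains 153.11.105.34/38",
              "host 153.11.105.34 or host 153.11.105.35",
              "ip.addr == 153.11.105.34/31"]:
        print(f, "->", lint(f) or "ok")
    print(covered("153.11.105.34/31"))
```

`covered("153.11.105.34/31")` lists the two addresses that the suggested /31 filter and the two-term `or` filter both select.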