I'll address each one in turn:

  • ip.addr == This is invalid because the maximum number of bits is /32. You probably want ip.addr == (Ideally, the Wireshark display filter validation could be improved to detect this and turn the expression red instead of green.)
  • ip.address == or This is invalid because there is no field called "ip.address" and you need to specify the field name for the second IP address too. You probably want ip.addr == or ip.addr ==
  • ip contains Again, /38 is invalid, but also the contains operator does not work with IP addresses. Refer to the wireshark-filter man page for more information.

As the red color indicates, the following are not valid Wireshark display filter syntax. They are pcap-filter capture filter syntax and can't be used in this context. Refer to the pcap-filter man page for more information.

  • host or host
  • ip host
  • net
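
The difference between the two syntaxes, as an added example (not part of the original answer and not Wireshark code): a small Python helper that rewrites the `host`, `ip host` and `net` capture-filter forms into `ip.addr ==` display-filter syntax and rejects prefix lengths above 32. The function names and the RFC 5737 sample addresses are assumptions, and the mapping covers IPv4 only (pcap-filter `host` also matches ARP/RARP).

```python
import ipaddress
import re

# One pcap-filter primitive: optional "ip" qualifier, then host/net and a value.
_PRIMITIVE = re.compile(r"(?:ip\s+)?(host|net)\s+(\S+)$")


def _term(kind, value):
    """Return the display-filter form of one capture-filter primitive."""
    if kind == "net":
        if "/" not in value:
            raise ValueError(f"net needs an explicit /prefix: {value!r}")
        # IPv4Network raises ValueError for prefix lengths above 32 (e.g. /38).
        # strict=False tolerates host bits and normalises to the network address.
        network = ipaddress.IPv4Network(value, strict=False)
        return f"ip.addr == {network}"
    # IPv4Address raises ValueError for anything that is not a dotted quad.
    return f"ip.addr == {ipaddress.IPv4Address(value)}"


def capture_to_display(expr):
    """Translate e.g. 'host A or host B' into 'ip.addr == A or ip.addr == B'."""
    # Splitting on a captured group keeps the and/or operators at odd indices.
    parts = re.split(r"\s+(and|or)\s+", expr.strip())
    out = []
    for index, part in enumerate(parts):
        if index % 2 == 1:
            out.append(part)  # logical operator, same keyword in both syntaxes
            continue
        match = _PRIMITIVE.match(part)
        if match is None:
            raise ValueError(f"unsupported capture-filter primitive: {part!r}")
        out.append(_term(*match.groups()))
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample filters using documentation address ranges.
    for sample in ("host 192.0.2.1 or host 198.51.100.7",
                   "ip host 192.0.2.1",
                   "net 192.0.2.0/24",
                   "net 192.0.2.0/38"):
        try:
            print(f"{sample!r:45} -> {capture_to_display(sample)}")
        except ValueError as exc:
            print(f"{sample!r:45} -> rejected: {exc}")
```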