Capture filter syntax:
src net not (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8) or dst net not (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8)
Display filter syntax:
!ip.src in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8} or !ip.dst in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}
Is this an exam or what :-) ? In IPv6 it would depend on site individual configuration as even site-local addresses are normally public, except fc00::/7 which, however, are unlikely to be used in networks which do have an IPv6 uplink.
So src net not (fc00::/7 or xxxx:xxxx:xxxx:xxxx::/64) or dst net not (fc00::/7 or xxxx:xxxx:xxxx:xxxx::/64) or, respectively, !ipv6.src in {fc00::/7 xxxx:xxxx:xxxx:xxxx::/64} or !ipv6.dst in {fc00::/7 xxxx:xxxx:xxxx:xxxx::/64}, where xxxx:xxxx:xxxx:xxxx is the site prefix, should be the correct answer.
It is true that I've also neglected the possibility that "internal" IPv4 addresses might be public ones as well.
An exam? Maybe :-) In a single broadcast domain the link local address is enough to filter the traffic. Every interface has one and it should be used for local traffic. So any non-local address should be related to external traffic. The problems start with a routed internal network. Then you'll have to know which subnet is assigned to your network, to know what's outside, being the internet.
Asked: 2018-03-17 21:23:33 +0000
Seen: 11,015 times
Last updated: Mar 18 '18
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
