
Many-to-many comparison [display private networks as example]

asked 2018-04-13 16:59:09 +0000

Chris Rudd

updated 2018-04-13 17:13:27 +0000

I'm looking for the best way to do a many-to-many comparison in Wireshark. In this case I want to limit the display filter to show only internal-only traffic.


This way doesn't work
(ip.src && ip.dst) == (192.168.0.0/16 || 172.16.0.0/12 || 10.0.0.0/8)

And while this other way works, it will become very difficult to read and manage once you start adding your individual exclusions from VPNs and add in your DMZ(s):
(ip.src == 192.168.0.0/16 || ip.src == 172.16.0.0/12 || ip.src == 10.0.0.0/8) && (ip.dst == 192.168.0.0/16 || ip.dst == 172.16.0.0/12 || ip.dst == 10.0.0.0/8)


Also, I know this specific case should probably be a capture filter instead; I'm just using this as an example to explore this question for display filters, since they're more widely used for a lot of things.

And a side question, how do I save a display filter expression for common use?


2 Answers


answered 2018-04-14 16:10:19 +0000

mrEEde

I guess the filter you are looking for could be

ip.src in {192.168.0.0/16  172.16.0.0/12  10.0.0.0/8} and ip.dst in {192.168.0.0/16  172.16.0.0/12  10.0.0.0/8}

But there are many other ways to achieve this ...
Saving a filter for later use can be done in the
(1) Add Display Filter Button
or under
(2) Manage saved Bookmarks -> Save filter


answered 2018-04-14 17:01:03 +0000

sindy

The "least typing" syntax of your first filter would be as follows:

ip.src in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8} && ip.dst in {192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}

I'm afraid there is no way to avoid using the list of match values twice if you want to compare two distinct variables to that list.

Whether you use capture filter or display filter depends more on whether you need to reduce the amount of data to be saved (which is the application case for a capture filter) or to be sure that you do not miss anything (which is the application case for not using any capture filter and using display filter to post-analyse the data).

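Added example (not part of either answer, and not Wireshark code): since the set has to be written twice, one option is to keep the ranges in a single list and generate the filter text from it. The `EXCLUDED` subnets are constructed placeholders for the VPN and DMZ exclusions the question mentions, and the `!(... in {...})` clauses are this example's own extension of the answers' filter.

```python
import ipaddress

# Constructed sample values: the RFC 1918 ranges from the question, plus a
# hypothetical VPN pool and DMZ subnet standing in for the asker's exclusions.
INTERNAL = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
EXCLUDED = ["10.8.0.0/24", "192.168.250.0/24"]


def _set(nets, sep):
    # ip_network() rejects malformed CIDRs and prefixes with host bits set,
    # so a typo fails here instead of producing a filter that matches nothing.
    return "{" + sep.join(str(ipaddress.ip_network(n)) for n in nets) + "}"


def build_filter(internal, excluded=(), sep=" "):
    """Display filter: source AND destination both in `internal`,
    and neither of them in `excluded`.

    sep=" " reproduces the syntax used in the answers; pass sep=", " for
    Wireshark releases that expect comma-separated set elements.
    """
    inc = _set(internal, sep)
    parts = [f"ip.src in {inc}", f"ip.dst in {inc}"]
    if excluded:
        exc = _set(excluded, sep)
        parts += [f"!(ip.src in {exc})", f"!(ip.dst in {exc})"]
    return " && ".join(parts)


def matches(src, dst, internal, excluded=()):
    """Evaluate the same logic offline, to sanity-check the two lists."""
    inc = [ipaddress.ip_network(n) for n in internal]
    exc = [ipaddress.ip_network(n) for n in excluded]

    def ok(addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in inc) and not any(a in n for n in exc)

    return ok(src) and ok(dst)


if __name__ == "__main__":
    print(build_filter(INTERNAL, EXCLUDED))
    # Constructed address pairs: internal, one external end, excluded VPN end.
    for src, dst in [("10.1.2.3", "192.168.1.10"), ("10.1.2.3", "8.8.8.8"),
                     ("10.8.0.5", "172.16.4.4")]:
        print(src, "->", dst, matches(src, dst, INTERNAL, EXCLUDED))
```

The generated string can be pasted into the display filter bar or passed to `tshark -Y`.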


Stats

Asked: 2018-04-13 16:59:09 +0000

Seen: 224 times

Last updated: Apr 14 '18