Ask Your Question
0

Is there a way to write a display filter macro to define a variable for multiple IP addresses?

asked 2022-09-27 19:18:48 +0000

kiddcutty gravatar image

I am attempting to write a macro that acts as a variable for multiple IP address. Something similar to the following: (Found this as an example on wireshark.org)

Name: private_ipv4 Text: $1 == 192.168.0.0/16 or $1 == 172.16.0.0/12 or $1 == 10.0.0.0/8

This format fails with the error "wrong number of arguments for macro 'private_ipv4', expecting 1 instead of 0. I want to be able to call a variable in a filter instead of typing out all of the IP addresses.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-09-27 20:23:35 +0000

Chuckc gravatar image

WSUG 6.4.5. Membership Operator:

ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9}

Display Filter Macro:

"private_nets","{192.168.0.0/16,172.16.0.0/12, 10.0.0.0/8}"

Display Filter:

ip.src in ${private_nets} and ip.dst in ${private_nets}

The macro and filter above result in same number of displayed packets as:

ip.src in {192.168.0.0/16,172.16.0.0/12, 10.0.0.0/8} and ip.dst in {192.168.0.0/16,172.16.0.0/12, 10.0.0.0/8}

Test and verify with your own data.

edit flag offensive delete link more

Comments

That did the trick. I did some studying up on the membership operator too. Thank you very much!

kiddcutty gravatar imagekiddcutty ( 2022-09-28 19:00:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-09-27 19:18:04 +0000

Seen: 252 times

Last updated: Sep 28