Filter RFC1918 prefixes
I need a little help to build a display filter to exclude the traffic based on RFC1918 (Source and Destination).
!(ip.addr == 10.0.0.0/8 || ip.addr == 172.16.0.0/12 || ip.addr == 192.168.0.0/16)
comes to mind.
You might want to use one of the default display filter macros:
Either source or destination in the RFC1918 ranges: ${private_ipv4:ip.src} or ${private_ipv4:ip.dst}
Both source and destination in the RFC1918 ranges: (${private_ipv4:ip.src}) and (${private_ipv4:ip.dst})
NB: The parentheses in the 2nd one are needed as the macro has an "or" in it and does not have parentheses in the macro itself, I think this should be changed :-)
!(ip.src in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} || ip.dst in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16})
If using Wireshark version 4.0+, the above display filter will eliminate the packets with RFC1918 addresses in EITHER the ip.src or ip.dst fields. Keep in mind you will still see broadcast/multicast, L2 protocols, and IPv6 traffic. You'll need to add those to the negated statement if you don't wish to see that traffic.
If you are wanting to only eliminate traffic that contains RFC1918 addresses in BOTH the ip.src and ip.dst fields, then the following display filter will accomplish that request.
!(ip.src in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} && ip.dst in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16})
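An added example, not part of the answers above: a small Python model of the EITHER (||) and BOTH (&&) filters, run over constructed sample packets to show which ones each filter still displays. The function names and sample addresses are assumptions made for illustration; `None` stands for a packet with no ip.src/ip.dst field.

```python
import ipaddress

# The three RFC 1918 blocks named in the filters above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr is an IPv4 string inside an RFC 1918 block.
    None models a packet without IPv4 fields (ARP, IPv6, ...): a test on
    an absent field is false, which is why negated filters still show it."""
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def shown_either(src, dst):
    """Models !(ip.src in {...} || ip.dst in {...})."""
    return not (is_private(src) or is_private(dst))

def shown_both(src, dst):
    """Models !(ip.src in {...} && ip.dst in {...})."""
    return not (is_private(src) and is_private(dst))

# Constructed sample packets: (label, ip.src, ip.dst)
SAMPLES = [
    ("internal to internal", "10.1.2.3", "192.168.0.10"),
    ("internal to internet", "172.16.5.9", "8.8.8.8"),
    ("internet to internet", "1.1.1.1", "8.8.8.8"),
    ("just outside 172.16.0.0/12", "172.32.0.1", "8.8.8.8"),
    ("DHCP discover (broadcast)", "0.0.0.0", "255.255.255.255"),
    ("ARP or IPv6 (no IPv4 fields)", None, None),
]

def table():
    """Return (label, shown by EITHER filter, shown by BOTH filter)."""
    return [(label, shown_either(s, d), shown_both(s, d))
            for label, s, d in SAMPLES]

if __name__ == "__main__":
    print(f"{'packet':30} {'either':>7} {'both':>7}")
    for label, either, both in table():
        print(f"{label:30} {str(either):>7} {str(both):>7}")
```
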
Asked: 2022-12-01 23:20:01 +0000
Seen: 1,470 times
Last updated: Dec 14 '22
Wireshark version?