Ask Your Question

Filter RFC1918 prefixes

asked 2022-12-01 23:20:01 +0000

moraist gravatar image

I need a little help to build a display filter to exclude the traffic based on RFC1918 (Source and Destination).

edit retag flag offensive close merge delete


Wireshark version?

Jaap gravatar imageJaap ( 2022-12-02 06:51:51 +0000 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2022-12-02 07:22:15 +0000

hugo.vanderkooij gravatar image
!(ip.addr == || ip.addr == || ip.addr ==

comes to mind.

edit flag offensive delete link more

answered 2022-12-14 14:13:29 +0000

SYN-bit gravatar image

You might want to use one of the default display filter macros:

Either source or destination in the RFC1918 ranges: ${private_ipv4:ip.src} or ${private_ipv4:ip.dst} Both source and destination in the RFC1918 ranges: (${private_ipv4:ip.src}) and (${private_ipv4:ip.dst})

NB: The parentices in the 2nd one are needed as the macro has an "or" in it and does not have parantices in the macro itself, I think this should be changed :-)

edit flag offensive delete link more

answered 2022-12-13 23:04:57 +0000

Rooster_50 gravatar image

updated 2022-12-13 23:16:09 +0000

!(ip.src in {,,} || ip.dst in {,,})

If using Wireshark version 4.0+, the above display filter will eliminate the packets with RFC1918 addresses in EITHER the ip.src or ip.dst fields. Keep in mind you will still see broadcast/multicast, L2 protocols, and IPv6 traffic. You'll need to add those to the negated statement if you don't wish to see that traffic.

If you are wanting to only eliminate traffic that contains RFC1918 address in BOTH the ip.src and ip.dst fields, then the following display filter will accomplish that request.

!(ip.src in {,,} && ip.dst in {,,})
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2022-12-01 23:20:01 +0000

Seen: 960 times

Last updated: Dec 14 '22