I'm trying to filter out my local machine's IP address 192.168.5.22.
I used ip.src != 192.168.5.22 || ip.dst != 192.168.5.22 and I keep seeing my address pop up.
Mitch is right. With the negative match like you have, you need both conditions to be true to filter off your IP, thus and instead of or. You could also write it like so:
not (ip.addr == 192.168.5.22)
It might seem more logical to write it as ip.addr != 192.168.5.22, but while that's a valid expression, it will match the other end of the connection as not being the specific IP and still be true. For example, when connecting to 192.168.5.254 from 192.168.5.22, ip.addr != 192.168.5.22 doesn't match the *.22 IP, it matches *.254 and thus the packet matches the filter expression. Here's a complete example to filter http as well:
not ip.addr == 192.168.5.22 and not tcp.dstport == 80
tcp.dstport != 80 suffers from a similar problem; having tcp.dstport != 80 turns out to mean "match ONLY tcp traffic, but only tcp that is not dstport == 80".
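To make the "any occurrence matches" behaviour described in this answer concrete, here is an added illustration (not code from the page or from Wireshark) that models a display filter as a predicate over a packet's field occurrences and runs the asker's filter, ip.addr != X, not (ip.addr == X) and the tcp.dstport variants over a few constructed packets. The packet dictionaries, the field names used as keys and the LOCAL constant are assumptions made for the demo.

```python
import ipaddress

# Hypothetical model of Wireshark display-filter evaluation for the filters
# discussed above; an added illustration, not Wireshark's own code.
LOCAL = ipaddress.ip_address("192.168.5.22")
ip = ipaddress.ip_address

def occurrences(pkt, field):
    """Every value a field takes in the packet. ip.addr occurs twice
    (ip.src and ip.dst); a protocol that is absent has no occurrences."""
    if field == "ip.addr":
        return occurrences(pkt, "ip.src") + occurrences(pkt, "ip.dst")
    value = pkt.get(field)
    return [] if value is None else [value]

def any_match(pkt, field, pred):
    """A comparison is true when ANY occurrence satisfies it, and false
    when the field is absent (an ARP frame has no ip.* fields at all)."""
    return any(pred(v) for v in occurrences(pkt, field))

FILTERS = {
    # the asker's filter: ip.src != L || ip.dst != L
    "asked_or": lambda p: any_match(p, "ip.src", lambda v: v != LOCAL)
                          or any_match(p, "ip.dst", lambda v: v != LOCAL),
    # ip.addr != L under any-match semantics: true if EITHER end differs
    "addr_ne": lambda p: any_match(p, "ip.addr", lambda v: v != LOCAL),
    # not (ip.addr == L): true only if NEITHER end is the local address
    "not_addr_eq": lambda p: not any_match(p, "ip.addr", lambda v: v == LOCAL),
    # not ip.addr == L and not tcp.dstport == 80
    "no_local_no_http": lambda p: not any_match(p, "ip.addr", lambda v: v == LOCAL)
                                  and not any_match(p, "tcp.dstport", lambda v: v == 80),
    # tcp.dstport != 80: only TCP packets can satisfy it, so non-TCP is hidden
    "dstport_ne_80": lambda p: any_match(p, "tcp.dstport", lambda v: v != 80),
}

# Constructed sample packets (not captured data).
PACKETS = {
    "local_to_gw_http": {"ip.src": ip("192.168.5.22"), "ip.dst": ip("192.168.5.254"), "tcp.dstport": 80},
    "gw_to_local":      {"ip.src": ip("192.168.5.254"), "ip.dst": ip("192.168.5.22"), "tcp.dstport": 51234},
    "other_hosts_dns":  {"ip.src": ip("192.168.5.40"), "ip.dst": ip("8.8.8.8"), "udp.dstport": 53},
    "arp_request":      {"arp.opcode": 1},
}

def evaluate(filter_name):
    """Return, per sample packet, whether the named filter keeps (shows) it."""
    keep = FILTERS[filter_name]
    return {name: keep(pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:17} shows {[p for p, ok in evaluate(name).items() if ok]}")
```

The model uses the any-occurrence meaning of != that this answer describes; Wireshark 3.6 and later changed != on multi-value fields to mean !(a == b), so check the release notes for the version you run.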
While not strictly your question, I prefer to do filtering in the capture filter (double click the interface name in the capture-options dialog), whose syntax is exactly like tcpdump. It makes the capture take less memory and disk by avoiding capturing packets you're telling it to ignore. The downside is those packets are not captured if you later want to inspect them, and you can't change the filter selected this way during a capture session. For example, to keep from capturing http and ssh traffic to/from any host and any packets to or from 192.168.5.22:
not host 192.168.5.22 and not port 80 and not port 22
If you only wanted to filter http traffic to and from that host, you could do this:
not (host 192.168.5.22 and port 80)
Your or should be an and:
ip.src != 1.2.3.4 && ip.dst != 1.2.3.4
It's 2022 and IPv6 is now a thing! IPv6 makes this trickier since you'll usually have multiple v6 addresses and they often change. Enumerating each is a pain. Instead we know that the link-local IPv6 prefix is FE80::/10, so to exclude traffic that both originates from and is destined to this range we use this filter:
not (ipv6.dst == fe80::/10 and ipv6.src == fe80::/10)
Putting it all together, this filter will exclude local IP, IPv6, and broadcast/multicast packets:
not (ipv6.dst == fe80::/10 and ipv6.src == fe80::/10) and
not (ip.dst == 192.168.0.0/16 and ip.src == 192.168.0.0/16) and
not (ip.dst == 10.0.0.0/8 and ip.src == 10.0.0.0/8) and
not (eth.dst[0] & 1)
Note that the above only excludes local IP traffic in the 192.168.* and 10.* IP range. There are other local ranges you might be using. The and not (eth.dst[0] & 1) excludes any packet with the ethernet multicast bit set to true. If you want to see multicast traffic just exclude it. (It might also be better to just exclude multicast protocols, like with not mdns.)