Wireshark not equal to filter


I came across this today and thought I’d share this helpful little Wireshark filter trick. Based on Wireshark’s documentation, if you use “ip.addr != 10.10.10.10” you should see everything except packets with the IP address 10.10.10.10. The problem is that it doesn’t work: the filter bar turns yellow like this, and that IP is not filtered out. The reason is that ip.addr covers both the source and destination address fields, and a comparison is satisfied as soon as any one occurrence of the field satisfies it, so “ip.addr != 10.10.10.10” is true for every packet that has some other address in either field, which is nearly all of them.

[Screenshot: the filter bar highlighted yellow for “ip.addr != 10.10.10.10”]

The trick is to negate the whole statement; then it works. Instead of “ip.addr!=10.10.10.10”, run “!ip.addr==10.10.10.10”. Wireshark then reads it as NOT (ip.addr equals 10.10.10.10), rather than “ip.addr is not equal to 10.10.10.10”, so any packet with that address in either field is dropped. Once you do that, you’re golden (well, green).

[Screenshot: the filter bar highlighted green for “!ip.addr==10.10.10.10”]

Simple enough, and it works with any statement. For example, if you RDP into a machine and run a capture there, you should probably include “!tcp.port==3389” somewhere in your filter statement so your own RDP session doesn’t swamp the capture. (Newer Wireshark releases have since changed “!=” to mean “all occurrences not equal”, which gives the expected result, but the negated form works on every version.)
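To make the “any occurrence matches” rule concrete, here is an added example (not code from the original post, and not Wireshark’s own implementation) that models how a display filter comparison is evaluated against a field that occurs more than once per packet. The packets are constructed sample data, and the field names mirror Wireshark’s ip.addr and tcp.port.

```python
# Toy model of Wireshark display filter semantics for multi-occurrence fields.
# This is an added illustration, not Wireshark code. Each constructed packet
# lists every value a field takes: ip.addr = [ip.src, ip.dst] and
# tcp.port = [tcp.srcport, tcp.dstport].
PACKETS = [
    {"id": 1, "ip.addr": ["192.168.1.5", "10.10.10.10"], "tcp.port": [51000, 3389]},
    {"id": 2, "ip.addr": ["10.10.10.10", "192.168.1.5"], "tcp.port": [3389, 51000]},
    {"id": 3, "ip.addr": ["192.168.1.5", "8.8.8.8"],     "tcp.port": [51001, 443]},
    {"id": 4, "ip.addr": ["10.10.10.10", "10.10.10.10"], "tcp.port": [3389, 3389]},
]


def any_eq(pkt, field, value):
    """'field == value': true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt.get(field, []))


def any_ne(pkt, field, value):
    """'field != value' with 'any' semantics: true if ANY occurrence differs.

    This is the behaviour the post describes: a packet to or from the
    address still has one field that differs, so it passes the filter.
    """
    return any(v != value for v in pkt.get(field, []))


def ids(pkts, predicate):
    """Return the ids of the packets that pass a filter predicate."""
    return [p["id"] for p in pkts if predicate(p)]


def ne_filter(field, value):
    """Packets passing 'field != value' (the form that stays yellow)."""
    return ids(PACKETS, lambda p: any_ne(p, field, value))


def not_eq_filter(field, value):
    """Packets passing '!(field == value)' (the form that turns green)."""
    return ids(PACKETS, lambda p: not any_eq(p, field, value))


if __name__ == "__main__":
    print("ip.addr != 10.10.10.10   ->", ne_filter("ip.addr", "10.10.10.10"))
    print("!(ip.addr == 10.10.10.10) ->", not_eq_filter("ip.addr", "10.10.10.10"))
    print("tcp.port != 3389          ->", ne_filter("tcp.port", 3389))
    print("!(tcp.port == 3389)       ->", not_eq_filter("tcp.port", 3389))
```

Only packet 4, where both occurrences are the filtered value, is dropped by the “!=” form; the negated form drops every packet that touches the address or port.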


I hope I’ve made your day, at least a little bit easier!

3 thoughts on “Wireshark not equal to filter”

    William said:
    April 24, 2018 at 11:57 am

    Thank you for this!

    V said:
    April 23, 2019 at 12:19 pm

    Thank you sir

    Steve Goblinface said:
    July 18, 2019 at 1:16 pm

    “Thank you very much! Thank you very much! That’s the nicest thing that anyone’s ever done for me” – Albert Finney in Scrooge.
