Networking
Matt Hansen  

Wireshark not equal to filter

Reading Time: < 1 minute

I came across this today and thought I’d share this helpful little wireshark capture filter. Based on wireshark’s documentation if you use

“ip.addr != 10.10.10.10” that should show you everything except for packets with the IP addrress 10.10.10.10. The problem is … it doesn’t work. It turns yellow like this, and doesn’t filter that IP.

yellow

 

The trick is to negate the whole statement, then it will work. Instead of doing “ip.addr!=10.10.10.10” run “!ip.addr==10.10.10.10”. Wireshark then is able to read it as NOT  ip equal to, instead of IP is not equal to. Once you do that, you’re golden (well, green).

green

 

Simple enough, and it works with any statement — IE if you RDP into a machine and run a capture you should probably include “!tcp==3389” somewhere in your filter statement.

 

 

I hope I’ve made your day, at least a little bit easier!

mshansen01

https://www.linkedin.com/in/matthansen0/

5 thoughts on “Wireshark not equal to filter

  1. William

    Thank you for this!

    Reply

  2. V

    Thank you sir

    Reply

  3. Steve Goblinface

    ‘Thank you very much! Thank you very much! That’s the nicest thing that anyone’s ever done for me” – Albert Finney in Scrooge.

    Reply

  4. asdsa asdsad

    Thanks a lot!

    Reply

  5. Andreas

    Thank you for that! Still searching for the logic in some of the syntax used in wireshark…

    Reply

Leave a Reply to VCancel reply

Discover more from Hansen Cloud

Subscribe now to keep reading and get access to the full archive.

Continue reading