Wireshark not equal to filter


I came across this today and thought I’d share this helpful little Wireshark capture filter. Based on Wireshark’s documentation, if you use “ip.addr !=” that should show you everything except for packets with the IP address. The problem is … it doesn’t work. It turns yellow like this, and doesn’t filter that IP.



The trick is to negate the whole statement, then it will work. Instead of doing “ip.addr!=” run “!ip.addr==”. Wireshark then is able to read it as NOT ip equal to, instead of IP is not equal to. Once you do that, you’re golden (well, green).
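Why the two forms differ, as an added example (a Python model, not Wireshark's code or anything from the original post): ip.addr stands for both the source and the destination address, and the model assumes the “!=” form is true as soon as either one differs, which matches the behaviour described above. The packets and function names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample packets as (source, destination); documentation-range addresses.
PACKETS = [
    ("192.0.2.10", "198.51.100.5"),   # from the host we want to hide
    ("198.51.100.5", "192.0.2.10"),   # to the host we want to hide
    ("203.0.113.7", "198.51.100.5"),  # unrelated traffic
    ("192.0.2.10", "192.0.2.10"),     # both fields are the hidden host
]


def ip_addr_values(pkt):
    """ip.addr is multi-valued: it covers ip.src and ip.dst of the packet."""
    src, dst = pkt
    return [ip_address(src), ip_address(dst)]


def any_not_equal(pkt, addr):
    """Model of 'ip.addr != addr': true if ANY ip.addr value differs from addr."""
    target = ip_address(addr)
    return any(value != target for value in ip_addr_values(pkt))


def not_any_equal(pkt, addr):
    """Model of '!ip.addr == addr': true only if NO ip.addr value equals addr."""
    target = ip_address(addr)
    return not any(value == target for value in ip_addr_values(pkt))


def run_filter(filter_fn, addr):
    """Return the packets that the given filter model would display."""
    return [pkt for pkt in PACKETS if filter_fn(pkt, addr)]


if __name__ == "__main__":
    hidden = "192.0.2.10"
    print("ip.addr != :", run_filter(any_not_equal, hidden))
    print("!ip.addr ==:", run_filter(not_any_equal, hidden))
```

In this model the “!=” form only drops the packet whose source and destination are both the hidden address, while the negated form leaves just the unrelated traffic.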



Simple enough, and it works with any statement. For example, if you RDP into a machine and run a capture, you should probably include “!tcp.port==3389” somewhere in your filter statement.



I hope I’ve made your day, at least a little bit easier!