wireshark not equal to does not work

Wireshark not equal to filter

Posted on

I came across this today and thought I’d share this helpful little wireshark capture filter. Based on wireshark’s documentation if you use

“ip.addr != 10.10.10.10” that should show you everything except for packets with the IP addrress 10.10.10.10. The problem is … it doesn’t work. It turns yellow like this, and doesn’t filter that IP.

yellow

 

The trick is to negate the whole statement, then it will work. Instead of doing “ip.addr!=10.10.10.10” run “!ip.addr==10.10.10.10”. Wireshark then is able to read it as NOT ┬áip equal to, instead of IP is not equal to. Once you do that, you’re golden (well, green).

green

 

Simple enough, and it works with any statement — IE if you RDP into a machine and run a capture you should probably include “!tcp==3389” somewhere in your filter statement.

 

 

I hope I’ve made your day, at least a little bit easier!

Advertisements