Ethereal-users: Re: [Ethereal-users] Display filters and IP Subnet NEWBIE

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Wed, 26 Feb 2003 09:52:38 -0600 (CST)
On Wed, 26 Feb 2003 john.underwood@xxxxxxxxxxxx wrote:

> Ok so I have a captured packets file. The file contains traffic from 
> several different subnets routed through my location. I would like to see 
> all traffic from a given subnet. I can display filter for individual IP 
> address from that subnet and I could build one long expression (ip.addr == 
> 172.27.0.1 or ip.addr ==172.27.0.2 or etc.) but there has got to be a 
> better way.

There is a better way, according to the Ethereal man page:

  "Classless InterDomain Routing (CIDR) notation can be used to test
  if an IPv4 address is in a certain subnet. For example, this display
  filter will find all packets in the 129.111 Class-B network:

    ip.addr == 129.111.0.0/16

  Remember, the number after the slash represents the number of bits used
  to represent the network. CIDR notation can also be used with hostnames,
  in this example of finding IP addresses on the same Class C network as
  `sneezy':

    ip.addr eq sneezy/24

  The CIDR notation can only be used on IP addresses or hostnames, not
  in variable names. So, a display filter like ``ip.src/24 == ip.dst/24''
  is not valid. (yet)"
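
The prefix match behind `ip.addr == 129.111.0.0/16`, as an added example that is not part of the original message or of Ethereal's code. The function names and the packet records are hypothetical and constructed for illustration; it also shows the source/destination same-subnet comparison that the man page says a display filter cannot express, done as post-processing instead.

```python
import ipaddress

def prefix_mask(bits):
    """32-bit netmask with the top `bits` bits set (the number after the slash)."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def to_int(addr):
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def in_subnet(addr, cidr):
    """True if addr is inside cidr, e.g. in_subnet('172.27.0.2', '172.27.0.0/16')."""
    net, _, bits = cidr.partition("/")
    mask = prefix_mask(int(bits) if bits else 32)
    # Assumption: both sides are masked, which is what lets a host
    # address such as `sneezy/24` stand in for its whole network.
    return (to_int(addr) & mask) == (to_int(net) & mask)

def match_ip_addr(packet, cidr):
    """Model of `ip.addr == cidr`: ip.addr covers source or destination."""
    return in_subnet(packet["src"], cidr) or in_subnet(packet["dst"], cidr)

def same_subnet(packet, bits):
    """src/bits == dst/bits, the comparison a display filter cannot express."""
    mask = prefix_mask(bits)
    return (to_int(packet["src"]) & mask) == (to_int(packet["dst"]) & mask)

# Constructed sample packets (not from a real capture).
PACKETS = [
    {"no": 1, "src": "172.27.0.1",   "dst": "10.1.1.5"},
    {"no": 2, "src": "10.1.1.5",     "dst": "172.27.200.9"},
    {"no": 3, "src": "172.28.0.1",   "dst": "10.1.1.5"},
    {"no": 4, "src": "192.168.4.10", "dst": "192.168.4.77"},
]

def filter_packets(cidr):
    """Packet numbers that a filter `ip.addr == cidr` would display."""
    return [p["no"] for p in PACKETS if match_ip_addr(p, cidr)]

if __name__ == "__main__":
    print(filter_packets("172.27.0.0/16"))
    print([p["no"] for p in PACKETS if same_subnet(p, 24)])
```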