James Pifer wrote:
I'm trying setup a capture filter to capture only data where the ip
address contains a certain part of an ip address. We have a lot of
servers on a distributed network that have standard addresses.
For example, I'd like to capture data on port 137 if the ip address is
like 192.xxx.xxx.11 where xxx can be anything.
Can this be done in a capture filter?
Not conveniently, but it can be done:
(((ip[12:4] & 0xFF0000FF) = 0xC000000B) || ((ip[16:4] & 0xFF0000FF) =
0xC000000B)) && port 137
(which extracts the IP source address, ANDs it with 0xFF0000FF, compares
it with 192.0.0.11, does the same with the IP destination address,
matches if either are true, and then ANDs that with a match on port 137).