Wireshark-users: Re: [Wireshark-users] wildcard filter

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Aug 2008 15:15:44 -0700

On Aug 12, 2008, at 3:01 PM, Marlon Duksa wrote:

I'd like to filter all source IP addresses from the 11.x.x.x range. Not sure how to do this by applying a wildcard (*).

To quote the wireshark-filter(4) man page:

Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter
       will find all packets in the 129.111 Class-B network:

           ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of bits used
       to represent the network.  CIDR notation can also be used with
hostnames, as in this example of finding IP addresses on the same Class
       C network as 'sneezy':

           ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
       not valid (yet).

so try

	ip.src == 11.0.0.0/8