Wireshark-users: Re: [Wireshark-users] ip.addr==192.168.0.0/16

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Wes <wes_r@xxxxxxxxx>
Date: Mon, 10 Aug 2009 09:44:37 -0700 (PDT)
Glad that helped. 

You should be able to use the same mask technique in this field as well. At least it seems to work fine for me in a quick test. I used:

snmp.agent_addr == 192.168.0.0/16

and it shows traps from two different /24 networks as expected.

Wes
--- On Mon, 8/10/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:

> From: Tony Barratt <tbarratt@xxxxxxxxxxx>
> Subject: [Wireshark-users] ip.addr==192.168.0.0/16
> To: wireshark-users@xxxxxxxxxxxxx
> Date: Monday, August 10, 2009, 8:58 AM
> Hello Wes,
> 
> Actually that was a very useful hint.
> Because all the traps come from the same place, via a trap
> forwarder I 
> can apply
> snmp.agent_addr  ==192.168.0.0/16 or similar which
> means I can use a 
> couple of subnets and a few IPs and I have a display filter
> to suit.
> Thanks!
> 
> I capture all the traps via tcpdump on a remote box
> (wiresshark install 
> not possible) and UDP port 162 and now I can filter out all
> the traps I 
> am interested in after loading the pcap file into
> wireshark.
> On a related matter if i want to just capture events that
> meet a filter 
> like  snmp.agent_addr  ==192.168.0.0/16 what
> options do I have?
> 
> TIA
> 
> Tony
> > Date: Fri, 7 Aug 2009 06:06:51 -0700 (PDT)
> > From: Wes <wes_r@xxxxxxxxx>
> > Subject: Re: [Wireshark-users] How do I change the
> default capture
> >     filter
> > To: Community support list for Wireshark
> >     <wireshark-users@xxxxxxxxxxxxx>
> > Message-ID: <919569.1830.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > You might be able to use masks to help narrow it down.
> For example:
> >
> > ip.addr==192.168.0.0/16
> >
> > Wes
> >
> > --- On Fri, 8/7/09, Tony Barratt <tbarratt@xxxxxxxxxxx>
> wrote:
> >
> >   
> >> From: Tony Barratt <tbarratt@xxxxxxxxxxx>
> >> Subject: Re: [Wireshark-users] How do I change the
> default capture filter
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Date: Friday, August 7, 2009, 3:28 AM
> >> Interesting!
> >> I would like to display filter on 200 known IPs,
> which if
> >> not practical 
> >> in the GUI.
> >> Could I put the filter into one of the dfiles
> found in the
> >> filders tab?
> >> Or is there perhaps a better way?
> >>     
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>          
>    mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>