Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Wednesday, December 1, 2010

Filtering OUT Traffic by IP Address - Aaargh!

Another interesting question was posed at this week - it brings up a topic that I cover in the Wireshark 201: Filtering course (check out the schedule to catch the next free seminar on this topic).

The Question from ActualRandy
I want to see results where neither the destination nor the source is the specified address; here is my filter. ip.src != && ip.dst != To my surprise, it returns some results with that IP, such as this one: 157 238.065591 ICMP Destination unreachable (Port unreachable) The destination on this result is clearly one the filter should have blocked. What's up?

The Quick Answer
Avoid the use of != when filtering OUT IP address traffic. Instead use this filter:

!ip.addr ==

The Long Answer
Sake Blok spent a bit more time explaining what was going on here. First of all - let's talk about the problem with a filter beginning with ip.src !=.

As you can see from the image above, Wireshark turned the display filter area yellow to indicate something is wrong. If you hover over the field a tooltip explains that the filter may not work as desired.

Here's the first issue with this type of filter. An IP header has two IP address fields - the source IP address field and the destination IP address field. This filter looks in the IP source address field first. If that field doesn't contain -yippie! The filter matches and the packet will be displayed. If the IP destination address field contains the packet will be displayed as well. It's frustrating.

Here's a version of the chart contained in Chapter 9 of the Wireshark Network Analysis book:

Here's the second issue that ActualRandy hit - his filter displayed an ICMP packet. Sake explained this quite eloquently at Numerous ICMP packets are what I call "two-headed packets" - they contain two IP headers - the true IP header and another IP header in the ICMP portion of the packet.

Using the simple !ip.addr== addresses both issues and works like a charm.
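To make both issues concrete, here is an added example (not code from this post, and not Wireshark's own code) that models the rule the classic display-filter engine applies: a comparison such as ip.addr != X is true as soon as ANY occurrence of that field in the packet satisfies it. The script builds a small constructed trace, including a "two-headed" ICMP Destination Unreachable packet that carries a second IP header in its payload, and runs the three filters from the post over it. The packets and the address 10.1.1.1 are invented placeholders standing in for the address the question elided.

```python
"""Model of how Wireshark's classic display-filter engine compares a
field that occurs more than once in one packet.

Added example, not code from the original post or from Wireshark.
Everything below is constructed: the packets are invented, and
10.1.1.1 is a placeholder for the address the question elided.
The rule modelled is the long-standing one: `field op value` is true
when ANY occurrence of the field satisfies the comparison.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Field = Tuple[str, str]  # (field name, value)


@dataclass
class Packet:
    """A dissected packet reduced to its field occurrences, in order."""
    number: int
    summary: str
    fields: Dict[str, List[str]]


def ip_header(src: str, dst: str) -> List[Field]:
    """One IP header contributes ip.src, ip.dst and two ip.addr occurrences."""
    return [("ip.src", src), ("ip.dst", dst), ("ip.addr", src), ("ip.addr", dst)]


def build_packet(number: int, summary: str, headers: List[List[Field]]) -> Packet:
    fields: Dict[str, List[str]] = {}
    for header in headers:
        for name, value in header:
            fields.setdefault(name, []).append(value)
    return Packet(number, summary, fields)


def any_occurrence(pkt: Packet, name: str, pred: Callable[[str], bool]) -> bool:
    """Classic semantics: a comparison holds if ANY occurrence satisfies it."""
    return any(pred(v) for v in pkt.fields.get(name, []))


def ne(pkt: Packet, name: str, value: str) -> bool:
    """`name != value`: true when at least one occurrence differs from value."""
    return any_occurrence(pkt, name, lambda v: v != value)


def eq(pkt: Packet, name: str, value: str) -> bool:
    """`name == value`: true when at least one occurrence equals value."""
    return any_occurrence(pkt, name, lambda v: v == value)


# The three filters discussed in the post, as predicates over a packet.
def addr_ne(pkt: Packet, addr: str) -> bool:  # ip.addr != X
    return ne(pkt, "ip.addr", addr)


def src_ne_and_dst_ne(pkt: Packet, addr: str) -> bool:  # ip.src != X && ip.dst != X
    return ne(pkt, "ip.src", addr) and ne(pkt, "ip.dst", addr)


def not_addr_eq(pkt: Packet, addr: str) -> bool:  # !ip.addr == X
    return not eq(pkt, "ip.addr", addr)


SUSPECT = "10.1.1.1"  # placeholder for the address being filtered out

# Constructed trace. Packet 4 is a "two-headed" ICMP error: the outer header
# carries the error back to the original sender, and the ICMP payload quotes
# the offending datagram's IP header, so ip.src/ip.dst/ip.addr each occur twice.
TRACE = [
    build_packet(1, "TCP 10.1.1.1 -> 10.1.1.50", [ip_header("10.1.1.1", "10.1.1.50")]),
    build_packet(2, "TCP 10.1.1.50 -> 10.1.1.1", [ip_header("10.1.1.50", "10.1.1.1")]),
    build_packet(3, "DNS 10.1.1.50 -> 10.1.1.2", [ip_header("10.1.1.50", "10.1.1.2")]),
    build_packet(4, "ICMP Destination unreachable (Port unreachable) 10.1.1.50 -> 10.1.1.1",
                 [ip_header("10.1.1.50", "10.1.1.1"),    # outer header: dst IS the suspect
                  ip_header("10.1.1.1", "10.1.1.50")]),  # quoted header of the original datagram
]


def apply_filter(flt: Callable[[Packet, str], bool], addr: str = SUSPECT,
                 trace: List[Packet] = TRACE) -> List[int]:
    """Return the numbers of the packets the display filter would show."""
    return [p.number for p in trace if flt(p, addr)]


if __name__ == "__main__":
    for label, flt in [("ip.addr != X", addr_ne),
                       ("ip.src != X && ip.dst != X", src_ne_and_dst_ne),
                       ("!ip.addr == X", not_addr_eq)]:
        print(f"{label:30} shows packets {apply_filter(flt)}")
```

Run as-is: ip.addr != X shows every packet, because every packet has at least one address that is not X (the first issue); ip.src != X && ip.dst != X correctly hides packets 1 and 2 but still shows the ICMP error in packet 4, because its quoted inner header supplies a second ip.src and ip.dst that differ from X (the second issue); !ip.addr == X shows only packet 3. Note that Wireshark 3.6 and later changed != to mean "all occurrences differ", so on a current release the first two filters behave like the negated form; the !ip.addr == X form gives the same answer on every version, which is why it remains the safe habit.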