Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at http://www.chappellseminars.com/.

Wednesday, December 1, 2010

Filtering OUT Traffic by IP Address - Aaargh!

Another interesting question was posed at ask.wireshark.org this week - it brings up a topic that I cover in the Wireshark 201: Filtering course (check out the schedule to catch the next free seminar on this topic).

The Question from ActualRandy
I want to see results where neither the destination nor the source is the specified address; here is my filter:

ip.src != 192.168.1.119 && ip.dst != 192.168.1.119

To my surprise, it returns some results with that IP, such as this one:

157 238.065591 192.168.1.1 192.168.1.119 ICMP Destination unreachable (Port unreachable)

The destination on this result is clearly one the filter should have blocked. What's up?

The Quick Answer
Avoid != when filtering OUT traffic to or from an IP address. Instead use this filter (the address is the one ActualRandy wanted to exclude):

!ip.addr == 192.168.1.119

Read it as "not (any IP address field equals 192.168.1.119)": the packet is hidden as soon as any of its IP address fields carries that address. (Wireshark 3.6 and later changed != on fields that occur more than once in a packet, so that ip.addr != x now also means no occurrence equals x; the !ip.addr == x form behaves the same in every release, which is why it remains the safe habit.)

The Long Answer
Sake Blok spent a bit more time explaining what was going on here. First of all, let's talk about the problem with a filter of the form ip.addr != 24.4.7.217 (the filter typed into the display filter bar in the screenshot).

In that screenshot (not reproduced here), Wireshark turned the display filter area yellow to indicate that something is wrong with the filter. Hovering over the field shows a tooltip explaining that the filter may not work as desired.

Here's the first issue with this type of filter. An IP header has two IP address fields, source and destination, and ip.addr matches either of them. A comparison in a display filter is true if any occurrence of the field satisfies it, so ip.addr != 24.4.7.217 really means "some IP address field is not 24.4.7.217". Wireshark looks at the source address first: if it doesn't contain 24.4.7.217, yippee, the comparison is satisfied and the packet is displayed, even when the destination address field does contain 24.4.7.217 (and the same happens the other way round). The only packets this filter hides are those whose source and destination are both 24.4.7.217, which in practice is almost none of them. It's frustrating.

Here's a version of the chart contained in Chapter 9 of the Wireshark Network Analysis book:

Here's the second issue that ActualRandy hit: his filter displayed an ICMP packet. Sake explained this quite eloquently at ask.wireshark.org. Numerous ICMP packets are what I call "two-headed packets": they contain two IP headers, the true IP header and another IP header in the ICMP portion of the packet. ICMP error messages such as Destination Unreachable and Time Exceeded quote the IP header (plus the first 8 bytes) of the datagram that triggered them, and Wireshark dissects that quoted header as a second set of ip.src, ip.dst and ip.addr fields. In ActualRandy's Port Unreachable packet from 192.168.1.1 to 192.168.1.119, the quoted header belongs to the original datagram that 192.168.1.119 sent to 192.168.1.1, so the packet carries ip.dst = 192.168.1.119 in the outer header and ip.dst = 192.168.1.1 in the inner one. ip.dst != 192.168.1.119 is satisfied by the inner occurrence, ip.src != 192.168.1.119 by the outer one, and the packet slips through his filter.

Using the simple !ip.addr == 192.168.1.119 addresses both issues and works like a charm: the == comparison is true if any IP address field, in either header, equals 192.168.1.119, and the leading ! then hides exactly those packets.
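The two failure modes above (ip.addr != x matching whenever either address field differs, and ActualRandy's ip.src/ip.dst filter passing an ICMP error that quotes a second IP header) can be reproduced without a capture file. The following Python is an added example, not code from the original post or from Wireshark: it builds a constructed UDP probe and the ICMP Port Unreachable that quotes it, dissects both IP layers into field occurrences the way Wireshark's packet tree does, and evaluates the three filters under Wireshark's classic "true if any occurrence matches" rule. The packet bytes, ports and the 10.0.0.x addresses are made up, and checksums are left as zero because nothing here verifies them.

```python
"""Model of Wireshark's classic (pre-3.6) display-filter semantics applied to
a packet that carries two IP headers.  Constructed example: byte layouts follow
RFC 791 (IPv4) and RFC 792 (ICMP); checksums are left zero, nothing checks them."""
import struct
import ipaddress

ADDR = "192.168.1.119"   # the address ActualRandy wanted to exclude
ROUTER = "192.168.1.1"


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, ID,
    # flags/fragment offset, TTL, protocol, checksum (zero), source, destination.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def port_unreachable(router, host, original):
    """ICMP type 3 code 3 from router to host, quoting the original datagram's
    IP header plus its first 8 bytes, as RFC 792 requires."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + original[:28]
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def dissect(pkt):
    """Return every (field, value) occurrence the way Wireshark's tree would:
    the header quoted inside an ICMP error is dissected as a second 'ip' layer."""
    fields = []

    def parse_ip(buf):
        ihl = (buf[0] & 0x0F) * 4
        src = str(ipaddress.ip_address(buf[12:16]))
        dst = str(ipaddress.ip_address(buf[16:20]))
        fields.extend([("ip.src", src), ("ip.dst", dst),
                       ("ip.addr", src), ("ip.addr", dst)])
        return buf[9], buf[ihl:]

    proto, rest = parse_ip(pkt)
    if proto == 1:                        # ICMP
        icmp_type = rest[0]
        fields.append(("icmp.type", icmp_type))
        if icmp_type in (3, 11):          # Destination Unreachable, Time Exceeded
            parse_ip(rest[8:])            # inner header -> second set of ip.* fields
    return fields


# Classic semantics: a comparison is true if ANY occurrence of the field satisfies it.
def any_eq(fields, name, value):
    return any(v == value for f, v in fields if f == name)


def any_ne(fields, name, value):
    return any(v != value for f, v in fields if f == name)


def randy_filter(pkt, addr=ADDR):
    """ip.src != addr && ip.dst != addr (ActualRandy's filter)"""
    f = dissect(pkt)
    return any_ne(f, "ip.src", addr) and any_ne(f, "ip.dst", addr)


def ip_addr_ne(pkt, addr=ADDR):
    """ip.addr != addr (the filter that turns the bar yellow)"""
    return any_ne(dissect(pkt), "ip.addr", addr)


def not_ip_addr_eq(pkt, addr=ADDR):
    """!ip.addr == addr (the recommended form)"""
    return not any_eq(dissect(pkt), "ip.addr", addr)


# Constructed traffic: the host probes a closed UDP port on the router, the
# router answers with ICMP Port Unreachable, and one unrelated packet passes by.
PROBE = ipv4_header(ADDR, ROUTER, 17, 8) + udp_datagram(40000, 161)
ICMP_ERR = port_unreachable(ROUTER, ADDR, PROBE)
OTHER = ipv4_header("10.0.0.5", "10.0.0.9", 17, 8) + udp_datagram(1111, 53)

if __name__ == "__main__":
    for name, pkt in [("probe", PROBE), ("icmp_err", ICMP_ERR), ("other", OTHER)]:
        print(f"{name:9s} ip.src!=&&ip.dst!= -> {randy_filter(pkt)!s:5}  "
              f"ip.addr!= -> {ip_addr_ne(pkt)!s:5}  !ip.addr== -> {not_ip_addr_eq(pkt)}")
```

Running it shows the probe hidden by ActualRandy's filter but the ICMP error displayed (True), ip.addr != displaying every one of the three packets, and !ip.addr == hiding both packets that involve 192.168.1.119 while keeping the unrelated one.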

Enjoy!

Laura