Wireshark Tip: Filtering on Subnet Addresses
- Laura Chappell 
- Feb 20, 2024
Watch out for this "gotcha" when creating capture filters with subnet masking in CIDR format.
DISPLAY FILTERS ALLOW...
Display filters accept any value in the host portion of an IP address written in CIDR notation. For example, you could use ip.addr==10.2.2.2/16 - Wireshark masks the address with the /16 prefix and interprets this display filter as "display packets whose source or destination IP address starts with 10.2."

Even though we don't care about the last 2.2 portion of that address, we can keep it in the display filter - the /16 says we only care about the address's first 16 bits (2 bytes) anyway, so ip.addr==10.2.2.2/16 and ip.addr==10.2.0.0/16 match exactly the same packets.
CAPTURE FILTERS ARE PICKIER...
Capture filters use the libpcap/BPF (Berkeley Packet Filter) syntax, which does not allow anything other than zeros in the host portion of an address written in CIDR notation. For example, the capture filter net 10.2.2.2/16 fails to compile (libpcap reports that non-network bits are set), which Wireshark shows as a red background in the capture filter field and the inability to start a capture.

Instead, you must either fill the address's host portion with zeros, as in net 10.2.0.0/16 (or the equivalent net 10.2.0.0 mask 255.255.0.0)...

or drop that host portion altogether, as in net 10.2, which libpcap treats as the same /16 network.
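To make the difference concrete, here is an added example (my own code, not part of Laura's post or of Wireshark) that emulates both behaviours with Python's standard ipaddress module: the display-filter side masks the address and keeps host bits silently, while the capture-filter side rejects any CIDR with host bits set, exactly as libpcap's net primitive does. The packet list is constructed sample data, not a real capture, and the function names are my own.

```python
"""Emulate how Wireshark display filters and libpcap/BPF capture filters
treat CIDR notation whose host portion is non-zero.

Added example; the helper names are assumptions, not Wireshark or libpcap APIs.
"""
import ipaddress

# Constructed sample "packets" as (source, destination) pairs; not real traffic.
SAMPLE_PACKETS = [
    ("10.2.2.2", "8.8.8.8"),
    ("192.168.1.10", "10.2.77.1"),
    ("10.3.0.5", "10.3.0.6"),
    ("172.16.0.1", "10.2.0.0"),
]


def display_filter_matches(addr: str, cidr: str) -> bool:
    """Emulate Wireshark's display-filter comparison: the /N prefix masks the
    written address, so host bits such as the '2.2' in 10.2.2.2/16 are ignored."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False drops host bits
    return ipaddress.ip_address(addr) in net


def apply_ip_addr_filter(packets, cidr: str):
    """Emulate ip.addr==A/N: keep packets whose source OR destination is in the network."""
    return [
        (src, dst)
        for src, dst in packets
        if display_filter_matches(src, cidr) or display_filter_matches(dst, cidr)
    ]


def capture_filter_accepts(cidr: str) -> bool:
    """Emulate the libpcap check behind 'net A/N': any bit set outside the
    prefix is an error, so 10.2.2.2/16 is refused while 10.2.0.0/16 compiles."""
    try:
        ipaddress.ip_network(cidr, strict=True)  # strict=True raises on host bits
        return True
    except ValueError:
        return False


def capture_filter_for(cidr: str):
    """Return the two BPF spellings the post recommends for a CIDR that libpcap
    would reject: the zero-filled form, and (for octet-aligned prefixes only)
    the short form that simply drops the host portion, e.g. 'net 10.2'."""
    net = ipaddress.ip_network(cidr, strict=False)
    zero_filled = f"net {net.with_prefixlen}"
    short = None
    if net.version == 4 and net.prefixlen in (8, 16, 24):
        octets = str(net.network_address).split(".")
        short = "net " + ".".join(octets[: net.prefixlen // 8])
    return zero_filled, short


if __name__ == "__main__":
    cidr = "10.2.2.2/16"
    print("display filter ip.addr==%s keeps:" % cidr)
    for src, dst in apply_ip_addr_filter(SAMPLE_PACKETS, cidr):
        print("  ", src, "->", dst)
    print("capture filter 'net %s' compiles:" % cidr, capture_filter_accepts(cidr))
    print("use instead:", capture_filter_for(cidr))
```

Note that capture_filter_for only offers the short "net 10.2" spelling when the prefix is /8, /16 or /24; for a prefix such as /20 the zero-filled form net 10.2.0.0/20 (or an explicit mask) is the only option, because dropping whole octets cannot express it.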

Cheers!
-Laura