Marco van den Bovenkamp wrote:
Wirth Hansueli wrote:
I`m using Ethereal 0.10.0© and want eighter to capture or display a
whole subnet range eg 10.1.2.0/24, no only a single ip address.
I can`t find any documentation or command for that.
Is it possible to do that ?
Yes. Use 'net 10.1.2.0/24' or 'net 10.1.2.0 mask 255.255.255.0' as a
capture filter.
Which *are* documented in recent tcpdump man pages:
net {net}
True if either the IPv4/v6 source or destination address
of the packet has a network number of {net}.
net {net} mask {netmask}
True if the IP address matches {net} with the specific {net-
mask}. May be qualified with src or dst. Note that this
syntax is not valid for IPv6 {net}.
net {net}/{len}
True if the IPv4/v6 address matches {net} with a netmask
{len} bits wide. May be qualified with src or dst.
The equivalent for display filters is
ip.addr == 10.1.2.0/24
which is documented in the ethereal-filter man page:
Classless InterDomain Routing (CIDR) notation can be used to test if an
IPv4 address is in a certain subnet. For example, this display filter
will find all packets in the 129.111 Class-B network:
ip.addr == 129.111.0.0/16
Remember, the number after the slash represents the number of bits used
to represent the network. CIDR notation can also be used with host-
names, as in this example of finding IP addresses on the same Class C
network as 'sneezy':
ip.addr eq sneezy/24
The CIDR notation can only be used on IP addresses or hostnames, not in
variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
not valid (yet).
