Filtering non-local IP traffic with Wireshark

0

If I capture traffic through my wireless card, I get a ton of different kinds of packets showing up. I'd only like to see traffic that is destined for the internet, i.e., no network stuff that is local. If I use Wireshark as a capture filter for 'no multicast and broadcast' then will all the packets I see only be those that are destined for the internet? Thanks.

baobeiii

Posted 2010-12-27T04:13:34.777

Reputation: 1

I think you meant not (multicast or broadcast)? – user1686 – 2011-04-01T04:45:18.277

Answers

2

Since traffic bound for the internet will need to go through a router of some sort to get there, the IP packets will be given the MAC address of the router as the destination. You can filter for all packets with the router's MAC address (e.g. eth.dst == 00:0f:66:03:50:a7) as the destination.

Shannon Nelson

Posted 2010-12-27T04:13:34.777

Reputation: 1 287

1

No. "Multicast" is a special set of addresses (224/4). "Broadcast" is a special address within a network ("all ones", e.g. the broadcast address for 192.168/16 is 192.168.255.255). You will need to make sure that one of the addresses in the packet is not of the local network.

Ignacio Vazquez-Abrams

Posted 2010-12-27T04:13:34.777

Reputation: 100 516

So what filter setting do I need to only see internet destined or internet sourced packets? – baobeiii – 2010-12-27T04:26:04.850

The one that makes sure that one of the addresses in the packet is not of the local network. – Ignacio Vazquez-Abrams – 2010-12-27T04:30:08.047

0

There is another way to filter out local traffic from egress: combine a filter of "only IP traffic" AND "only IP addresses excluding 10.0.0.0/8". Enter this in the filter window (when running a capture):

    ip && !(ip.dst==10.0.0.0/8)

If you need to exclude the 192 range:

    ip && !(ip.dst==192.168.0.0/16)

Gerhard

Posted 2010-12-27T04:13:34.777

Reputation: 1

This will filter out the return packets addressed to the machine. – RalfFriedl – 2019-06-10T14:35:02.717

Well, the question says “I'd only like to see traffic that is *destined for* the internet” (emphasis added). In fact, it mentions “destined for the internet” twice. So this answer might be what the OP wants. – Scott – 2019-06-10T22:14:38.240
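Added example (not part of any post above): a Python sketch that compares the three approaches discussed on this page on a few constructed packets, and builds a Wireshark display filter that drops multicast, broadcast and local-to-local traffic while keeping both directions of internet traffic. The local network 192.168.1.0/24, the sample addresses and all function names are assumptions; the "not (multicast or broadcast)" check is approximated at the IP level.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def display_filter(local_cidr):
    """Display filter: IPv4, no multicast/broadcast, and not local-to-local."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    return (f"ip && !(ip.dst=={MULTICAST}) && !(ip.dst=={LIMITED_BROADCAST})"
            f" && !(ip.src=={net} && ip.dst=={net})")

def not_mcast_bcast(src, dst, local_cidr):
    """The question's idea: only drop multicast and broadcast destinations."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    d = ipaddress.ip_address(dst)
    return not (d in MULTICAST or d == LIMITED_BROADCAST
                or d == net.broadcast_address)

def dst_not_local(src, dst, local_cidr):
    """The destination-only filter: ip && !(ip.dst==<local network>)."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    return ipaddress.ip_address(dst) not in net

def is_internet(src, dst, local_cidr):
    """Same decision as display_filter(), evaluated in Python."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in MULTICAST or d == LIMITED_BROADCAST:
        return False
    return not (s in net and d in net)  # at least one end is off the LAN

# Constructed sample packets (203.0.113.5 is a documentation address).
SAMPLES = {
    "outbound":        ("192.168.1.10", "203.0.113.5"),
    "reply":           ("203.0.113.5", "192.168.1.10"),
    "local unicast":   ("192.168.1.10", "192.168.1.20"),
    "mDNS multicast":  ("192.168.1.10", "224.0.0.251"),
    "subnet broadcast": ("192.168.1.10", "192.168.1.255"),
}

def compare(local_cidr="192.168.1.0/24"):
    """Map each sample to (not_mcast_bcast, dst_not_local, is_internet)."""
    return {name: (not_mcast_bcast(s, d, local_cidr),
                   dst_not_local(s, d, local_cidr),
                   is_internet(s, d, local_cidr))
            for name, (s, d) in SAMPLES.items()}

if __name__ == "__main__":
    print(display_filter("192.168.1.0/24"))
    for name, verdicts in compare().items():
        print(f"{name:17} {verdicts}")
```

In the output, excluding only multicast and broadcast still shows local unicast traffic, and the destination-only filter hides replies while letting multicast through.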