Filtering non-local IP traffic with Wireshark
Solution 1
Since traffic bound for the internet will need to go through a router of some sort to get there, the IP packets will be given the MAC address of the router as the destination. You can filter for all packets with the router's MAC address (e.g. eth.dst == 00:0f:66:03:50:a7) as the destination.
Solution 2
No. "Multicast" is a special set of addresses (224/4). "Broadcast" is a special address within a network ("all ones", e.g. the broadcast address for 192.168/16 is 192.168.255.255). You will need to make sure that one of the addresses in the packet is not of the local network.
Solution 3
There is another way to filter out local traffic from egress:
Combine a filter of "only IP traffic" AND "only IP addresses excluding 10.0.0.0/8".
Enter this in the filter window (when running a capture): ip && !(ip.dst==10.0.0.0/8)
If you need to exclude the 192 range: ip && !(ip.dst==192.168.0.0/16)
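The selection rules discussed in the question and answers can be compared side by side. The following is an added example, not code from any of the posters: it applies each rule to a few constructed packets, assuming the capturing host sits on 10.0.0.0/8 and using the documentation address 203.0.113.10 as the internet peer. The function names are hypothetical.

```python
import ipaddress

# Assumption of this example: the capture host sits on 10.0.0.0/8.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed (label, source, destination) samples, not taken from a real capture.
PACKETS = [
    ("outbound", "10.0.0.5", "203.0.113.10"),
    ("return", "203.0.113.10", "10.0.0.5"),
    ("local-unicast", "10.0.0.5", "10.0.0.1"),
    ("multicast", "10.0.0.7", "224.0.0.251"),
    ("directed-broadcast", "10.0.0.7", "10.255.255.255"),
    ("limited-broadcast", "10.0.0.7", "255.255.255.255"),
]

def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET

def is_mcast_or_bcast(addr):
    ip = ipaddress.ip_address(addr)
    return ip in MULTICAST or ip in (LIMITED_BROADCAST, LOCAL_NET.broadcast_address)

def no_mcast_bcast(src, dst):
    # The question's idea: hide only multicast and broadcast destinations.
    return not is_mcast_or_bcast(dst)

def dst_not_local(src, dst):
    # Solution 3's display filter: ip && !(ip.dst==10.0.0.0/8)
    return not is_local(dst)

def one_side_remote(src, dst):
    # Solution 2's criterion (one address is not local), combined here with
    # the multicast/broadcast exclusion. As a display filter:
    # ip && !(ip.src==10.0.0.0/8 && ip.dst==10.0.0.0/8)
    #    && !(ip.dst==224.0.0.0/4) && !(ip.dst==255.255.255.255)
    return not (is_local(src) and is_local(dst)) and not is_mcast_or_bcast(dst)

def shown(rule):
    """Labels of the sample packets that a rule would leave visible."""
    return [label for label, src, dst in PACKETS if rule(src, dst)]

if __name__ == "__main__":
    for rule in (no_mcast_bcast, dst_not_local, one_side_remote):
        print(f"{rule.__name__:16} {shown(rule)}")
```

On these samples, the multicast/broadcast-only rule still shows local unicast traffic, the destination-only rule hides return packets and lets multicast through, and the combined rule shows only the outbound and return packets.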
baobeiii
Updated on September 17, 2022
Comments
-
baobeiii over 1 year
If I capture traffic through my wireless card, I get a ton of different kinds of packets showing up. I'd only like to see traffic that is destined for the internet, i.e., no network stuff that is local. If I use Wireshark as a capture filter for 'no multicast and broadcast' then will all the packets I see only be those that are destined for the internet? Thanks.
-
baobeiii over 13 years: So what filter setting do I need to only see internet destined or internet sourced packets?
-
Ignacio Vazquez-Abrams over 13 years: The one that makes sure that one of the addresses in the packet is not of the local network.
-
RalfFriedl almost 5 years: This will filter out the return packets addressed to the machine.
-
Scott - Слава Україні almost 5 years: Well, the question says “I'd only like to see traffic that is destined for the internet” (emphasis added). In fact, it mentions “destined for the internet” twice. So this answer might be what the OP wants.