Wireshark-users: Re: [Wireshark-users] a question on capture filter
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 24 Sep 2012 12:58:47 -0700
On Sep 24, 2012, at 12:32 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> Try
> 
> 	host 138.56.169.25 and (not host 138.52.69.45) and (not udp port ntp) and (not igmp)

And "host XXX" also checks for ARP packets (by looking at the protocol source and destination addresses); "ip host XXX" checks only the IPv4 source and destination addresses, so

	ip host 138.56.169.25 and (not ip host 138.52.69.45) and (not udp port ntp) and (not igmp)