Does anyone know the syntax used to create filters for port or IP ranges?
For example, I want to filter on IPs 10.0.0.1-10.0.0.5 (same for port ranges).
Thanks in advance
for port ranges, you can combine geq (greater than or equal to) and leq (less than or equal to) with an AND operator, e.g.:
(port.dst geq 53) and (port.dst leq 442)
will show DNS and HTTP but not HTTPS or SSH requests
for IP, I believe your only option is to use CIDR notation, but you can get as specific as you need to with the subnet mask.
( addr.src in 10.0.0.0/29 )
will show IPs in the range of 10.0.0.0 - 10.0.0.7 (though .0 is the network and .7 is the broadcast in this case, so those 2 shouldn't show up in results)
*edit* Woops, @bradk14 beat me to it!
If you're referring to one of the tabs/pages that has access to the filter builder then I'd do something like this:
( addr.src in 192.168.1.0/24 ) and ((port.dst geq 60) and (port.dst leq 450))
This is just an example that does both functions but you could easily break that up. This basically searches for everything between 192.168.1.0-192.168.1.255 that goes to a destination port between and including 60 through 450.
With the ports you just use geq and leq ("greater than or equal to" and "less than or equal to" respectively).
With the IP I don't think you can use those same operators... it looks like it just has to be an "in" or "not in", and it won't accept a range (192.168.1.0-192.168.1.255), so you do it as a subnet instead (192.168.1.0/24).
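Both answers above make the same point: ports take geq/leq, while addresses only take "in" with a CIDR block, so an arbitrary range like the asker's 10.0.0.1-10.0.0.5 has to be translated into subnets. The Python below is an added example, not code from the thread or from the vendor: it computes the minimal set of CIDR blocks that covers a range exactly, the single smallest block that encloses it (and how many extra addresses that over-matches), builds a filter string in the syntax used in the answers, and checks both forms against a few constructed log records. It assumes the filter language accepts "or" between several "( addr.src in ... )" clauses, which the thread does not state.

```python
import ipaddress

def cidr_cover(first, last):
    """Minimal list of CIDR blocks that covers first..last exactly (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]

def smallest_enclosing_cidr(first, last):
    """Single smallest CIDR block that contains the whole range (may over-match)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(lo.max_prefixlen, -1, -1):
        net = ipaddress.ip_network((lo, prefix), strict=False)
        if hi in net:
            return str(net)

def overmatch_count(first, last):
    """How many addresses the single enclosing block adds beyond the requested range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(smallest_enclosing_cidr(first, last))
    return net.num_addresses - (int(hi) - int(lo) + 1)

def build_filter(nets, port_lo, port_hi, addr_field="addr.src", port_field="port.dst"):
    """Assemble a filter string in the syntax shown in the answers.
    Assumption: several 'in' clauses may be joined with 'or'."""
    ip_clause = " or ".join(f"( {addr_field} in {n} )" for n in nets)
    port_clause = f"(({port_field} geq {port_lo}) and ({port_field} leq {port_hi}))"
    return f"( {ip_clause} ) and {port_clause}"

# Constructed sample records standing in for traffic log rows (not real data).
SAMPLE_LOG = [
    {"src": "10.0.0.3", "dport": 53},    # in range, DNS
    {"src": "10.0.0.6", "dport": 80},    # outside 10.0.0.1-.5 but inside 10.0.0.0/29
    {"src": "10.0.0.1", "dport": 443},   # in range, but HTTPS is above leq 442
    {"src": "10.0.0.5", "dport": 80},    # in range, HTTP
]

def select(records, nets, port_lo, port_hi):
    """Apply the same logic the filter string expresses: address in any block AND port in range."""
    blocks = [ipaddress.ip_network(n) for n in nets]
    return [
        r for r in records
        if any(ipaddress.ip_address(r["src"]) in b for b in blocks)
        and port_lo <= r["dport"] <= port_hi
    ]

if __name__ == "__main__":
    exact = cidr_cover("10.0.0.1", "10.0.0.5")
    single = smallest_enclosing_cidr("10.0.0.1", "10.0.0.5")
    print("exact cover:", exact)
    print("single block:", single, "over-matches", overmatch_count("10.0.0.1", "10.0.0.5"), "addresses")
    print(build_filter(exact, 53, 442))
    print("exact cover hits:", select(SAMPLE_LOG, exact, 53, 442))
    print("single block hits:", select(SAMPLE_LOG, [single], 53, 442))
```

The exact cover for 10.0.0.1-10.0.0.5 is three blocks (10.0.0.1/32, 10.0.0.2/31, 10.0.0.4/31); the single enclosing block is 10.0.0.0/29, which also pulls in .0, .6 and .7, so the record from 10.0.0.6 appears under the /29 filter but not under the exact one. When reviewing logs for a specific host range, that difference decides whether neighbouring hosts show up in your results.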