Wireshark 4.4’s IP Address Functions, (Mon, Sep 9th)

Category :

SANS Full Feed

Posted On :

New IP address functions have been added in Wireshark 4.4 (if you use Wireshark on Windows, there’s a bug in release 4.4.0: the DLL with these functions is missing, it will be included in release 4.4.1; all is fine with Linux and Mac versions of Wireshark).

These are the functions:

They are explained in the Wireshark filter manual under “Functions”.

Function ip_rfc1918, for example, returns True when the argument of this function is a private use IPv4 address. It can be used as a display filter, like this:

These functions can also be used in custom columns, like function ip_special_name that returns the IP special-purpose block name as a string:

To summarize: these functions were introduced with Wireshark release 4.4, but this will not work only if you are using Windows version 4.4.0. I used release candicate 4.4.1 to take these screenshots, as the missing dll (ipaddress.dll) is present in that package.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.