Have you ever tried to remove records in Wireshark to and from a specific IP address? I played with funneling traffic from a program through a proxy server and wanted to check whether the program sends any requests that ignore the proxy settings. This is a simple task for tools like Wireshark: start it, hide every record going through the proxy, and check whether anything else remains.
TL/DR: Use !(ip.addr == 10.1.2.200) if you want to hide packets from or to 10.1.2.200.
The key is hiding every record going through the proxy with IP address 10.1.2.200. Wireshark's filter expression provides the attribute ip.addr, which matches either the source or the destination address of IP packets. This is where it gets tricky. The expression
ip.addr != 10.1.2.200
will not work. Since ip.addr corresponds to the source or the destination address, the above expression translates to
Show packet if:
(source is not 10.1.2.200) or (destination is not 10.1.2.200)
Only packets sent from the proxy to the proxy itself are filtered out, and such packets would never reach my computer anyway. So the above filter is effectively a no-op.
The solution is to select all the packets that we would like to filter out and then invert the expression:
!(ip.addr == 10.1.2.200)
which translates to
Show packet if:
not ((source is 10.1.2.200) or (destination is 10.1.2.200))
or equivalently
Show packet if:
(source is not 10.1.2.200) and (destination is not 10.1.2.200)
This is exactly what we need to hide packets from or to an IP address.
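To make the difference concrete, here is an added Python model of the filter semantics described above (it is not Wireshark's own code). It treats ip.addr as a field with two occurrences per packet, source and destination, where a comparison is true if any occurrence satisfies it; the proxy address and the sample packets are constructed for the illustration.

```python
# Model of how a display filter evaluates the multi-valued field ip.addr.
# Every IP packet contributes two occurrences of ip.addr: its source and its
# destination. A comparison on such a field is true if ANY occurrence
# satisfies it, which is why "ip.addr != X" hides almost nothing while
# "!(ip.addr == X)" hides every packet that touches X.

PROXY = "10.1.2.200"  # constructed proxy address, as in the text

# Constructed sample capture: (source, destination) pairs.
PACKETS = [
    ("192.168.1.10", "10.1.2.200"),     # my host -> proxy
    ("10.1.2.200", "192.168.1.10"),     # proxy -> my host
    ("192.168.1.10", "93.184.216.34"),  # direct request that bypasses the proxy
    ("10.1.2.200", "10.1.2.200"),       # proxy -> proxy: the only packet "!=" removes
]


def ip_addr(packet):
    """All occurrences of ip.addr in this packet (source and destination)."""
    return list(packet)


def ip_addr_eq(packet, value):
    """ip.addr == value: true if any occurrence equals value."""
    return any(addr == value for addr in ip_addr(packet))


def ip_addr_ne(packet, value):
    """ip.addr != value under any-occurrence semantics: true if any
    occurrence differs, i.e. (src != value) or (dst != value)."""
    return any(addr != value for addr in ip_addr(packet))


def not_ip_addr_eq(packet, value):
    """!(ip.addr == value): true only if no occurrence equals value,
    i.e. (src != value) and (dst != value)."""
    return not ip_addr_eq(packet, value)


def apply_filter(predicate, packets=PACKETS, value=PROXY):
    """Return the packets a display filter built from predicate would show."""
    return [p for p in packets if predicate(p, value)]


if __name__ == "__main__":
    print("ip.addr != proxy  shows:", apply_filter(ip_addr_ne))
    print("!(ip.addr == proxy) shows:", apply_filter(not_ip_addr_eq))
```

Running it shows the first filter keeping every packet except the proxy-to-proxy one, while the second keeps only the request that bypassed the proxy, which is the traffic the investigation is looking for.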