How can I use the display filter in Network Monitor to include a protocol I specify that excludes address ranges I trust?

Folks -

I'm interested in doing a capture using Network Monitor 3.4 where I'd like to see ICMP/PING traffic that is destined for addresses I do not trust.

So for instance... let us say that I trust segment 192.168.x.x/24 and I trust 167.80.x.x/24 but I want to see ICMP traffic destined for *ALL ADDRESS THAT DO NOT FALL INTO THOSE SEGMENTS*... how can I do this?

Sadly, Network Monitor doesn't support simple wildcarding.  So I'd like help crafting a query.  I have a server that is attempting to ping strange addresses and in my enterprise, I only have a few trusted segments.  I want to find where it's going above and beyond my trusted segments.

Hopefully this makes sense.  Thanks in advance.
Who is Participating?
amendalaConnect With a Mentor Author Commented:
I am insistent on using Network Monitor.  :)  I personally find WireShark to be quite a disaster and honestly negligibly more more powerful than Network Monitor - at least for what I do.  This particular filter though is one I've never had to define so it stumped me for a bit.  I do very much appreciate your reply, thank you for taking the time to write.

The following filter is what I used (with my real segment addresses removed):

!(IPv4.DestinationAddress > AND IPv4.DestinationAddress <
!(IPv4.DestinationAddress > AND IPv4.DestinationAddress <

This removes the most common noise and excludes my "trusted" segments.  It shows me precisely what I'm after.  If I wanted to see ICMP traffic only, I could add "AND ICMP" to the end.
I hope you're not too partial to M$ free tools.  :^p

Though Network Monitor has its place, it takes an excessive amount of work to accomplish what other products offer in a few clicks of a button. Network Monitor has limited capabilities.  

I'd like to suggest using the open-source/free edition industry standard WireShark

Here's the filter to use with WireShark

ip.src== and ip.dst== and ip.src== and  ip.dst==

Most filters can be created on the fly!

WireShark's Filters can be found HERE.

If you're still insistent on using Network Monitor, I will assist with the solution.
amendalaAuthor Commented:
Answered my own question.  The filter I requested, I provided the text for.
amendalaAuthor Commented:
Additionally, if further "trusted" segments needed to be added, the last two lines can be repeated over and over again with other segments.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.