While working with users, I’ve noticed scenarios where filtering traffic based on a CIDR or an IP range just isn’t enough control. I wanted to explore another option—wildcard netmask filters! Let’s walk through how they work, and how they can be applied.

Understanding the Wildcard Filter

The wildcard filter is similar to variable-length subnets. To make the most of these filters, we’ll need a decent understanding of what a netmask is. I think it’s safe to assume we’ve all worked with netmasks in the past, but a quick review never hurts!

IP addresses are 32 bits long, printed as 32 binary digits each. Typically IPs are referenced in the byte format X.X.X.X. Each X contains 8 bits. For example the IP address 192.168.1.1 can also be represented as 11000000.10101000.00000001.00000001

To break that down, let’s walk through converting the above IP from decimal notation to binary.

Byte value reference chart:

128         64           32           16           8              4              2              1

When we’re going from decimal notation to binary, we’ll work from left to right through each octet. Note that the byte reference chart has 8 digits, making an octet. Working with the IP 192.168.1.1, we’ll ask;

    • Does 128 go into 192? Yes—with a remainder of 64
      • Therefore our first bit will be turned on
    • Does 64 go into 64? Yes—with a remainder of 0
      • So we’ll turn on our second bit

Since we’re left with no remainders, we know the following 6 bits are turned off. The first octet’s binary value is 11000000. If we continue through the remaining octets, we’ll end up with the binary value of 11000000.10101000.00000001.00000001

Using the Wildcard Filter

So now that we’ve revisited some old theory, how can we apply this to our wildcard network filters? The wildcard filters make use of the same logic, with the exception that they are ignoring the bits that are turned on.

Let’s look at a quick example:

Using the wildcard filter

In this example, I have a network that I want to filter on, which is 10.0.11.3. The wildcard mask I apply is essentially telling Scrutinizer, “ignore the bits that are turned on—or red—and show me other networks like this one (while excluding the addresses I don’t care to see).”

A few examples of the hosts this filter would return are;

  • 10.1.11.51
  • 10.30.11.3
  • 10.27.11.3
  • 10.26.15.35
  • 10.26.11.3
  • 10.50.20.3

These filter types can provide a lot of granularity in narrowing our search results, outside of the traditional CIDR notation or the semi-tedious work of excluding multiple ranges.

Applying Filters

Let’s take a look at how to apply these filters in Scrutinizer.

From within the reporting interface, click the ‘Add’ button to add a filter. Then choose ‘wildcard mask’:

Scrutinizer filters

Now we can add our required fields and start isolating segments of our network quickly and easily! Note that for more control, these filters can also be applied to just the source/destination or a combination of the two.

Wildcard filter in Scrutinizer

To gain full end-to-end visibility over your network, plus a robust and powerful reporting engine, download and try Scrutinizer for free here!

If you have any questions on filtering functionality, don’t hesitate to contact our support team, or schedule a product overview here.

Jeff Morrison

Jeff Morrison

Jeff Morrison is a Solutions Engineer here at Plixer. He is responsible for travelling on-site to provide assistance with initial deployment, setup and design, in-depth training, and custom configurations. While in the office Jeff is responsible for providing technical assistance on initial overviews, providing training for internal resources, and researching integrations with 3rd-party vendors. When not on the road travelling, he enjoys playing music, riding motorcycles, video games, and spending time with friends and family.

Related