I'm trying to write a filter to use with WinDivert, to block all TCP connections, except for an IP.
When I write
outbound && ip && (tcp.DstPort == 80 || tcp.DstPort == 443) && tcp.PayloadLength > 0
it blocks all connections. But when I write
outbound && ip &&
(tcp.DstPort == 80 || tcp.DstPort == 443) &&
tcp.PayloadLength > 0 && ip.src != 91.198.174.192
everything is still blocked and the IP address is not open.
I think my filter is not correct, and any help will be appreciated.
Thank you
The property ip.src does not exist, but ip.SrcAddr does (case sensitive!).
But if the filter is addressed to outbound, then you may mean the destination address (ip.DstAddr), so you need to type:
outbound && ip.DstAddr != x.x.x.x
TIP: you can check the expression using the "netfilter.exe" tool, download from here (extract the folder, open the command line in the x86_64 or x86 folder, and run it followed by a string argument that represents the filter expression).
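The difference between the source and destination fields on outbound traffic, as an added example that is not part of the original question or answer. It is a plain-Python model of the three filter predicates, not WinDivert itself; the local address, the second remote address and the sample packets are constructed for illustration.

```python
# Added illustration: models the filter predicates in Python; it does not call WinDivert.
from dataclasses import dataclass

ALLOWED = "91.198.174.192"  # the exempt address from the question
LOCAL = "192.168.1.10"      # constructed: address of the sending host

@dataclass(frozen=True)
class Packet:               # every sample packet is IPv4/TCP, so "ip" is always true
    outbound: bool
    src_addr: str
    dst_addr: str
    dst_port: int
    payload_len: int

def base(p):
    """outbound && ip && (tcp.DstPort == 80 || tcp.DstPort == 443) && tcp.PayloadLength > 0"""
    return p.outbound and p.dst_port in (80, 443) and p.payload_len > 0

def src_variant(p):
    """base && ip.SrcAddr != 91.198.174.192"""
    return base(p) and p.src_addr != ALLOWED

def dst_variant(p):
    """base && ip.DstAddr != 91.198.174.192"""
    return base(p) and p.dst_addr != ALLOWED

# Constructed sample traffic.
PACKETS = {
    "https to allowed": Packet(True, LOCAL, ALLOWED, 443, 517),
    "http to other": Packet(True, LOCAL, "203.0.113.7", 80, 120),
    "syn to other": Packet(True, LOCAL, "203.0.113.7", 443, 0),
    "reply from allowed": Packet(False, ALLOWED, LOCAL, 51514, 1400),
}

def matched(pred):
    """Names of the packets the predicate selects, i.e. the ones that get blocked."""
    return [name for name, p in PACKETS.items() if pred(p)]

if __name__ == "__main__":
    for pred in (base, src_variant, dst_variant):
        print(f"{pred.__name__:12} -> {matched(pred)}")
```

On outbound packets the source address is always the local host, so the SrcAddr comparison never excludes anything; only the DstAddr form leaves traffic to the exempt address unmatched.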