Wireshark mailing list archives
Re: Filtering on fields in tunnel headers
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Wed, 12 Sep 2012 09:01:38 +0200
Hi,Currently there's no way to filter on ip{inner}/ip{outer} in a packet. If it's ip it's ip it's ip; s/ip/<your proto>/g. That can be a strength (like catching ICMP) and a weakness (like in tunnels). This would require some fundamental dissection and display filter work.
Thanks, Jaap On 09/11/2012 11:30 PM, Martin Isaksson wrote:
Hi all! If I have a packet with protocols like eth:vlan:ip:udp:gtp:ip:tcp, is there a way to filter in one of the IP headers only? I know I can do frame[22:2] == D4:DD (here IP ID of first IP header), but it's not very dynamic, so if for some reason the bytes are in different places, this would fail. Another work-around I've tried is to list one of the IP IDs with tshark and grep. Thanks, Martin
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Filtering on fields in tunnel headers Martin Isaksson (Sep 11)
- Re: Filtering on fields in tunnel headers Jaap Keuter (Sep 12)
- Re: Filtering on fields in tunnel headers Sake Blok (Sep 12)
- Re: Filtering on fields in tunnel headers Martin Isaksson (Sep 13)
- Re: Filtering on fields in tunnel headers Sake Blok (Sep 12)
- Re: Filtering on fields in tunnel headers Jaap Keuter (Sep 12)