This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filtering inner header

0

I have captured thousands of ERSPAN packets which are in the form of IP IP tunnels. I would like to filter the packets which have ttl == 1 on the inner IP header. But Wireshark filters on the outer header as well. Is there any way to create a filter for the inside header ONLY?

Thanks

Umair

asked 22 Nov '12, 01:57

umairali


One Answer:

1

I don't think there is a normal IP TTL filter that can be applied selectively on only just one of the IP layers.

But maybe you can work with an offset filter, for example "frame[46] == 1" (if offset 46 is the byte where the TTL of the inner IP layer is found - the offset needs to be written as a decimal value). This approach requires all frames to have the same header length before the IP layer you want to filter on, because otherwise the offsets are not always the same.

answered 22 Nov '12, 04:32

Jasper ♦♦

edited 22 Nov '12, 04:33

Thanks Jasper ... I get the point. Probably, I have to add IP to avoid ARP and other non-IP packets etc.

frame[72] == 1 && ip

(22 Nov '12, 05:38) umairali

[I converted your answer to a comment to make it easier to tell question and answers apart]

Yes, adding "ip" is probably a good idea. BTW, if you like my answer you can accept it with the checkmark button on the left :-)

(22 Nov '12, 05:44) Jasper ♦♦
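
Added example (not part of the original thread): a Python sketch that walks a frame's headers and reports the byte offset of every IPv4 TTL, to check whether a fixed offset filter such as frame[72] == 1 holds for a given layout. The frames are constructed and assume ERSPAN Type II (GRE protocol type 0x88BE with a sequence number, then an 8-byte ERSPAN header); the function and helper names are hypothetical.

```python
import struct

ETH_IPV4, ETH_VLAN, GRE_ERSPAN2 = 0x0800, 0x8100, 0x88BE

def skip_ethernet(frame, off):
    """Skip an Ethernet header plus any 802.1Q tags; return (ethertype, next offset)."""
    etype = struct.unpack_from("!H", frame, off + 12)[0]
    off += 14
    while etype == ETH_VLAN:
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    return etype, off

def ipv4_ttl_offsets(frame):
    """Return the frame offset of the TTL byte of every IPv4 header, outermost first."""
    offsets = []
    etype, off = skip_ethernet(frame, 0)
    while etype == ETH_IPV4 and len(frame) >= off + 20 and frame[off] >> 4 == 4:
        offsets.append(off + 8)                      # TTL is byte 8 of the IPv4 header
        proto = frame[off + 9]
        off += (frame[off] & 0x0F) * 4               # IHL, so IP options are skipped
        if proto == 4:                               # IP-in-IP: next header is IPv4
            continue
        if proto != 47:                              # not GRE: no further tunnel layer
            break
        flags, etype = struct.unpack_from("!HH", frame, off)
        # GRE base header plus optional checksum (C), key (K), sequence (S) words
        off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        if etype == GRE_ERSPAN2:                     # ERSPAN II header, then inner Ethernet
            etype, off = skip_ethernet(frame, off + 8)
    return offsets

def ipv4_header(proto, ttl, options=b""):
    """Constructed IPv4 header; only version/IHL, TTL and protocol are filled in."""
    ihl = 5 + len(options) // 4
    return bytes([0x40 | ihl, 0, 0, 0, 0, 0, 0, 0, ttl, proto]) + bytes(10) + options

def erspan_frame(inner_ttl, vlan=False, options=b""):
    """Constructed sample: Eth / IPv4 (TTL 64) / GRE+seq / ERSPAN II / Eth / IPv4."""
    eth = bytes(12) + (b"\x81\x00\x00\x0a" if vlan else b"") + b"\x08\x00"
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN2, 1)
    inner = bytes(12) + b"\x08\x00" + ipv4_header(6, inner_ttl)
    return eth + ipv4_header(47, 64, options) + gre + bytes(8) + inner

if __name__ == "__main__":
    for label, f in [("plain", erspan_frame(1)), ("outer VLAN tag", erspan_frame(1, vlan=True)),
                     ("outer IP options", erspan_frame(1, options=bytes(4)))]:
        print(f"{label}: frame[{ipv4_ttl_offsets(f)[-1]}] == 1 && ip")
```

For the untagged frame without IP options the inner TTL sits at offset 72; a VLAN tag or four bytes of outer IP options moves it to 76, so a single fixed offset silently misses those frames.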