 | 1 | initial version |
An often overlooked aspect of filtering is IP fragments. While filters such as those provided by @bubbasnmp and @jim-aragon (e.g., ip && !(tcp || udp || icmp) will exclude IPv4 packets carrying either TCP, UDP or ICMP payloads, it will only do so in cases where the IP packets are not fragmented or for the 1st fragment when Reassemble fragmented IPv4 datagrams is disabled or for the last (reassembled) packet when is Reassemble fragmented IPv4 datagrams enabled.
If you want to filter out the IP fragments associated with the TCP, UDP or ICMP packets as well, then a better filter is: ip and !(ip.proto == 1 or ip.proto == 6 or ip.proto == 17).
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
