1 | initial version |
E.g. if I filter "tcp", is it actually filtering ip.proto==0x06?
No.
When dissecting packets, if it's doing so in order to display the packet details, or to test a packet-matching expression (called a "display filter", but it's used for purposes other than filtering the display, such as coloring packets), Wireshark builds a "protocol tree" with items for every field in the packet - and for items that include multiple fields.
Most of those fields have names, which means they can be tested in a packet-matching expression. If they have a value, the value can be tested, for example, ip.proto==0x06
tests whether there is an instance of the field named ip.proto
that has the value 0x6.
(Note that there could be more than one instance of a field; if there's some protocol running over IPv4 that provides a "pseudo-wire" that transports Ethernet packets, and the Ethernet packet is an IPv4 packet, there will be two IPv4 headers in the packet, and thus two instances of ip.proto
; if one of them is 0x06, that expression will match, even though the other one might not be 0x06.)
Even if the field doesn't have a name, a packet-matching expression can test whether it's present in a protocols. A filter ip,proto
by itself will test whether the packet has that field.
Protocols also have "fields" associated with them; the field named ip
refers to the IPv4 protocol, the field named ipv6
refers to the IPv6 protocol, and the field named tcp
refers to the TCP protocol, for example.
So, for a TCP packet, the protocol tree might look like:
Frame 16: Bytes bytes on wire (Bytes*8 bits), Bytes bytes captured (Bytes*8 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Month Day, Year HH:MM:SS.FFFFFFFF TZ
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 917071640.531000000 seconds
[Time delta from previous captured frame: 0.329000000 seconds]
[Time delta from previous displayed frame: 0.329000000 seconds]
[Time since reference or first frame: 2.661000000 seconds]
Frame Number: 16
Frame Length: Bytes bytes (Bytes*8 bits)
Capture Length: Bytes bytes (Bytes*8 bits)
[Frame is marked: False]
[Frame is ignored: False]
File Offset: Offset-in-decimal (Offset-in-hex)
[Protocols in frame: eth:ethertype:ip:tcp:{more protocols}]
Ethernet II, Src: XX:XX:XX:XX:XX:XX, Dst: YY:YY:YY:YY:YY:YY
Destination: YY:YY:YY:YY:YY:YY
Address: YY:YY:YY:YY:YY:YY
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: XX:XX:XX:XX:XX:XX
Address: XX:XX:XX:XX:XX:XX
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: XXX.XXX.XXX.XXX, Dst: YYY.YYY.YYY.YYY
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x64 (DSCP: Unknown, ECN: Not-ECT)
0110 01.. = Differentiated Services Codepoint: Unknown (25)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: IP-length
Identification: ID-in-hex (ID-in-decimal)
Flags: 0x40, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: TTL
Protocol: TCP (6)
Header checksum: Checksum-in-hex [validation disabled]
[Header checksum status: Unverified]
Source: XXX.XXX.XXX.XXX
Destination: YYY.YYY.YYY.YYY
Transmission Control Protocol, Src Port: Src-Port, Dst Port: Dst-Port, Seq: 1, Ack: 1, Len: Segment-Len
Source Port: Src-Port
Destination Port: Dst-Port
[Stream index: 0]
[TCP Segment Len: Segment-Len]
Sequence number: 1 (relative sequence number)
Sequence number (raw): SEQ
[Next sequence number: Segment-Len+1 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Acknowledgment number (raw): ACK
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 8760
[Calculated window size: 8760]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xdcb3 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[Bytes in flight: Segment-Len]
[Bytes sent since last PSH flag: Segment-Len]
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
TCP payload (Segment-Len bytes)
...
The "Transmission Control Protocol, Src Port: Src-Port, Dst Port: Dst-Port, Seq: 1, Ack: 1, Len: Segment-Len" line is for the field named tcp
.
So the packet-matching expression tcp
tests whether Wireshark found any TCP in the packet, regardless of whether it ran on top of IPv4, IPv6, or some other protocol.
Another example is something like ipv6 vs ip.version==6
ipv6
tests whether Wireshark found any IPv6 in the packet; ip.version==6
tests whether Wireshark found any field named ip.version
, with a value of 6. ip.version
is the version field of the IPv4 header, so it would have the value 6 only if, for example, you had an Ethernet packet with an Ethernet type of 0x0800, meaning IPv4, but the packet was an IPv6 packet. The version field of the IPv6 header has a different name - it's ipv6.version
, so for an IPv6 packet, the packet-matching expression ipv6.version == 6
should match.