Ask Your Question
0

How to find out total number of ip4 packets (that are not TCP,UDP or ICMP)

asked 2020-04-25 14:45:47 +0000

gamma gravatar image

updated 2020-04-25 14:46:30 +0000

The header basically says it all. I want to find out the total number of ipv4 packets in a pcap file, that are not TCP,UDP or ICMP. What is the best way to do so?

edit retag flag offensive close merge delete

3 Answers

Sort by » oldest newest most voted
1

answered 2020-04-25 15:02:40 +0000

Chuckc gravatar image

In the Wireshark Gui?
Display filter: ip.version==4 and !tcp and !udp and !icmp
Then check Displayed: in the status bar lower right.

edit flag offensive delete link more

Comments

Thanks for the help! It worked fine.

gamma gravatar imagegamma ( 2020-04-25 15:08:57 +0000 )edit
1

answered 2020-04-25 15:01:01 +0000

Jim Aragon gravatar image

Enter this display filter:

ip && !(tcp || udp || icmp)

and then read the number of displayed packets in the status bar.

edit flag offensive delete link more
0

answered 2020-04-27 15:58:38 +0000

cmaynard gravatar image

An often overlooked aspect of filtering is IP fragments. While filters such as those provided by @bubbasnmp and @jim-aragon (e.g., ip && !(tcp || udp || icmp) will exclude IPv4 packets carrying either TCP, UDP or ICMP payloads, it will only do so in cases where the IP packets are not fragmented or for the 1st fragment when Reassemble fragmented IPv4 datagrams is disabled or for the last (reassembled) packet when is Reassemble fragmented IPv4 datagrams enabled.

If you want to filter out the IP fragments associated with the TCP, UDP or ICMP packets as well, then a better filter is: ip and !(ip.proto == 1 or ip.proto == 6 or ip.proto == 17).

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-04-25 14:45:47 +0000

Seen: 1,579 times

Last updated: Apr 27 '20