The header basically says it all. I want to find out the total number of ipv4 packets in a pcap file, that are not TCP,UDP or ICMP. What is the best way to do so?
In the Wireshark Gui?
Display filter: ip.version==4 and !tcp and !udp and !icmp
Then check Displayed: in the status bar lower right.
Thanks for the help! It worked fine.
Enter this display filter:
ip && !(tcp || udp || icmp)and then read the number of displayed packets in the status bar.
An often overlooked aspect of filtering is IP fragments. While filters such as those provided by @bubbasnmp and @jim-aragon (e.g., ip && !(tcp || udp || icmp) will exclude IPv4 packets carrying either TCP, UDP or ICMP payloads, it will only do so in cases where the IP packets are not fragmented or for the 1st fragment when Reassemble fragmented IPv4 datagrams is disabled or for the last (reassembled) packet when is Reassemble fragmented IPv4 datagrams enabled.
If you want to filter out the IP fragments associated with the TCP, UDP or ICMP packets as well, then a better filter is: ip and !(ip.proto == 1 or ip.proto == 6 or ip.proto == 17).
Asked: Apr 25 '0
Seen: 1,703 times
Last updated: Apr 27 '20
