reference outer most eth.type

asked 2020-06-22 16:34:15 +0000

aaronf
102 ●1 ●3

updated 2020-06-22 17:02:03 +0000

Is there any way to reference the outer most eth.type value in a display filter?

e.g. we are filtering on eth.type == 0x0800 (ipv4) packets. Because some packets are encapsulated with another ethernet header the display filter is matching on both outer and inner ethernet frames. Our specific goal is to filter on the outer most ethernet frame.

heres the display filter

eth.type == 0x0800 and ip.proto == 6 and tcp.option_kind==5

Example packet in question

Frame 332259: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9), Dst: Optium_80:00:16 (00:0e:52:80:00:16)
    Destination: Optium_80:00:16 (00:0e:52:80:00:16)
    Source: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9)
    Type: IPv4 (0x0800)
    Frame check sequence: 0xd06b73f1 [unverified]
    [FCS Status: Unverified]
Internet Protocol Version 4, Src: 61.197.167.247, Dst: 130.128.255.152
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 112
    Identification: 0xc804 (51204)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x51a3 [validation disabled]
    [Header checksum status: Unverified]
    Source: 61.197.167.247
    Destination: 130.128.255.152
User Datagram Protocol, Src Port: 1701, Dst Port: 9348
Layer 2 Tunneling Protocol
Point-to-Point Protocol
PPP Bridging Control Protocol Bridged PDU
Ethernet II, Src: AlliedTe_92:65:06 (00:1a:eb:92:65:06), Dst: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Destination: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Source: AlliedTe_92:65:06 (00:1a:eb:92:65:06)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 230
Internet Protocol Version 4, Src: 172.217.25.232, Dst: 192.168.230.72
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0x408b (16523)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (6)
    Header checksum: 0xd486 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.217.25.232
    Destination: 192.168.230.72
Transmission Control Protocol, Src Port: 443, Dst Port: 50112, Seq: 1, Ack: 2, Len: 0
    Source Port: 443
    Destination Port: 50112
    [Stream index: 18591]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Sequence number (raw): 450123849
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 2    (relative ack number)
    Acknowledgment number (raw): 1913214286
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window size value: 369
    [Calculated window size: 369]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x7bfa [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), SACK
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - SACK 1-2
            Kind: SACK (5)
            Length: 10
            left edge = 1 (relative)
            right edge = 2 (relative)
            [TCP SACK Count: 1]
    [SEQ/ACK analysis]
    [Timestamps]

Edit 1:

Looking at this some more, the display filter is working ... (more)

edit retag flag offensive close merge delete

Comments

Related to your original question - request to handle display filter occurence

Chuckc ( 2020-06-22 18:33:40 +0000 )edit

add a comment

answered 2020-06-23 06:21:14 +0000

Jaap

13720 ●683 ●115

Wireshark has no concept of 'inner' and 'outer' in display filters. It regards the whole packet as a set of fields with values when processed through the display filter system.

edit flag offensive delete link

Comments

Thanks, sounds need a different approach

aaronf ( 2020-06-23 12:57:02 +0000 )edit

And the bug 3791 proposal, adding ordinal numbers to fields, may not be enough to do the trick; see my latest comment on the bug.

Guy Harris ( 2020-06-24 04:39:55 +0000 )edit

looks like we can do it this way

frame.protocols == eth:ethertype:ip:tcp

aaronf ( 2020-06-24 08:10:56 +0000 )edit

a better way is partial string

frame.protocols ~ eth:ethertype:ip:tcp

otherwise it only counts tcp packets it cant decode.

aaronf ( 2020-06-24 09:20:06 +0000 )edit

perhaps if you can do some minior regex like searching, you could do some pretty interesting filtering

e.g

frame.protocols.== *.ip:tcp:*

or 

frame.protocols == eth:ethertype:ip:*:tcp:*

might be an interesting way to deal with encapsulation?

aaronf ( 2020-06-24 09:29:44 +0000 )edit

see more comments

reference outer most eth.type

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

reference outer most eth.type edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

reference outer most eth.type