Network Filter on Encapsulated IP Header

asked 2023-12-11 15:02:17 +0000

I'm new to Wireshark and hoping to learn. I have a PCAP taken from a VMware source using a GRE / ERSPAN III. I'm trying to filter on the source IP address (this part is fine) and filter to hide the corporate network 10.0.0.0/8 from the inner IP header.

I am able to filter on the destination IP, but when I filter something like "!ip.dst eq 10.0.0.0/8" then there are no packets in my view. My assumption is because this network is used in the parent header to my capture host.

I have seen some examples in my search of how to use an offset to filter on the inner header, but not only have I not been able to get that to work, but I need to filter this whole network range rather than just 1 IP or a list of IPs.

All of my packets have these layers in Wireshark before the 2nd inner IPv4 Header.

  • Frame
  • Ethernet II
  • Internet Protocol Version 4
  • Generic Routing Encapsulation (ERSPAN III)
  • Encapsulated Remote Switch Packet ANalysis Type III
  • Ethernet II
  • Internet Protocol Version 4

Can anyone help fill in what I'm missing here?

1 Answer

answered 2023-12-11 15:18:16 +0000

Chuckc

updated 2023-12-11 15:18:42 +0000

If you're using a somewhat current version of Wireshark, look at filtering using a "layer operator":
What’s New In Wireshark 4.0?

WSUG: 6.4.5. The Layer Operator

Comments

Hey that worked perfectly!!! Thank you so much. I've been racking my brain around this for like 2 / 3 hours straight. I really appreciate your help.

otj-learning (2023-12-11 15:38:29 +0000)
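
An added example, not part of the original thread: with the layer operator the filter from the question can be written as `!(ip.dst#2 == 10.0.0.0/8)`, where `#2` selects the second IPv4 layer. The Python below does the same test at the byte level by walking the layer stack listed in the question. The function names, the sample frame and its addresses are constructed for illustration, and it assumes untagged, untruncated Ethernet frames.

```python
import ipaddress
import struct

CORP = ipaddress.ip_network("10.0.0.0/8")  # range from the question

def ipv4_at(frame, off):
    """Parse Ethernet II + IPv4 at off; return (dst, protocol, payload offset)."""
    if struct.unpack_from("!H", frame, off + 12)[0] != 0x0800:
        return None                              # inner frame is not IPv4
    ip = off + 14
    ihl = (frame[ip] & 0x0F) * 4
    dst = ipaddress.ip_address(frame[ip + 16:ip + 20])
    return dst, frame[ip + 9], ip + ihl

def inner_dst(frame):
    """Destination of the second IPv4 header in an ERSPAN III frame, else None."""
    outer = ipv4_at(frame, 0)
    if outer is None or outer[1] != 47:          # 47 = GRE
        return None
    gre = outer[2]
    flags, proto = struct.unpack_from("!HH", frame, gre)
    if proto != 0x22EB:                          # GRE protocol type for ERSPAN III
        return None
    # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each.
    erspan = gre + 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
    # 12-byte ERSPAN III header; the O bit adds an 8-byte platform subheader.
    inner_eth = erspan + 12 + (8 if frame[erspan + 11] & 0x01 else 0)
    inner = ipv4_at(frame, inner_eth)
    return inner[0] if inner else None

def keep(frame):
    """True when the inner destination is absent or outside CORP."""
    dst = inner_dst(frame)
    return dst is None or dst not in CORP

def sample(outer_dst, inner_dst_ip):
    """Constructed test frame, not taken from a real capture."""
    def eth_ip(dst, proto):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), ipaddress.ip_address(dst).packed)
        return bytes(12) + b"\x08\x00" + ip
    gre = struct.pack("!HHI", 0x1000, 0x22EB, 1)   # S bit set, sequence 1
    erspan = bytes([0x20]) + bytes(11)             # version 2, O bit clear
    return eth_ip(outer_dst, 47) + gre + erspan + eth_ip(inner_dst_ip, 6)

if __name__ == "__main__":
    # Outer destination is in 10.0.0.0/8 in both frames, as in the question.
    print(keep(sample("10.1.1.1", "198.51.100.7")), keep(sample("10.1.1.1", "10.2.3.4")))
```

Both sample frames have an outer destination inside 10.0.0.0/8, so a check that looks at any IPv4 layer would hide both; only the second is hidden when the test is limited to the inner header.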
