Hi,
I am trying to find an intermittent duplicate IP on my network
Lots of articles reference the capture filter arp.duplicate-address-frame (although some say it's a display filter???)
When click on the capture filter bookmark (wireshark version 4.4.2) I see no such filter
Do I need to download this from somewhere?
Where can I find it?
Thanks
Display filters.
Display Filter Reference: Address Resolution Protocol
arp.duplicate-address-detected
Duplicate IP address configured Label 1.0.0 to 4.4.2
arp.duplicate-address-frame
Frame showing earlier use of IP address Frame number 1.0.0 to 4.4.2
There are examples in The Ultimate PCAP v20241101.pcapng
Thanks
I don't have enough points to upload a screenshot (whose idea was that!)
This are the only filters I get in the dfilters file in appdata
"Ethernet address 00:00:5e:00:53:00" eth.addr == 00:00:5e:00:53:00
"Ethernet type 0x0806 (ARP)" eth.type == 0x0806
"Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff
"No ARP" not arp
"IPv4 only" ip
"IPv4 address 192.0.2.1" ip.addr == 192.0.2.1
"IPv4 address isn't 192.0.2.1" ip.addr != 192.0.2.1
"IPv6 only" ipv6
"IPv6 address 2001:db8::1" ipv6.addr == 2001:db8::1
"TCP only" tcp
"UDP only" udp
"Non-DNS port" !(udp.port == 53 || tcp.port == 53)
"TCP or UDP port is 80 (HTTP)" tcp.port == 80 || udp.port == 80
"HTTP" http
"No ARP and no DNS" not arp and not dns
"Non-HTTP and non-SMTP to ...WSUG: 6.3. Filtering Packets While Viewing
type the protocol name in the display filter toolbar of the Wireshark window
Or in this case, one of the field names:arp.duplicate-address-detectedarp.duplicate-address-frame
@Lateralleap The upload restrictions are unfortunately due to spammer abuse.
Thanks
What I missed was that it is a Display Filter Expression NOT a Display Filter
I am amazed none of the posts I read mentioned this but clearly it's a wireshark rookie mistake :-)
According to the display filter reference for ARP, the field arp.duplicate-address-frame is present in all versions, 1.0.0 to 4.4.2
OK, many thanks, I have sorted it
I was clicking on the Display Filters menu item
I should have been clicking on the Display Filter Expression menu item
There I found the field name: arp.duplicate-address-frame
Thanks for your help
The Display Filters menu item gives access to a list of named, pre-built, display filters that can be amended as required. See the User Guide section on Defining and Saving Filters.
The Display Filters Expression menu item shows all display filters, allowing the user to "build" a filter by clicking a field and adding conditions. See the User Guide section on The “Display Filter Expression” Dialog Box.
You can also type directly into the display filter text box just below the menu bar that will show "autocomplete" options as you type.
Asked: 2024-12-03 13:05:45 +0000
Seen: 22 times
Last updated: 18 hours ago
