List of valid "ip proto" by name for capture filter expression

asked 2026-05-07 04:42:09 +0000

cuuld

Hi,

We have a custom in-house pcap tool that has a mapping of numeric protocol values to names, and the internal tool supports specifying the protocols by name in a capture filter expression, so one can do that instead of providing the protocol number in hex or decimal in the capture filter expression.

I tried the same on tcpdump and Wireshark, but among the names, the only filter expression that works there is "ip proto l2tp". I didn't check that the actual captured packets match it, as I don't have the setup to generate that traffic either, but the tool didn't fail complaining about an invalid filter.

The name mapping of the in-house tool has

for ethertype protocols:

  • ip
  • ip4
  • ip6
  • arp
  • lldp
  • slow
  • pae

and for ip protocols:

  • icmp
  • igmp
  • tcp
  • udp
  • esp
  • ah
  • icmp6
  • vrrp
  • l2tp

So I'm just curious: is l2tp the only one that will work for tcpdump and Wireshark, or are there other names (even ones the in-house tool hasn't mapped) that work that I'm just not aware of?

Or is tcpdump's and Wireshark's acceptance of the l2tp string value a bug instead?


Comments

I tried same on tcpdump and wireshark but among the names, the only filter expression that works there is "ip proto l2tp",

How are you specifying the filter to Wireshark? Are you mixing capture and display filters?

Wireshark dfref - l2tp is valid in a Wireshark display filter.
Wireshark man pages -> pcap-filter
l2tp is not in the list of valid protocols for a capture filter.

C:\>wireshark -f ip proto l2tp

wireshark: Invalid argument: l2tp

Usage: wireshark [options] ... [ <infile> ]
Chuckc ( 2026-05-07 13:49:17 +0000 )
Chuckc ( 2026-05-07 13:56:07 +0000 )

1 Answer


answered 2026-05-07 22:06:43 +0000

SYN-bit

updated 2026-05-07 22:07:10 +0000

I tried some of the protocols in your list with both the form <protocol-name> and ip proto <protocol-name>. It seems that they are mutually exclusive. Looking at the BPF manpage, it turns out you need to escape the protocol names that also exist as a proto qualifier with a backslash:

ip proto protocol

True if the packet is an IPv4 packet of protocol type protocol. For this primitive it does not matter whether the IPv4 packet is fragmented or not. Protocol can be a number or one of the names recognized by getprotobyname(3), for example: ah, esp, eigrp (only in Linux with glibc, FreeBSD, NetBSD, DragonFly BSD, macOS, and QNX), icmp, igmp, igrp (only in Haiku and OpenBSD), pim, sctp, tcp, udp or vrrp. Note that most of these example identifiers are also keywords and must be escaped via backslash (\). Note that this primitive does not chase the protocol header chain.

So ip proto \icmp does indeed work. As does ip proto \l2tp.

When doing this in a terminal window on the CLI, the shell might also eat up the \, so you might need to escape the \ with a \ resulting in ip proto \\icmp, or use single quotes (ip proto '\l2tp') to prevent the escaping by the shell.
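As an added example (not from the answer above or from the tcpdump/Wireshark projects), a small Python helper that builds the backslash-escaped "ip proto" form the answer describes, quotes it for the shell, and falls back to the numeric form via the same getprotobyname(3) lookup the man page refers to. The set of pcap keywords it escapes is an assumption (the man page's own examples plus a few other libpcap proto keywords); adjust it to your libpcap build.

```python
import shlex
import socket

# Assumption: protocol names that libpcap's filter grammar also treats as
# keywords, so "ip proto <name>" needs a backslash to force a name lookup.
# Built from the pcap-filter man page examples plus other common libpcap
# proto keywords; extend if your build accepts more.
PCAP_PROTO_KEYWORDS = {
    "tcp", "udp", "icmp", "igmp", "igrp", "pim", "ah", "esp", "vrrp",
    "carp", "sctp", "icmp6",
}


def ip_proto_filter(name: str) -> str:
    """Build an 'ip proto <name>' capture filter. Names that collide with a
    pcap keyword get a backslash so the parser resolves them as protocol
    names; other names (e.g. l2tp) pass through unchanged."""
    if name in PCAP_PROTO_KEYWORDS:
        return f"ip proto \\{name}"
    return f"ip proto {name}"


def shell_form(filter_expr: str) -> str:
    """Single-quote the expression so the shell hands the backslash to
    tcpdump/dumpcap untouched (the quoting the answer recommends)."""
    return shlex.quote(filter_expr)


def proto_number(name: str):
    """Resolve the name through getprotobyname(3), the lookup libpcap uses.
    Returns None when the local protocols database does not know the name
    (an in-house alias such as icmp6 may differ from the system's spelling)."""
    try:
        return socket.getprotobyname(name)
    except OSError:
        return None


def numeric_filter(name: str):
    """Keyword-proof alternative: the numeric form never needs escaping."""
    num = proto_number(name)
    return None if num is None else f"ip proto {num}"


if __name__ == "__main__":
    # The asker's ip-protocol name list, used here as constructed input.
    for n in ["icmp", "igmp", "tcp", "udp", "esp", "ah", "icmp6", "vrrp", "l2tp"]:
        f = ip_proto_filter(n)
        print(f"{n:6} -> {f:18} shell: {shell_form(f):22} numeric: {numeric_filter(n)}")
```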
