Reference outermost eth.type

Is there any way to reference the outermost eth.type value in a display filter?

E.g., we are filtering on eth.type == 0x0800 (IPv4) packets. Because some packets are encapsulated with another Ethernet header, the display filter is matching on both outer and inner Ethernet frames. Our specific goal is to filter on the outermost Ethernet frame.

Here's the display filter:

eth.type == 0x0800 and ip.proto == 6 and tcp.option_kind==5

Example packet in question

Frame 332259: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9), Dst: Optium_80:00:16 (00:0e:52:80:00:16)
    Destination: Optium_80:00:16 (00:0e:52:80:00:16)
    Source: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9)
    Type: IPv4 (0x0800)
    Frame check sequence: 0xd06b73f1 [unverified]
    [FCS Status: Unverified]
Internet Protocol Version 4, Src: 61.197.167.247, Dst: 130.128.255.152
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 112
    Identification: 0xc804 (51204)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x51a3 [validation disabled]
    [Header checksum status: Unverified]
    Source: 61.197.167.247
    Destination: 130.128.255.152
User Datagram Protocol, Src Port: 1701, Dst Port: 9348
Layer 2 Tunneling Protocol
Point-to-Point Protocol
PPP Bridging Control Protocol Bridged PDU
Ethernet II, Src: AlliedTe_92:65:06 (00:1a:eb:92:65:06), Dst: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Destination: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Source: AlliedTe_92:65:06 (00:1a:eb:92:65:06)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 230
Internet Protocol Version 4, Src: 172.217.25.232, Dst: 192.168.230.72
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0x408b (16523)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (6)
    Header checksum: 0xd486 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.217.25.232
    Destination: 192.168.230.72
Transmission Control Protocol, Src Port: 443, Dst Port: 50112, Seq: 1, Ack: 2, Len: 0
    Source Port: 443
    Destination Port: 50112
    [Stream index: 18591]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Sequence number (raw): 450123849
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 2    (relative ack number)
    Acknowledgment number (raw): 1913214286
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window size value: 369
    [Calculated window size: 369]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x7bfa [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), SACK
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - SACK 1-2
            Kind: SACK (5)
            Length: 10
            left edge = 1 (relative)
            right edge = 2 (relative)
            [TCP SACK Count: 1]
    [SEQ/ACK analysis]
    [Timestamps]

Edit 1:

Looking at this some more, the display filter is working, as the outer-level Eth protocol is IPv4. Hmm... guess referencing the outermost ip.proto == 6 would filter this kind of packet out.
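
The matching behaviour described in the question and in Edit 1, modelled as an added example (not part of the original post and not Wireshark code): a display-filter clause holds if any occurrence of the field in the packet matches, so each clause of the filter can be satisfied by a different layer. `LAYERS` is a constructed transcription of the dissection above, the helper names and the names of the field-less tunnel layers are assumptions, and the `layer` argument mirrors the `#N` layer operator available in Wireshark 4.0 and later (e.g. `ip.proto#1 == 6`).

```python
# Constructed model of the dissection of frame 332259 shown above: one entry
# per protocol layer, outermost first, keeping only the fields the filter uses.
# Names of the field-less tunnel layers are illustrative.
LAYERS = [
    ("eth", {"eth.type": [0x0800]}),          # outer Ethernet II
    ("ip", {"ip.proto": [17]}),               # outer IPv4 carrying UDP/L2TP
    ("udp", {}), ("l2tp", {}), ("ppp", {}), ("bcp", {}),
    ("eth", {"eth.type": [0x8100]}),          # inner (bridged) Ethernet II
    ("vlan", {}),
    ("ip", {"ip.proto": [6]}),                # inner IPv4 carrying TCP
    ("tcp", {"tcp.option_kind": [1, 1, 5]}),  # NOP, NOP, SACK
]
# Constructed comparison packet: plain Ethernet/IPv4/TCP with the same options.
PLAIN = [LAYERS[0], ("ip", {"ip.proto": [6]}), LAYERS[-1]]
# Clauses are (field, value, layer); layer=None means "any occurrence".
PAGE_FILTER = [("eth.type", 0x0800, None), ("ip.proto", 6, None),
               ("tcp.option_kind", 5, None)]
OUTER_FILTER = [("eth.type", 0x0800, 1), ("ip.proto", 6, 1),
                ("tcp.option_kind", 5, None)]

def satisfying_layers(layers, field, value):
    """Instances (1 = outermost) of the field's protocol where field == value."""
    proto = field.split(".", 1)[0]
    hits, seen = [], 0
    for name, fields in layers:
        if name == proto:
            seen += 1
            if value in fields.get(field, []):
                hits.append(seen)
    return hits

def matches(layers, clauses):
    """AND of all clauses; an unrestricted clause holds if any layer matches."""
    for field, value, layer in clauses:
        hits = satisfying_layers(layers, field, value)
        if not (hits if layer is None else layer in hits):
            return False
    return True

if __name__ == "__main__":
    for field, value, _ in PAGE_FILTER:
        print(field, "satisfied by instance", satisfying_layers(LAYERS, field, value))
    print("page filter, tunnelled frame:", matches(LAYERS, PAGE_FILTER))
    print("outer-only filter, tunnelled frame:", matches(LAYERS, OUTER_FILTER))
    print("outer-only filter, plain TCP frame:", matches(PLAIN, OUTER_FILTER))
```

In the model, the posted filter matches the tunnelled frame because `eth.type` is satisfied by the outer Ethernet header while `ip.proto` and `tcp.option_kind` are satisfied by the inner IPv4 and TCP headers; pinning `ip.proto` to the first IPv4 instance rejects it.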