This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the capture filter equivalent of the display filter “ip.frag_offset != 0”

0

Thank you. I have one more question. Is ip.frag_offset != 0 (display filter) converted to capture filter syntax ip[7]&0xf != 0? I want to know the right syntax.

asked 04 Oct '13, 08:19


stih
accept rate: 0%

converted 04 Oct '13, 08:34


SYN-bit ♦♦


2 Answers:

3

(I converted the new question in your comment to a new question)

You need to look at the IP RFC to find detailed information about the header structure of an IP packet:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

As you can see, the IP fragment offset is formed by the least significant 5 bits of the 6th octet and the full 7th octet (when counting from 0) of the IP header.

So you will need to get those bytes with "ip[6:2]", then mask the right bits with "ip[6:2] & 0x1fff" and then compare to a value. In your case:

ip[6:2] & 0x1fff != 0

answered 04 Oct '13, 08:40


SYN-bit ♦♦
accept rate: 20%
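As an added example (not part of the answer above), the script below evaluates both expressions on raw IPv4 header bytes the way a BPF capture filter reads them, and shows why the asker's ip[7]&0xf misses most fragments while ip[6:2] & 0x1fff does not. The header builder and its 192.0.2.x addresses are constructed sample data, not taken from any capture.

```python
import struct


def ipv4_header(flags: int, frag_offset: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no options).

    flags is the 3-bit field (0b010 = DF, 0b001 = MF); frag_offset is the
    13-bit offset in 8-byte units. Together they occupy header octets 6-7.
    """
    assert 0 <= flags < 8 and 0 <= frag_offset < 0x2000
    flags_and_offset = (flags << 13) | frag_offset
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, IHL 5 (20-byte header)
        0,                       # type of service
        20,                      # total length (header only in this sample)
        0x1234,                  # identification
        flags_and_offset,        # octets 6-7: 3 flag bits + 13 offset bits
        64,                      # TTL
        17,                      # protocol (UDP)
        0,                       # checksum, left at 0; the filter ignores it
        bytes([192, 0, 2, 1]),   # source, documentation range
        bytes([192, 0, 2, 2]),   # destination, documentation range
    )


def correct_filter_matches(ip: bytes) -> bool:
    """Evaluate  ip[6:2] & 0x1fff != 0  on raw header bytes.

    ip[6:2] is a 2-byte big-endian read at octet 6; the mask drops the
    three flag bits and keeps the 13-bit fragment offset.
    """
    return (int.from_bytes(ip[6:8], "big") & 0x1FFF) != 0


def proposed_filter_matches(ip: bytes) -> bool:
    """Evaluate the asker's candidate  ip[7]&0xf != 0 .

    Only the low nibble of octet 7 is tested, so 9 of the 13 offset bits
    (including every offset that is a multiple of 16) are ignored.
    """
    return (ip[7] & 0x0F) != 0


def compare(flags: int, frag_offset: int) -> tuple:
    """Return (correct_result, proposed_result) for one constructed header."""
    hdr = ipv4_header(flags, frag_offset)
    return correct_filter_matches(hdr), proposed_filter_matches(hdr)


if __name__ == "__main__":
    # unfragmented; first fragment (MF, offset 0); fragment at 16*8 bytes
    for flags, off in ((0, 0), (0b001, 0), (0b001, 16), (0, 3)):
        print(f"flags={flags:03b} offset={off:<3} -> {compare(flags, off)}")
```

tcpdump -d 'ip[6:2] & 0x1fff != 0' prints the compiled BPF program for the filter, which is a quick way to confirm which header bytes a capture filter really loads and masks.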

0

As I directed you before from your earlier question, read the pcap-filter man page and reference RFC 791 to understand the IP header fields better.

answered 04 Oct '13, 08:41


cmaynard ♦♦
accept rate: 20%