This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter on IP Lower (or IP Outer) only


I would like to run an IP filter that only matches the Lower IP. For example, I have a packet that has Ethernet/IPv4/UDP/GPRS/IPv4/UDP/DNS. I would like to do something like

tshark -r file -Y ip -T fields -e ip.src | sort | uniq

When I do this, I get something like

10.132.48.16
10.132.48.26
10.132.48.26,192.168.185.138
10.132.48.26,192.168.67.7
10.132.48.26,192.168.99.4
10.132.48.26,192.168.15.105
10.132.48.26,192.168.15.130

What I've been doing is constructing a set of filters based on the first entry only from those results, and this sort of works, at least in the case of all ipv4 or all ipv6. The problem comes when I try to work with mixed ipv4 and ipv6. I can do the two independently, but I can't seem to figure out which is upper and lower in the case of Ethernet/IPv6/UDP/GPRS/IPv4/UDP/DNS or Ethernet/IPv4/UDP/GPRS/IPv6/UDP/DNS

Any suggestions would be greatly appreciated.

asked 25 Jun '14, 16:23


wyrmwood

edited 25 Jun '14, 16:26


One Answer:


Just add "-E occurrence=l" to your options in tshark, to always give the last field value (in this case, always the inner IP) rather than giving all values for the ip.src field.

Also, since you're piping it out in Unix, another non-tshark way to always get the inner would be to pipe it to sed. Something like this, before your uniq, would work to replace all text up to the last comma and leave the last IP value:

| sed s/.*[,]//g

answered 25 Jun '14, 17:45


Quadratic

edited 25 Jun '14, 17:56

Thanks for the advice but I'm actually looking for the opposite (the lower or outer IP). And it works well in the case of tunneled ip over ip or tunneled ipv6 over ipv6. The problem is where the lower and upper ip are mixed (ipv4 in lower and ipv6 in upper) as the filter produces only one ip. Since it takes two filters, there's really no way of telling when there's only one address whether it is gateway or tunneled.

(26 Jun '14, 05:48) wyrmwood

Oh, if it is just the outer then kill the UDP dissection and you will only see the outside address, whether v4 or v6. A cheaper way would be to decode the port as something other than GTP, with something like this "-d udp.port==2152,dns". That will break the second IP header from being dissected, so it won't get pulled by the -T fields flag.

(26 Jun '14, 08:50) Quadratic
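The two post-processing options discussed in this thread (the sed from the answer for the inner/last address, and its mirror image for the outer/first address) as an added example that is not part of the original post. The sample input is constructed to look like the ip.src output in the question; tshark itself is not run here, and the commented tshark invocations only restate the flags named above (-E occurrence=f/l and -d udp.port==2152,dns).

```shell
#!/bin/sh
# Constructed sample of `tshark -r file -Y ip -T fields -e ip.src` output,
# one line per packet. A comma-joined line is a packet carrying two IPv4
# headers: the outer GTP transport address first, the inner user address last.
SAMPLE='10.132.48.16
10.132.48.26
10.132.48.26,192.168.185.138
10.132.48.26,192.168.67.7
10.132.48.26,192.168.99.4'

# Outer (first) ip.src per line: drop everything from the first comma on.
# Post-processing equivalent of `tshark ... -E occurrence=f -e ip.src`.
outer_src() { sed 's/,.*//' | LC_ALL=C sort -u; }

# Inner (last) ip.src per line: drop everything up to the last comma.
# This is the sed from the answer, equivalent of `-E occurrence=l`.
inner_src() { sed 's/.*,//' | LC_ALL=C sort -u; }

# Lines with a comma are packets where a second IP header was dissected;
# with mixed v4/v6 tunnels ip.src alone cannot reveal this, which is why the
# thread's other suggestion is to stop the inner dissection at the capture
# level, e.g. `tshark -r file -d udp.port==2152,dns -T fields -e ip.src -e ipv6.src`.
tunneled_count() { grep -c ',' ; }

# Convenience wrappers so the results can be inspected or checked.
outer_list()  { printf '%s\n' "$SAMPLE" | outer_src | tr '\n' ' '; }
inner_list()  { printf '%s\n' "$SAMPLE" | inner_src | tr '\n' ' '; }
tunneled()    { printf '%s\n' "$SAMPLE" | tunneled_count; }

echo "outer: $(outer_list)"
echo "inner: $(inner_list)"
echo "packets with an inner IPv4 header: $(tunneled)"
```

Run it as-is to see the two address sets side by side; to apply it to a real capture, replace the `printf '%s\n' "$SAMPLE"` with the tshark command from the question and keep the `sort -u` in place of `sort | uniq`.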