Hi,
We have a custom in-house pcap tool that has a mapping of protocol (numeric) values to names, and the internal tool supports specifying the protocols by name in a capture filter expression, so one can do that instead of providing the protocol number in hex or decimal for the capture filter expression.
I tried the same on tcpdump and Wireshark but, among the names, the only filter expression that works there is "ip proto l2tp". I didn't check that the actual captured packets match it, as I don't have the setup to generate that traffic either, but the tool didn't fail complaining about an invalid filter.
The name mapping of the in-house tool has
for ethertype protocols:
- ip
- ip4
- ip6
- arp
- lldp
- slow
- pae
and for ip protocols:
- icmp
- igmp
- tcp
- udp
- esp
- ah
- icmp6
- vrrp
- l2tp
So I'm just curious: is l2tp the only one that will work for tcpdump and Wireshark, or are there other names (even ones the in-house tool hasn't mapped) that work that I'm just not aware of?
Or is tcpdump's and Wireshark's acceptance of the l2tp string value a bug instead?
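The following is an added example, not code from the poster's in-house tool or from libpcap. It translates the in-house names into the numeric form that tcpdump and Wireshark capture filters accept on any host, so the filter no longer depends on which names the local system happens to resolve. The EtherType and IP protocol numbers in the tables are the IANA assignments; the example assumes that libpcap resolves a non-keyword name in `ip proto <name>` through the C library's getprotobyname(), i.e. the host's /etc/protocols, which would explain why "l2tp" (IANA protocol 115, present in most /etc/protocols files) is accepted while the EtherType names like "lldp" or "slow" are not. The regex, function names and fallback table are this example's own.

```python
"""Rewrite protocol names in a capture filter into numeric form.

Added example. The numbers are IANA EtherType and IP protocol assignments;
the only input it was written against is the name list from the post.
"""
import re
import socket

# IANA EtherType values for the names the in-house tool maps.
ETHERTYPE = {
    "ip": 0x0800, "ip4": 0x0800, "ip6": 0x86DD, "arp": 0x0806,
    "lldp": 0x88CC, "slow": 0x8809, "pae": 0x888E,
}

# IANA IP protocol numbers, used when the host's /etc/protocols lacks a name.
IP_PROTO_FALLBACK = {
    "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "esp": 50, "ah": 51,
    "icmp6": 58, "vrrp": 112, "l2tp": 115,
}


def resolve_ip_proto(name):
    """Return the IP protocol number for a name.

    First tries the C library's getprotobyname() (the host's /etc/protocols,
    assumed here to be the lookup libpcap performs for 'ip proto <name>'),
    then falls back to the embedded IANA table so the result is the same on
    hosts whose /etc/protocols is missing or incomplete.
    """
    try:
        return socket.getprotobyname(name)
    except OSError:
        pass
    if name in IP_PROTO_FALLBACK:
        return IP_PROTO_FALLBACK[name]
    raise ValueError(f"unknown IP protocol name: {name}")


def resolve_ethertype(name):
    """Return the EtherType for one of the in-house link-layer names."""
    if name in ETHERTYPE:
        return ETHERTYPE[name]
    raise ValueError(f"unknown EtherType name: {name}")


# Matches 'ip proto NAME', 'ip6 proto NAME' and 'ether proto NAME' where NAME
# is alphabetic; numeric operands (6, 0x88cc) are deliberately not matched.
_PROTO_RE = re.compile(r"\b(ip|ip6|ether)\s+proto\s+([A-Za-z][A-Za-z0-9-]*)\b")


def to_numeric_filter(expr):
    """Rewrite name operands of proto clauses to numbers.

    'ip proto l2tp or ether proto lldp' becomes
    'ip proto 115 or ether proto 0x88cc'; clauses that are already numeric
    and all other filter syntax are passed through unchanged.
    """
    def repl(match):
        qualifier, name = match.group(1), match.group(2)
        if qualifier == "ether":
            return f"ether proto 0x{resolve_ethertype(name):04x}"
        return f"{qualifier} proto {resolve_ip_proto(name)}"
    return _PROTO_RE.sub(repl, expr)


if __name__ == "__main__":
    for expr in ("ip proto l2tp", "ether proto lldp or ether proto slow",
                 "ip6 proto icmp6 and not ip proto 17"):
        print(f"{expr!r:45} -> {to_numeric_filter(expr)!r}")
```

To confirm that a rewritten expression is accepted without capturing anything, compile it with `tcpdump -d '<filter>'`, which prints the compiled BPF program and exits; the same expression can then be pasted into Wireshark's capture filter field.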