aaronf's profile - activity

2020-06-24 15:27:32 +0000 commented answer reference outer most eth.type

final filter is as follows -Y "frame.protocols ~ \"^eth:ethertype:ip:tcp\" or frame.protocols ~ \"^eth:ethertype:vlan:

2020-06-24 09:29:44 +0000 commented answer reference outer most eth.type

perhaps if you can do some minor regex-like searching, you could do some pretty interesting filtering e.g. frame.proto

2020-06-24 09:20:06 +0000 commented answer reference outer most eth.type

a better way is partial string frame.protocols ~ eth:ethertype:ip:tcp otherwise it only counts tcp packets it can't dec

2020-06-24 08:10:56 +0000 commented answer reference outer most eth.type

looks like we can do it this way frame.protocols == eth:ethertype:ip:tcp

2020-06-23 12:57:07 +0000 marked best answer reference outer most eth.type

Is there any way to reference the outer most eth.type value in a display filter?

e.g. we are filtering on eth.type == 0x0800 (ipv4) packets. Because some packets are encapsulated with another ethernet header the display filter is matching on both outer and inner ethernet frames. Our specific goal is to filter on the outer most ethernet frame.

here's the display filter

eth.type == 0x0800 and ip.proto == 6 and tcp.option_kind==5

Example packet in question

Frame 332259: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Ethernet II, Src: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9), Dst: Optium_80:00:16 (00:0e:52:80:00:16)
    Destination: Optium_80:00:16 (00:0e:52:80:00:16)
    Source: JuniperN_bd:97:d9 (7c:e2:ca:bd:97:d9)
    Type: IPv4 (0x0800)
    Frame check sequence: 0xd06b73f1 [unverified]
    [FCS Status: Unverified]
Internet Protocol Version 4, Src: 61.197.167.247, Dst: 130.128.255.152
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 112
    Identification: 0xc804 (51204)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x51a3 [validation disabled]
    [Header checksum status: Unverified]
    Source: 61.197.167.247
    Destination: 130.128.255.152
User Datagram Protocol, Src Port: 1701, Dst Port: 9348
Layer 2 Tunneling Protocol
Point-to-Point Protocol
PPP Bridging Control Protocol Bridged PDU
Ethernet II, Src: AlliedTe_92:65:06 (00:1a:eb:92:65:06), Dst: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Destination: Toshiba_3b:0b:88 (b8:6b:23:3b:0b:88)
    Source: AlliedTe_92:65:06 (00:1a:eb:92:65:06)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 230
Internet Protocol Version 4, Src: 172.217.25.232, Dst: 192.168.230.72
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0x408b (16523)
    Flags: 0x0000
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (6)
    Header checksum: 0xd486 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.217.25.232
    Destination: 192.168.230.72
Transmission Control Protocol, Src Port: 443, Dst Port: 50112, Seq: 1, Ack: 2, Len: 0
    Source Port: 443
    Destination Port: 50112
    [Stream index: 18591]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Sequence number (raw): 450123849
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 2    (relative ack number)
    Acknowledgment number (raw): 1913214286
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window size value: 369
    [Calculated window size: 369]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x7bfa [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), SACK
        TCP Option - No-Operation (NOP)
        TCP Option - No-Operation (NOP)
        TCP Option - SACK 1-2
            Kind: SACK (5)
            Length: 10
            left edge = 1 (relative)
            right edge = 2 (relative)
            [TCP SACK Count: 1]
    [SEQ/ACK analysis]
    [Timestamps]

Edit 1:

Looking at this some more, the display filter is working ... (more)
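To make the behaviour behind this question and the later comments concrete, here is an added Python model (not part of the thread and not Wireshark's own code) of the two matching rules in play: a field comparison such as eth.type == 0x0800 is true when any occurrence of that field anywhere in the frame matches, while frame.protocols is one colon-joined string of the layer names, so a regex anchored with ^ tests only the outermost layers. The frames are constructed, the names of the tunnel layers (udp, l2tp, ppp, bcp) and the combined anchored regex are assumptions made for illustration, and the model also covers the 802.1Q variant and a frame whose TCP payload is dissected further as TLS.

```python
import re

# Constructed dissection models (not real captures): each frame is an ordered
# list of (protocol, fields). Protocol names follow the frame.protocols
# spelling seen in the thread (eth, ethertype, vlan, ip, tcp); udp, l2tp, ppp
# and bcp for the tunnel layers are assumptions made for illustration.
FRAMES = {
    # Ordinary TCP segment carrying a SACK option (option kind 5).
    "plain_sack": [
        ("eth", {"eth.type": 0x0800}), ("ethertype", {}),
        ("ip", {"ip.proto": 6}),
        ("tcp", {"tcp.option_kind": [1, 1, 5]}),
    ],
    # Same, but the TCP payload is dissected further as TLS.
    "plain_sack_tls": [
        ("eth", {"eth.type": 0x0800}), ("ethertype", {}),
        ("ip", {"ip.proto": 6}),
        ("tcp", {"tcp.option_kind": [1, 1, 5]}), ("tls", {}),
    ],
    # 802.1Q-tagged TCP segment with SACK.
    "vlan_sack": [
        ("eth", {"eth.type": 0x8100}), ("ethertype", {}),
        ("vlan", {}), ("ethertype", {}),
        ("ip", {"ip.proto": 6}),
        ("tcp", {"tcp.option_kind": [1, 1, 5]}),
    ],
    # Shape of frame 332259 from the question: the SACK-carrying TCP segment
    # sits inside an L2TP/PPP bridged tunnel, behind a second Ethernet header.
    "l2tp_tunnelled": [
        ("eth", {"eth.type": 0x0800}), ("ethertype", {}),
        ("ip", {"ip.proto": 17}), ("udp", {}), ("l2tp", {}), ("ppp", {}), ("bcp", {}),
        ("eth", {"eth.type": 0x8100}), ("ethertype", {}),
        ("vlan", {}), ("ethertype", {}),
        ("ip", {"ip.proto": 6}),
        ("tcp", {"tcp.option_kind": [1, 1, 5]}),
    ],
}


def protocols(frame):
    """Equivalent of frame.protocols: every layer name joined with ':'."""
    return ":".join(name for name, _ in frame)


def field_values(frame, field):
    """All occurrences of a field across every layer, outermost first."""
    values = []
    for _, fields in frame:
        v = fields.get(field)
        if v is not None:
            values.extend(v if isinstance(v, list) else [v])
    return values


def field_eq(frame, field, value):
    """'field == value' is true if ANY occurrence of the field equals value."""
    return value in field_values(frame, field)


def original_filter(frame):
    """The question's filter: eth.type == 0x0800 and ip.proto == 6 and tcp.option_kind == 5."""
    return (field_eq(frame, "eth.type", 0x0800)
            and field_eq(frame, "ip.proto", 6)
            and field_eq(frame, "tcp.option_kind", 5))


def protocols_exact(frame, stack):
    """frame.protocols == "stack": whole-string equality, so extra inner layers break it."""
    return protocols(frame) == stack


def protocols_contains(frame, pattern):
    """frame.protocols ~ "pattern" without an anchor: matches anywhere in the string."""
    return re.search(pattern, protocols(frame)) is not None


def protocols_anchored(frame, pattern):
    """frame.protocols ~ "^pattern": the match must start at the outermost layer."""
    return re.search("^" + pattern, protocols(frame)) is not None


# Assumed combined regex: outermost stack is eth -> ip -> tcp, optionally with
# one 802.1Q tag in between; no trailing '$', so deeper dissection (e.g. tls)
# is still accepted.
OUTERMOST_TCP = r"eth:ethertype:(vlan:ethertype:)?ip:tcp"


def outermost_tcp_sack(frame):
    """SACK option on a TCP segment that is NOT tunnelled inside another frame."""
    return protocols_anchored(frame, OUTERMOST_TCP) and field_eq(frame, "tcp.option_kind", 5)


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:16} original={original_filter(frame)!s:5} "
              f"outermost={outermost_tcp_sack(frame)!s:5} {protocols(frame)}")
```

Running the block prints one line per constructed frame. The tunnelled frame passes the original filter because its outer Ethernet header is IPv4, its inner IP header is TCP and its inner TCP header carries SACK, each matched independently; the anchored frame.protocols test rejects it because the string starts with eth:ethertype:ip:udp. Note that an unanchored regex for the VLAN stack still matches the tunnelled frame, since that stack appears after the bcp layer, and that exact equality on frame.protocols misses any frame Wireshark dissects one layer deeper.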

2020-06-23 12:57:07 +0000 received badge  Scholar (source)
2020-06-23 12:57:04 +0000 received badge  Supporter (source)
2020-06-23 12:57:02 +0000 commented answer reference outer most eth.type

Thanks, sounds like I need a different approach

2020-06-22 17:02:03 +0000 edited question reference outer most eth.type

reference outer most eth.type Is there any way to reference the outer most eth.type value in a display filter? e.g. we

2020-06-22 17:01:37 +0000 received badge  Rapid Responder (source)
2020-06-22 17:01:37 +0000 answered a question reference outer most eth.type

Looking at this some more, the display filter is working as the outer level Eth protocol is IPv4. Hmm.. guess referencin

2020-06-22 16:54:33 +0000 edited question reference outer most eth.type

reference outer most eth.type Is there any way to reference the outer most eth.type value in a display filter? e.g. we

2020-06-22 16:54:15 +0000 received badge  Editor (source)
2020-06-22 16:54:15 +0000 edited question reference outer most eth.type

reference outer most eth.type Is there any way to reference the outer most eth.type value in a display filter? e.g. we

2020-06-22 16:34:15 +0000 asked a question reference outer most eth.type

reference outer most eth.type Is there any way to reference the outer most eth.type value in a display filter? e.g. we