vurverse.blogg.se

Wireshark capture filter ip address








Try this filter instead:

(ip.src[0]==32 && ip.src[3]==98) || (ip.dst[0]==32 && ip.dst[3]==98)

Those values, 32 and 98, are the hexadecimal values for 50 and 152, respectively. The filter uses the slice operator to isolate the 1st and 4th bytes of the source and destination IP address fields. This filter also avoids any potential problems with whether name resolution is enabled or not, as ip.host isn't necessarily guaranteed to match "\.152$" if name resolution is enabled.

Note that you might be tempted to use a simpler filter such as:

ip.addr[0]==32 && ip.addr[3]==98

Unfortunately, this doesn't work reliably because it will actually match the 1st byte of either the source or destination address as well as the 4th byte of either the source or destination IP address. For example, if the source address was 50.xxx.xxx.100 and the destination address was .152, then the packet would still match the filter, as the 1st byte of the source address would match as well as the last byte of the destination address.

Refer to the wireshark-filter man page for more information about the slice operator and Wireshark display filters in general.

The capture filter I ended up writing to capture only IP packets with a non-zero DSCP field is as follows.

ip and (not ip[1] & 0xfc = 0x0)

Let’s break this capture filter down.

An example Wireshark capture filter for filtering IP host addresses within an ERSPAN session from Cisco ACI:

ip proto 0x2f and ((ip[54:4]=0x0A7B7B7B) or (ip[58:4]=0x0A7B7B7B))

0x0A7B7B7B represents an IP address in hex format. Important: The offset (54 / 58 in my example) can change.

Open Wireshark and start the capturing process as described above. Open your command prompt and ping the address of your choice. Go back to Wireshark and stop the capture.
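Added example (not code from the original page): a small Python model of the filters discussed above, showing why the ip.addr form over-matches, how the 0xfc mask ignores the two ECN bits of the DS byte, and how a dotted address becomes the hex constant used in the ERSPAN filter. The function names and sample addresses are constructed for illustration, and the offsets are passed in as parameters because they depend on the encapsulation.

```python
import ipaddress


def _octets(addr):
    """Return the four raw bytes of a dotted IPv4 address."""
    return ipaddress.IPv4Address(addr).packed


def tempting_filter_matches(src, dst, first, last):
    # Models ip.addr[0]==first && ip.addr[3]==last: each test is satisfied
    # by EITHER address, so the two bytes may come from different addresses.
    addrs = (_octets(src), _octets(dst))
    return any(a[0] == first for a in addrs) and any(a[3] == last for a in addrs)


def sliced_filter_matches(src, dst, first, last):
    # Models (ip.src[0]==.. && ip.src[3]==..) || (ip.dst[0]==.. && ip.dst[3]==..):
    # both bytes must belong to the same address.
    return any(a[0] == first and a[3] == last for a in (_octets(src), _octets(dst)))


def sliced_display_filter(first, last):
    # Slice comparisons take hexadecimal byte values, hence 50 -> 32, 152 -> 98.
    f, l = format(first, "02x"), format(last, "02x")
    return (f"(ip.src[0]=={f} && ip.src[3]=={l}) || "
            f"(ip.dst[0]=={f} && ip.dst[3]=={l})")


def nonzero_dscp(ds_byte):
    # ip[1] is the second byte of the IP header; 0xfc keeps the six DSCP
    # bits and drops the two low-order ECN bits.
    return (ds_byte & 0xFC) != 0


def erspan_host_filter(inner_ip, src_off, dst_off):
    # Encode the address as the 4-byte hex constant compared by ip[off:4].
    h = "0x{:08X}".format(int(ipaddress.IPv4Address(inner_ip)))
    return f"ip proto 0x2f and ((ip[{src_off}:4]={h}) or (ip[{dst_off}:4]={h}))"


if __name__ == "__main__":
    # Constructed sample packet: no single address is 50.x.x.152.
    src, dst = "50.1.1.100", "10.1.1.152"
    print("ip.addr form matches:", tempting_filter_matches(src, dst, 50, 152))
    print("ip.src/ip.dst form matches:", sliced_filter_matches(src, dst, 50, 152))
    print(sliced_display_filter(50, 152))
    print("DS byte 0xb8 non-zero DSCP:", nonzero_dscp(0xB8))
    print("DS byte 0x03 non-zero DSCP:", nonzero_dscp(0x03))
    print(erspan_host_filter("10.123.123.123", 54, 58))
```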








