Wireshark: Specifying a Protocol Stack Layer in Display Filters
The release of Wireshark 4.0.0 brings many new features, especially for the display filter syntax.
Specifying a protocol stack layer is one of the new syntax features. But let me first explain what the problem is, and then we can talk about the solution that the new syntax brings.
Take the following packet capture: it shows failed attempts to establish a TCP connection. 192.168.10.10 sends a TCP SYN packet to 192.168.10.1, and this is followed by a "reply": 192.168.10.1 sends an ICMP packet (Destination unreachable) to 192.168.10.10. This happens 3 times (because the TCP stack tries 2 retransmissions and then gives up).
I use the following display filter: ip.src == 192.168.10.10
So I only want to see packets that come from 192.168.10.10. But although that display filter is applied, I still see the ICMP packets coming from 192.168.10.1.
Why is that? Because the ICMP packets embed the IP packets that caused the error:
So these ICMP packets have 2 ip.src fields: one for the outer IP packet and one for the IP packet contained in the ICMP packet (which is itself contained in the outer IP packet).
And that is why the display filter is showing all packets. It shows the TCP SYN packets because ip.src matches 192.168.10.10, and it shows the ICMP packets because they contain a field ip.src that also matches 192.168.10.10.
The solution the new syntax brings is that one can explicitly specify the protocol stack layer that should be matched, like this: ip.src#layer, where layer is a number.
Display filter "ip.src#1 == 192.168.10.10" selects all packets whose IP header on the first layer matches ip.src == 192.168.10.10.
So that means that only the TCP SYN packets are displayed:
Display filter "ip.src#2 == 192.168.10.10" selects all packets whose IP header on the second layer matches ip.src == 192.168.10.10.
So that means that only the ICMP packets are displayed:
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com