Guy Harris wrote:
> ronnie sahlberg wrote:
> > the filter "ip.flags.df" will check if the field DF exists in the
> > packet or not, regardless of what value it has (i.e. if it is SET or
> > CLEAR).
> > It will essentially find all IP packets since every IP packet has a
> > DF flag (which is either SET or CLEAR).
>
> ...and if you want to check whether it's *set*, you do:
>
>     ip.flags.df == 1
>
> or, to check whether it's *clear*:
>
>     ip.flags.df == 0
>
> I.e., even for Boolean variables, you have to test with == to test the
> value; the name of a field, by itself, tests whether the field is
> present or not, not whether, if it's Boolean, it's set.
Thanks for the clarifications. My apologies for asking about the
'ip.flags.df' conditions -- for those I should have understood that
behavior from the docs.
What I'm still a little surprised about is the case where I tried this:
'ip.flags.df == 1'
and got out *both* packets. I fully expected to get out the first
packet, because it has DF=1 in its IP header. It seems very strange to
me that I also get out the second packet. It is ICMP, and has DF=0 in
its IP header, but I'm guessing from Ronnie Sahlberg's message that the
packet is passing the filter because the ICMP message contains an IP
header in its payload, and *that* IP header has DF=1. Is that the
reason it passes the filter?
If so, is there a way to specify a filter that restricts its attention
to the outermost IP header, ignoring inner IP headers? Or in general
that lets you pick which level of IP header you want to test fields in?
Perhaps something like this?
ip.ip.flags.df == 1
Where that would only match packets that have an outer IPv4 header, and
inner IPv4 header, and the inner IPv4 header had DF=1?
Thanks,
Andy Fingerhut
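The behaviour Andy describes follows from how display filters are evaluated: a comparison such as `ip.flags.df == 1` is true if *any* occurrence of the field in the packet matches, and an ICMP error message carries a second IPv4 header (the quoted header of the packet that triggered the error) inside its payload. The script below is an added example, not code from the thread or from the Wireshark project. It constructs the two packets from the question (a TCP segment with DF set, and an ICMP Destination Unreachable whose outer header has DF clear but whose quoted inner header has DF set), lists every DF value found, and contrasts the "any occurrence" semantics with an "outermost header only" check. The packet bytes, addresses and the helper names are all constructed for illustration; checksums are left zero.

```python
"""Why 'ip.flags.df == 1' matches an ICMP error whose outer IP header has DF=0.

Added example (not Wireshark code). All packets below are constructed inline.
"""
import struct

# ICMP types whose payload quotes the IP header of the offending datagram
# (Destination Unreachable, Source Quench, Redirect, Time Exceeded, Parameter Problem).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
IP_FLAG_DF = 0x4000  # Don't Fragment bit in the 16-bit flags/fragment-offset word


def ipv4_header(src, dst, proto, payload_len, df):
    """Build a minimal 20-byte IPv4 header (checksum left zero: constructed data)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = IP_FLAG_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, src, dst)


def parse_ipv4(data):
    """Return (df, proto, payload) for an IPv4 header at the start of data, else None."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", data[6:8])[0]
    df = 1 if flags_frag & IP_FLAG_DF else 0
    return df, data[9], data[ihl:]


def df_occurrences(packet):
    """Every DF value in the packet, outermost first, descending into ICMP error payloads."""
    values = []
    parsed = parse_ipv4(packet)
    while parsed:
        df, proto, payload = parsed
        values.append(df)
        if proto == 1 and len(payload) >= 8 and payload[0] in ICMP_ERROR_TYPES:
            # The quoted IP header follows the 8-byte ICMP header.
            parsed = parse_ipv4(payload[8:])
        else:
            parsed = None
    return values


def filter_df_any(packet, value):
    """Display-filter semantics of 'ip.flags.df == value': true if any occurrence matches."""
    return value in df_occurrences(packet)


def filter_df_outermost(packet, value):
    """Stricter check that only looks at the outermost IPv4 header."""
    occ = df_occurrences(packet)
    return bool(occ) and occ[0] == value


# --- constructed sample packets -------------------------------------------------
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])

# Packet 1: a TCP SYN with DF set (20-byte TCP header, no options, checksum zero).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PACKET_TCP_DF = ipv4_header(SRC, DST, 6, len(TCP_HDR), df=True) + TCP_HDR

# Packet 2: ICMP Destination Unreachable, code 4 (fragmentation needed and DF set),
# sent back with DF clear, quoting the first 28 bytes of packet 1.
ICMP_MSG = struct.pack("!BBHI", 3, 4, 0, 0) + PACKET_TCP_DF[:28]
PACKET_ICMP = ipv4_header(DST, SRC, 1, len(ICMP_MSG), df=False) + ICMP_MSG


if __name__ == "__main__":
    for name, pkt in (("tcp", PACKET_TCP_DF), ("icmp", PACKET_ICMP)):
        print(name, "DF occurrences:", df_occurrences(pkt),
              "| any==1:", filter_df_any(pkt, 1),
              "| outermost==1:", filter_df_outermost(pkt, 1))
```

Both packets pass `filter_df_any(pkt, 1)`, which is exactly what Andy saw with `ip.flags.df == 1`; only the TCP packet passes the outermost-only check. In recent Wireshark releases (4.0 and later) the layer operator gives the outermost-only form directly, `ip.flags.df#1 == 1`, where `#1` selects the first (outermost) occurrence of the field.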