Wireshark-users: Re: [Wireshark-users] Filtering on fields in tunnel headers

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 12 Sep 2012 09:01:38 +0200
Hi,

Currently there's no way to filter on ip{inner}/ip{outer} in a packet. If it's ip it's ip it's ip; s/ip/<your proto>/g. That can be a strength (like catching ICMP) and a weakness (like in tunnels). This would require some fundamental dissection and display filter work.

Thanks,
Jaap

On 09/11/2012 11:30 PM, Martin Isaksson wrote:
Hi all!
If I have a packet with protocols like eth:vlan:ip:udp:gtp:ip:tcp, is there a
way to filter in one of the IP headers only?
I know I can do frame[22:2] == D4:DD (here IP ID of first IP header), but it's
not very dynamic, so if for some reason the bytes are in different places, this
would fail.
Another work-around I've tried is to list one of the IP IDs with tshark and grep.
Thanks,
Martin