Hi,
Currently there's no way to filter on ip{inner}/ip{outer} in a packet. If it's
ip it's ip it's ip; s/ip/<your proto>/g. That can be a strength (like catching
ICMP) and a weakness (like in tunnels). This would require some fundamental
dissection and display filter work.
Thanks,
Jaap
On 09/11/2012 11:30 PM, Martin Isaksson wrote:
Hi all!
If I have a packet with protocols like eth:vlan:ip:udp:gtp:ip:tcp, is there a
way to filter in one of the IP headers only?
I know I can do frame[22:2] == D4:DD (here IP ID of first IP header), but it's
not very dynamic, so if for some reason the bytes are in different places, this
would fail.
Another work-around I've tried is to list one of the IP IDs with tshark and grep.
Thanks,
Martin