In this post I will explain how to filter a capture at the byte level, using EIGRP packets as the example.
To show only EIGRP packets of one type with a Wireshark display filter:
eigrp.opcode == 1
This displays only EIGRP Updates; change the value to 2 (Request), 3 (Query), 4 (Reply) or 5 (Hello) for the other packet types.
Filter a capture based on byte offset -
Choose an EIGRP Update packet and select the opcode field (1) in the packet detail pane. The matching byte is highlighted in the packet bytes pane (2). Note that the byte 01 sits in the grey area that represents the EIGRP header: the header starts with the byte 02 (the EIGRP version field), and the opcode is the byte right after it. Slice offsets are zero-based, so the opcode is at offset 1, and to match every EIGRP packet whose second byte has the value 01 we use the following string (a leading zero in the offset, as in eigrp[01:1], is accepted but not needed):
eigrp[1:1] == 01
Syntax: <PROTOCOL>[<START_BYTE>:<NUMBER_OF_BYTES>]<OPERATOR><VALUE>
PROTOCOL - the protocol we are filtering, e.g. ip, eigrp, ospf, gre, any protocol Wireshark dissects.
START_BYTE - the zero-based offset, counted from the first byte of that protocol's header, of the first byte we are looking at.
NUMBER_OF_BYTES - how many bytes to compare starting at that offset; in the example above it is 1, so only the single byte at offset 1 is compared.
OPERATOR - any comparison operator: ==, !=, >, <, >=, <=, contains, etc.
VALUE - the expected bytes written in hex; for == it must be exactly NUMBER_OF_BYTES long.
Here is another example, which matches EIGRP packets with the value 002f in the 11th and 12th bytes of the EIGRP header (offsets 10 and 11, which fall in the low half of the 32-bit sequence number field):
eigrp[10:2] == 002f
In Wireshark display filters this slice syntax works for any dissected protocol, so it can match any packet by the byte value at a chosen offset. Capture filters (Wireshark's capture filters and tcpdump both use the libpcap/BPF syntax) support the same idea, but only relative to a fixed set of protocol keywords such as ip, tcp, udp and icmp; there is no eigrp keyword, so the EIGRP opcode has to be addressed relative to the IP header, for example ip proto 88 and ip[21] = 1, which assumes a 20-byte IP header without options (byte 20 is the EIGRP version, byte 21 the opcode).
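To make the two offset schemes concrete, here is an added example in pure Python that is not part of the original post. It builds a constructed EIGRP-over-IPv4 packet (checksums left at zero, so it is test data only), evaluates slice filters of the form proto[offset:length] == hex the way a Wireshark display filter does, and derives the tcpdump-style ip[N] index from the IP header length so the filter stays correct when IP options are present. The EIGRP header layout used (version, opcode, checksum, flags, sequence, ack, virtual router ID, AS number) is the standard 20-byte header; the packet contents, addresses and the helper names are assumptions of this example.

```python
import struct

IP_PROTO_EIGRP = 88  # IP protocol number assigned to EIGRP


def build_eigrp_packet(opcode, sequence, ip_options=b""):
    """Constructed sample packet: IPv4 header (+ optional IP options) followed by
    a 20-byte EIGRP header. EIGRP header layout: version(1) opcode(1) checksum(2)
    flags(4) sequence(4) ack(4) virtual router id(2) autonomous system(2).
    Checksums are left as zero; this is test data, not a packet for the wire."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    eigrp = struct.pack("!BBHIIIHH", 2, opcode, 0, 0, sequence, 0, 0, 100)
    total_len = ihl_words * 4 + len(eigrp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words,  # version 4, header length in 32-bit words
                     0, total_len, 0, 0, 64, IP_PROTO_EIGRP, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 10]))
    return ip + ip_options + eigrp


def eigrp_payload(packet):
    """Return the EIGRP header and everything after it. The start is taken from
    the IHL field rather than assumed to be 20, so slice offsets stay correct
    when IP options are present."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_EIGRP:
        raise ValueError("not an EIGRP packet")
    return packet[ihl:]


def slice_match(data, offset, length, value_hex):
    """Evaluate  proto[offset:length] == value  as a Wireshark slice filter does:
    offset is zero-based, value is hex and must be exactly `length` bytes."""
    want = bytes.fromhex(value_hex)
    if len(want) != length:
        raise ValueError("value has %d byte(s), slice is %d" % (len(want), length))
    return data[offset:offset + length] == want


def bpf_offset(packet, eigrp_offset):
    """Translate eigrp[N] into the ip[M] index tcpdump/BPF needs, since libpcap
    has no eigrp keyword. The commonly quoted ip[21] assumes a 20-byte IP header;
    this computes M from the packet's actual IHL."""
    return (packet[0] & 0x0F) * 4 + eigrp_offset


def tcpdump_filter(packet, eigrp_offset, value):
    """Capture-filter string equivalent to eigrp[eigrp_offset:1] == value."""
    return "ip proto %d and ip[%d] = %d" % (
        IP_PROTO_EIGRP, bpf_offset(packet, eigrp_offset), value)


if __name__ == "__main__":
    update = build_eigrp_packet(opcode=1, sequence=0x2F)
    hello = build_eigrp_packet(opcode=5, sequence=0)
    for name, pkt in (("Update", update), ("Hello", hello)):
        p = eigrp_payload(pkt)
        print("%-6s eigrp[1:1] == 01 -> %s   eigrp[10:2] == 002f -> %s"
              % (name, slice_match(p, 1, 1, "01"), slice_match(p, 10, 2, "002f")))
    print(tcpdump_filter(update, 1, 1))
    # Same packet with four NOP options (type 1) in the IP header: the EIGRP
    # slice offsets do not move, but the BPF ip[] index does.
    with_opts = build_eigrp_packet(opcode=1, sequence=0, ip_options=b"\x01" * 4)
    print(tcpdump_filter(with_opts, 1, 1))
```

The point of bpf_offset is the caveat that matters in practice: a Wireshark slice such as eigrp[1:1] is anchored on the dissected EIGRP header and is immune to IP options, while a capture filter written as ip[21] silently misses packets whose IP header is longer than 20 bytes.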