How to Determine Low Level Filter
Hello,
I'm trying to get an understanding of what is actually being applied to the filter when using quick terms such as tcp.
E.g. if I filter "tcp", is it actually filtering ip.proto==0x06?
I am getting different packet counts for each of these filters and I would like to know if there is a document that contains this type of information for these quick reference type of filters.
Thank you for your help.
Edit: Another example is something like ipv6 vs ip.version==6
Edit 2: I wanted to mention that I am looking for a resource or tool that would help me dissect a display filter. I've used dumpcap -d -f <display filter>, but not exactly what I'm looking for.
Comments
I think you are at the mercy of the logic in the code. Maybe one of the developers will weigh in on this.
Until then, try some experiments:
- add "ip.proto" as a column and compare that to the Protocol column
- to see the difference in TCP packets try filter "tcp && !ip.proto==0x06". The test capture I'm looking at has lots of IPv6 which doesn't have an "ip.proto" field but yet does have TCP packets.
- I didn't get any hits on "ipv6 && !ip.version==0x06" so would be curious what packets in your capture meet that criteria.

Thanks for the advice.
I actually tested what you were suggesting and found that "ip.proto == 0x06" is strictly looking for IPv4 TCP traffic. I believe this filter is actually more similar to "ip[9] == 0x06 or ipv6[6] == 0x06", or simply looking for both IPv4 and IPv6 like you stated.
I was hoping to get the information on a broader spectrum though. I thought there might be a reference that we could input a display filter such as "port 53" and it produces something like "tcp.port == 53 || udp.port == 53"
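The difference the two comments above are circling, as an added example that is not part of the original thread: a toy model of three display-filter rules (a bare protocol name tests presence, a comparison on an absent field is false, and proto[n] slices raw header bytes), run over constructed packets to show why "tcp", "ip.proto == 0x06" and "ip[9] == 0x06 || ipv6[6] == 0x06" give different counts. The packets and the tiny dissector are my own simplification, not Wireshark's code; the Hop-by-Hop case goes beyond the thread to show that even the byte-slice version is not equivalent to "tcp".

```python
import struct

def ipv4(proto):
    """Constructed IPv4 packet: 20-byte header, protocol number in byte 9."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return {"raw": {"ip": hdr}, "ip": True, "ip.proto": proto,
            {6: "tcp", 17: "udp"}.get(proto): True}

def ipv6(proto, hop_by_hop=False):
    """Constructed IPv6 packet: byte 6 is Next Header. With a Hop-by-Hop extension
    header that byte is 0 and the transport protocol number moves to byte 40."""
    nxt = 0 if hop_by_hop else proto
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 20, nxt, 64, bytes(16), bytes(16))
    if hop_by_hop:
        hdr += bytes([proto, 0]) + bytes(6)  # 8-byte Hop-by-Hop header
    return {"raw": {"ipv6": hdr}, "ipv6": True, "ipv6.nxt": nxt,
            {6: "tcp", 17: "udp"}.get(proto): True}

def has(pkt, proto):
    """Bare protocol name: true when that layer was dissected at all."""
    return proto in pkt

def eq(pkt, name, value):
    """field == value: false (not an error) when the packet has no such field."""
    return pkt.get(name) == value

def byte(pkt, proto, offset, value):
    """proto[offset] == value: compares a byte of the raw layer, if present."""
    raw = pkt["raw"].get(proto)
    return raw is not None and raw[offset] == value

FILTERS = {
    "tcp": lambda p: has(p, "tcp"),
    "ip.proto == 0x06": lambda p: eq(p, "ip.proto", 6),
    "ip[9] == 0x06 || ipv6[6] == 0x06":
        lambda p: byte(p, "ip", 9, 6) or byte(p, "ipv6", 6, 6),
    # "!ip.proto == 0x06" is "not (ip.proto == 0x06)", so it holds for every IPv6 packet
    "tcp && !ip.proto == 0x06": lambda p: has(p, "tcp") and not eq(p, "ip.proto", 6),
}

# Constructed sample capture: 2x IPv4/TCP, IPv4/UDP, IPv6/TCP, IPv6/UDP, IPv6+HopByHop/TCP
SAMPLE = [ipv4(6), ipv4(6), ipv4(17), ipv6(6), ipv6(17), ipv6(6, hop_by_hop=True)]

def count_matches(packets=SAMPLE):
    """Displayed-packet count per filter, as the status bar would report it."""
    return {expr: sum(1 for p in packets if test(p)) for expr, test in FILTERS.items()}

if __name__ == "__main__":
    for expr, n in count_matches().items():
        print(f"{n:>2}  {expr}")
```

Wireshark's own dftest utility compiles a display filter and prints the bytecode it will actually run, which is the closest thing to the reference the question asks for.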