arp arp.src.proto_ipv4 wildcard search?

Hi,

Use case: identify what gateway servers on a number of different VLANs use, by identifying what GW the servers ARP for. This is needed since the GW must change IP address prior to a larger network migration.

I know I can see the details I'm after by using the field "arp.src.proto_ipv4", but my problem is that I can't search on this using wildcards.

As far as I can tell (https://www.wireshark.org/docs/dfref/...) the field is simply an IPv4 address field, so I'm unable to use the "matches" keyword which would've given me the opportunity to use regex.

I need to know which servers ARP for a GW IP that ends with ".12", so essentially a display filter such as "arp.src.proto_ipv4 == ..*.12" is what I'm looking for.

Any and all help much appreciated!

Thanks

/Niels

Hi Niels, did you try to make a filter like @cmaynard recommended (slice operator)?

For example this filter: arp.src.proto_ipv4[3] == c

Also I suspect when you use arp.src.proto_ipv4 ==x you're actually looking for the servers that have IP ending with 12 themselves.

Probably you have to use arp.dst.proto_ipv4[3] ==c for matching target IP address? And make a column for "sender IP address" (arp.src.proto_ipv4)

1.1k

Packet_vlad

answered 2018-10-26 07:42:25 +0000, updated 2018-10-26 07:45:59 +0000

edit flag offensive 0 remove flag delete link

Comments

Hi Packet_vlad, no I haven't found that thread, very helpful.

And you're completely right - it's not arp.src.protoipv4 I need, it's arp.src.protoipv4.

Thank you very much, it works!

NJL (2018-10-26 08:00:47 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

arp arp.src.proto_ipv4 wildcard search? edit

Comments

1 Answer

Comments