The Official Wireshark Blog

IPv4 Exhaustion FAQ

by Gerald Combs

Categories: Humor
Tags: faq Humor ipv6

Q: What does IPv4 exhaustion mean? Can’t you give IPv4 some Red Bull?
A: As everyone knows, the Internet was constructed by Theodore Roosevelt in 1895 using an old-growth forest and a thousand buffalo hides. He created a giant “pool” to hold all of the Internet’s numbers. While quite large for its time, the pool is much too small to handle the demands of today’s Internet.

Q: When will the pool run out?
A: In about eight and a half minutes.

Q: What will happen then?
A: The entire Internet will grind to a halt. It will shudder comically as it does so.

Q: But how will I get to Twitter? I gotta have my tweets.
A: In recognition of its role as the most important web site ever, the final IP address will be reserved for Twitter. In order to get there you will have to defeat an opponent in a cage match. You will get to choose between a crowd shouting “Two packets enter! One packet leaves!” or the Star Trek fight theme.

Q: Can’t I have something cool like Eye of the Tiger or that one Van Halen song that sounds like a motivational poster?

Capture Filters and Offsets

by Gerald Combs

Categories: Tip

A couple of questions have come up on the wireshark-users mailing list recently about using capture filters for MPLS and VLANs. Each user was having the same problem yet these are different network technologies — what do they have to do with each other?

The answer is offsets.

Let’s take an up-close and personal look at the capture filter “ip src host 10.16.32.48”. We can do this by running tcpdump -d, which takes a filter, compiles it, and dumps out the result. The dump of our filter looks like this:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) jeq      #0xa102030       jt 4    jf 5
(004) ret      #96
(005) ret      #0

If this makes no sense don’t worry. You just need to know that the first two lines look for the IP ethertype (0x800) starting at byte 12 and the next two lines look for the IP address 10.16.32.48 (0xa102030) starting at byte 26. This is the minimum amount of checking required for that capture filter if you’re running IP over Ethernet.

What happens if you’re using 802.1q?
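As an added example (not code from the original post or the Wireshark project), the following interprets the six instructions from the dump over constructed frames and goes one step beyond the text: an 802.1Q tag inserts 4 bytes (TPID 0x8100 plus the tag) after the MAC addresses, so the ethertype moves to byte 16 and the source address to byte 30, and the unchanged filter drops the tagged frame. The names `run_filter`, `shift_loads` and `frame` are hypothetical, and the shifted program is hand-made here, not tcpdump output.

```python
import socket
import struct

# The six instructions from the dump above, as (op, k, jt, jf).
# tcpdump -d prints jt/jf as absolute instruction numbers.
PROGRAM = [
    ("ldh", 12, None, None),
    ("jeq", 0x800, 2, 5),
    ("ld", 26, None, None),
    ("jeq", 0xa102030, 4, 5),
    ("ret", 96, None, None),
    ("ret", 0, None, None),
]

def run_filter(program, packet):
    """Interpret the ldh/ld/jeq/ret subset; return bytes to capture (0 = drop)."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ret":
            return k
        if op == "jeq":
            pc = jt if acc == k else jf
            continue
        size = 2 if op == "ldh" else 4   # ldh = 16-bit load, ld = 32-bit load
        if k + size > len(packet):
            return 0                      # a load past the end rejects the packet
        acc = int.from_bytes(packet[k:k + size], "big")
        pc += 1

def shift_loads(program, delta):
    """Hypothetical helper: move every load offset by delta bytes."""
    return [(op, k + delta if op in ("ldh", "ld") else k, jt, jf)
            for op, k, jt, jf in program]

def frame(src_ip, vlan_id=None):
    """Constructed sample: Ethernet II + bare IPv4 header, optional 802.1Q tag."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    return macs + tag + struct.pack("!H", 0x0800) + ip

if __name__ == "__main__":
    plain, tagged = frame("10.16.32.48"), frame("10.16.32.48", vlan_id=100)
    print("untagged, original offsets:", run_filter(PROGRAM, plain))   # 96
    print("tagged,   original offsets:", run_filter(PROGRAM, tagged))  # 0
    print("tagged,   offsets + 4     :", run_filter(shift_loads(PROGRAM, 4), tagged))  # 96
```

The shifted program in turn rejects untagged frames, so a capture on a link that carries both kinds of traffic needs a filter that accounts for each offset.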

Video: Custom Wireshark Shortcuts

by Gerald Combs

Categories: Video
I made a video that shows you how to create a Windows shortcut that starts capturing immediately. Watch it now!