The Official Wireshark Blog

Capture Filters and Offsets

Categories: Tip

A couple of questions have come up on the wireshark-users mailing list recently about using capture filters for MPLS and VLANs. Each user was having the same problem yet these are different network technologies — what do they have to do with each other?

The answer is offsets.

Let’s take an up-close and personal look at the capture filter “ip src host 10.16.32.48”. We can do this by running tcpdump -d, which takes a filter, compiles it, and dumps out the result. The dump of our filter looks like this:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) jeq      #0xa102030       jt 4    jf 5
(004) ret      #96
(005) ret      #0

If this makes no sense, don’t worry. You just need to know that the first two lines look for the IP ethertype (0x800) starting at byte 12, and the next two lines look for the IP address 10.16.32.48 (0xa102030) starting at byte 26. This is the minimum amount of checking required for that capture filter if you’re running IP over Ethernet.

What happens if you’re using 802.1q?
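The dump above can be run by hand. The following is an added example, not code from the original post or from libpcap: a small Python interpreter for the four instruction types in the dump, run over constructed frames. It relies on the fact that an 802.1Q tag inserts 4 bytes (TPID 0x8100 plus the tag control field) ahead of the ethertype; the MAC addresses, VLAN ID and the helper names `run_filter`, `ipv4_frame` and `shift_loads` are assumptions made for illustration.

```python
import struct

# The compiled filter from the tcpdump -d dump above: (op, operand, jt, jf).
PROGRAM = [
    ("ldh", 12, None, None),       # (000) load halfword at byte 12
    ("jeq", 0x800, 2, 5),          # (001) IPv4 ethertype?
    ("ld", 26, None, None),        # (002) load word at byte 26
    ("jeq", 0x0A102030, 4, 5),     # (003) source address 10.16.32.48?
    ("ret", 96, None, None),       # (004) accept, keep 96 bytes
    ("ret", 0, None, None),        # (005) drop
]

def run_filter(program, frame):
    """Interpret the program; return bytes to capture (0 means drop)."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        if op in ("ldh", "ld"):
            size = 2 if op == "ldh" else 4
            if k + size > len(frame):
                return 0           # a load past the end of the packet rejects it
            acc = int.from_bytes(frame[k:k + size], "big")
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported instruction: " + op)

def ipv4_frame(src_ip, vlan_id=None):
    """Constructed sample: Ethernet header plus a bare 20-byte IPv4 header."""
    macs = bytes.fromhex("020000000002" "020000000001")  # dst, src (made up)
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes([10, 0, 0, 1]))
    return macs + tag + struct.pack("!H", 0x0800) + ip

def shift_loads(program, delta):
    """Move every load offset by delta bytes (illustration, not libpcap output)."""
    return [(op, k + delta if op in ("ldh", "ld") else k, jt, jf)
            for op, k, jt, jf in program]

if __name__ == "__main__":
    plain = ipv4_frame([10, 16, 32, 48])
    tagged = ipv4_frame([10, 16, 32, 48], vlan_id=100)
    print("untagged, original filter:", run_filter(PROGRAM, plain))
    print("802.1Q,   original filter:", run_filter(PROGRAM, tagged))
    print("802.1Q,   offsets + 4:    ", run_filter(shift_loads(PROGRAM, 4), tagged))
```

The tagged frame carries the same source address, but byte 12 now holds 0x8100, so the unmodified filter drops it; moving both loads by 4 bytes matches it again.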

Video: Custom Wireshark Shortcuts

Categories: Video
I made a video that shows you how to create a Windows shortcut that starts capturing immediately. Watch it now!

Using Shame and Embarrassment to Promote IPv6

Categories: Humor
Tags: ipv6 plumbing
In a previous post I proposed the terms “indoor plumbing” for native IPv6 access and “outdoor plumbing” for tunneled IPv6. I think terminology like this is important. It’s short, clear, and implies an easy-to-visualize hierarchy where anything less than native routing involves uncomfortable exposure to the elements and woodland creatures. Which leads us to those poor souls with IPv4-only networks. “Y-you mean to say that you don’t have any modern plumbing at all? (snork) BWAHAHAHAHAHA!” We could use something similar for unsecured wireless connections.