Capture Filters and Offsets
A couple of questions have come up on the wireshark-users mailing list recently about using capture filters for MPLS and VLANs. Each user was having the same problem yet these are different network technologies — what do they have to do with each other?
The answer is offsets.
Let’s take an up-close and personal look at the capture filter “ip src host 10.16.32.48”. We can do this by running tcpdump -d, which takes a filter, compiles it, and dumps out the result. The dump of our filter looks like this:
(000) ldh [12] (001) jeq #0x800 jt 2 jf 5 (002) ld [26] (003) jeq #0xa102030 jt 4 jf 5 (004) ret #96 (005) ret #0
If this makes no sense don’t worry. You just need to know that the first two lines look for the IP ethertype (0x800) starting at byte 12 and the next two lines look for the IP address 10.16.32.48 (0xa102030) starting at byte 26. This is the minimum amount of checking required for that capture filter if you’re running IP over Ethernet.
What happens if you’re using 802.1q?