Capture Filter for DSCP 46

Question

How do I apply a capture filter using version 1.8.0 And what capture filter would I use to capture packets marked with DSCP 46 (EF)

Thanks

Answer 1

0

You can use the following capture filter:

(ip[1] & 0xfc)>>2 = 46

or if your traffic is vlan tagged:

vlan and ((ip[1] & 0xfc)>>2 = 46)

[OK, I did not test it, but it should work theoretically :-)]

answered 14 Aug '12, 10:45

SYN-bit ♦♦
17.1k●9●57●245
accept rate: 20%

edited 14 Aug '12, 10:47

Hi

Thanks very much for the reply. It takes the filter and goes green but does not capture any packets. I am sending EF and definitley capture EF with out a filter but when I spply the above filter noting gets captured. Any further help would be greatly appreciated.

(14 Aug '12, 11:08) VoIP Ready

Hi

This is what ended up working ip[1] & 0xfc == 0xb8

Thanks :)

(14 Aug '12, 11:25) VoIP Ready

Weird, they should both work:

$ tcpdump -d "(ip[1] & 0xfc)>>2 = 46"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 7
(002) ldb      [15]
(003) and      #0xfc
(004) rsh      #2
(005) jeq      #0x2e            jt 6    jf 7
(006) ret      #65535
(007) ret      #0
$ tcpdump -d "ip[1] & 0xfc = 0xb8"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ldb      [15]
(003) and      #0xfc
(004) jeq      #0xb8            jt 5    jf 6
(005) ret      #65535
(006) ret      #0
$

As the value 0xb8>>2 = 0x2e (46)

(14 Aug '12, 11:33) SYN-bit ♦♦

But I'm glad you got it working for you :-)

(you might want to accept my answer by clicking on the checkmark next to it, so it will not be listed on the "unanswered questions" list anymore)

(14 Aug '12, 11:34) SYN-bit ♦♦