This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Filter for DSCP 46

0

How do I apply a capture filter using version 1.8.0? And what capture filter would I use to capture packets marked with DSCP 46 (EF)?

Thanks

asked 14 Aug '12, 10:26

VoIP Ready
accept rate: 0%


One Answer:

0

You can use the following capture filter:

(ip[1] & 0xfc)>>2 = 46

or if your traffic is vlan tagged:

vlan and ((ip[1] & 0xfc)>>2 = 46)

[OK, I did not test it, but it should work theoretically :-)]

answered 14 Aug '12, 10:45

SYN-bit ♦♦
accept rate: 20%

edited 14 Aug '12, 10:47

Hi

Thanks very much for the reply. It takes the filter and goes green but does not capture any packets. I am sending EF and definitely capture EF without a filter, but when I apply the above filter nothing gets captured. Any further help would be greatly appreciated.

(14 Aug '12, 11:08) VoIP Ready

Hi

This is what ended up working: ip[1] & 0xfc == 0xb8

Thanks :)

(14 Aug '12, 11:25) VoIP Ready

Weird, they should both work:

$ tcpdump -d "(ip[1] & 0xfc)>>2 = 46"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 7
(002) ldb      [15]
(003) and      #0xfc
(004) rsh      #2
(005) jeq      #0x2e            jt 6    jf 7
(006) ret      #65535
(007) ret      #0
$ tcpdump -d "ip[1] & 0xfc = 0xb8"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ldb      [15]
(003) and      #0xfc
(004) jeq      #0xb8            jt 5    jf 6
(005) ret      #65535
(006) ret      #0
$

As the value 0xb8>>2 = 0x2e (46)

(14 Aug '12, 11:33) SYN-bit ♦♦

But I'm glad you got it working for you :-)

(you might want to accept my answer by clicking on the checkmark next to it, so it will not be listed on the "unanswered questions" list anymore)

(14 Aug '12, 11:34) SYN-bit ♦♦
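
Added example, not part of the original thread: a small Python interpreter for the classic-BPF opcodes that appear in the two `tcpdump -d` listings above, run against constructed Ethernet/IPv4 frames. It shows that both compiled filters give the same verdict for every DSCP value, that the `0xfc` mask makes them ignore the two ECN bits, and that a frame carrying an in-line 802.1Q tag fails the ethertype test at offset 12 unless the `vlan and (...)` form is used. The helper names (`run_bpf`, `frame`, `verdicts`) and the sample frames are assumptions made for this illustration.

```python
# Added example: tiny classic-BPF interpreter (only the opcodes used above).
# Programs are transcribed from the tcpdump -d listings; jt/jf are absolute indices.
SHIFT_PROG = [("ldh", 12), ("jeq", 0x800, 2, 7), ("ldb", 15), ("and", 0xfc),
              ("rsh", 2), ("jeq", 0x2e, 6, 7), ("ret", 65535), ("ret", 0)]
MASK_PROG = [("ldh", 12), ("jeq", 0x800, 2, 6), ("ldb", 15), ("and", 0xfc),
             ("jeq", 0xb8, 5, 6), ("ret", 65535), ("ret", 0)]

def run_bpf(prog, pkt):
    """Return the snap length the filter yields (0 means the packet is dropped)."""
    a, pc = 0, 0
    while True:
        op, k, *jump = prog[pc]
        pc += 1
        if op in ("ldh", "ldb"):
            size = 2 if op == "ldh" else 1
            if k + size > len(pkt):      # out-of-bounds load rejects the packet
                return 0
            a = int.from_bytes(pkt[k:k + size], "big")
        elif op == "and":
            a &= k
        elif op == "rsh":
            a >>= k
        elif op == "jeq":
            pc = jump[0] if a == k else jump[1]
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode {op}")

def frame(dscp, ecn=0, vlan_id=None):
    """Constructed Ethernet + IPv4 header; MACs and the rest of the header are zeroed."""
    tag = b"" if vlan_id is None else b"\x81\x00" + vlan_id.to_bytes(2, "big")
    tos = (dscp << 2) | ecn              # DSCP is the top 6 bits, ECN the low 2
    return bytes(12) + tag + b"\x08\x00" + bytes([0x45, tos]) + bytes(18)

def verdicts(pkt):
    """(shift-form accepts?, mask-form accepts?) for one frame."""
    return run_bpf(SHIFT_PROG, pkt) != 0, run_bpf(MASK_PROG, pkt) != 0

if __name__ == "__main__":
    samples = {"EF": frame(46), "EF + ECN bit": frame(46, ecn=1),
               "AF41": frame(34), "EF in VLAN 100": frame(46, vlan_id=100)}
    for name, pkt in samples.items():
        print(f"{name:15} shift={verdicts(pkt)[0]} mask={verdicts(pkt)[1]}")
```
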