This is our old Q&A Site. Please post any new questions and answers at

I have captured thousand of ERSPAN packets which are in the form of IP IP tunnels. I would like to filter the packets which have ttl == 1 on inner IP header. But wireshark filters on the outer header as well. Is there any way to create filter for for the inside header ONLY.



asked 22 Nov '12, 01:57

umairali's gravatar image

accept rate: 0%

I don't think there is a normal IP TTL filter that can be applied selectively on only just one of the IP layers.

But maybe you can work with an offset filter, for example "frame[46] == 1" (if offset 46 is the byte where the TTL of the inner IP layer is found - the offset needs to be written as a decimal value). This approach requires all frames to have the same header length before the IP layer you want to filter on, because otherwise the offset are not always the same.

permanent link

answered 22 Nov '12, 04:32

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

edited 22 Nov '12, 04:33

Thanks Jasper ... I get the point. Probably, I have to add IP to avoid arp, and other non IP packets etc

frame[72] == 1 && ip

(22 Nov '12, 05:38) umairali

[i converted your answer to a comment to make it easier to tell question and answers apart]

yes, adding "ip" is probably a good idea. BTW, if you like my answer you can accept it with the checkmark button on the left :-)

(22 Nov '12, 05:44) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 22 Nov '12, 01:57

question was seen: 5,418 times

last updated: 22 Nov '12, 05:44

p​o​w​e​r​e​d by O​S​Q​A