This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filtering by ip.id


I want to build a filter which filters duplicated frames in a capture. I want to filter by ip.identification number. For example, if I have 5 frames with ip.id = 1000, I would like that after applying the filter only 1 frame will stay. Thank you.

asked 24 Jan '11, 07:11


Dima

edited 24 Jan '11, 07:14


One Answer:


If you want to filter (delete) duplicate frames, the ip.id is not sufficient as the same ip.id can be used for different IP addresses without being a duplicate.

You can use editcap to delete duplicate packets (from "editcap -h"):

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

Hope this helps, Cheers,

Sake

PS Editcap is a command line tool and part of the Wireshark "suite"

answered 24 Jan '11, 07:30


SYN-bit ♦♦

edited 24 Jan '11, 07:31

Thank you very much, it did help me. What a pity that I can't use this while live capturing, but it's enough for now.

Thanks again.

(26 Jan '11, 04:25) Dima

At capture time you want to make sure the mirroring configuration just gives you each packet once. You did not mention how you capture the packets, but the most likely source for duplicates is when you capture traffic on a vlan in both directions (as each frame enters the vlan and also leaves the vlan).

If that's the case, limit the capture to RX-only so that you capture only traffic that enters the vlan.

(26 Jan '11, 06:12) SYN-bit ♦♦

What is the filter to find duplicate "ip id" in this case?

(27 Jan '14, 02:43) gamermic

There isn't one.

Packet filters act only on fields within a single packet; there is, unfortunately, no way to say, for example, "match packets where the value of this field is equal to the value of that field in some previous packet".

That's also true of capture filters. While we might be able to support packet filters that can match fields in previous packets, by adding new syntax and new code for that, the way capture filters work inherently makes them stateless (the BPF engine does not keep state between packets), so neither we nor the libpcap/WinPcap developers can make it filter out duplicate IP IDs.

(And, of course, just because two packets from one IP address to another have the same IP ID, that doesn't mean they're duplicates, and, as Sake noted, that's even more true if the packets didn't all go from host A to host B.)

(27 Jan '14, 14:51) Guy Harris ♦♦
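The two points made in this thread (Sake's, that ip.id alone is not a safe duplicate key, and Guy's, that de-duplication needs state across packets and therefore has to happen after capture, as editcap does) can be shown side by side on a small constructed capture. The script below is an added example, not code from the thread or from Wireshark. It builds a handful of Ethernet/IPv4 frames inline (the IP checksums are left at zero, which is fine for this purpose), then runs two de-duplicators over them: a naive one keyed on ip.id only, and one that mimics what editcap's -d/-D does by comparing a hash of each frame against the previous N frames. The window semantics (compare against the last N kept frames) are my approximation of editcap's behaviour, not a reading of its source.

```python
import hashlib
import socket
import struct
from collections import deque

ETH_IPV4 = b"\x08\x00"
ETH_ARP = b"\x08\x06"


def build_frame(src, dst, ip_id, payload, proto=17):
    """Build a minimal Ethernet + IPv4 frame (constructed test data, checksum left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETH_IPV4
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return eth + ip_hdr + payload


def ipv4_fields(frame):
    """Return (src, dst, ip.id) for an Ethernet/IPv4 frame, or None for non-IPv4."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ip_id = struct.unpack("!H", frame[18:20])[0]
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), ip_id


# Constructed capture: a mirrored flow (A seen three times), an unrelated flow
# that happens to reuse ip.id 1000, a second packet of the first flow, and an ARP frame.
A = build_frame("10.0.0.1", "10.0.0.2", 1000, b"hello")
B = build_frame("192.168.1.5", "192.168.1.9", 1000, b"unrelated")
C = build_frame("10.0.0.1", "10.0.0.2", 1001, b"next")
ARP = b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + ETH_ARP + b"\x00" * 28
SAMPLE_FRAMES = [A, A, B, C, A, ARP]


def dedupe_by_ip_id(frames):
    """The filter the question asks for: keep the first frame seen per ip.id.
    Wrong in general, because unrelated hosts reuse the same ip.id (frame B is lost)."""
    seen, kept = set(), []
    for frame in frames:
        fields = ipv4_fields(frame)
        if fields is not None:
            if fields[2] in seen:
                continue
            seen.add(fields[2])
        kept.append(frame)
    return kept


def dedupe_editcap_style(frames, window=5):
    """Mimic editcap -d / -D <window>: drop a frame whose MD5 matches one of the
    previous `window` kept frames. Stateful, so it cannot be a display/capture filter."""
    recent = deque(maxlen=window)
    kept = []
    for frame in frames:
        digest = hashlib.md5(frame).digest()
        if digest in recent:
            continue
        recent.append(digest)
        kept.append(frame)
    return kept


def ip_ids_shared_across_flows(frames):
    """ip.id values that appear on more than one (src, dst) pair, i.e. the
    collisions that make ip.id an unsafe duplicate key."""
    flows_by_id = {}
    for frame in frames:
        fields = ipv4_fields(frame)
        if fields is not None:
            src, dst, ip_id = fields
            flows_by_id.setdefault(ip_id, set()).add((src, dst))
    return sorted(i for i, flows in flows_by_id.items() if len(flows) > 1)


if __name__ == "__main__":
    print("frames in capture:      ", len(SAMPLE_FRAMES))
    print("kept, ip.id only:       ", len(dedupe_by_ip_id(SAMPLE_FRAMES)))
    print("kept, editcap-style -d: ", len(dedupe_editcap_style(SAMPLE_FRAMES)))
    print("ip.id reused by flows:  ", ip_ids_shared_across_flows(SAMPLE_FRAMES))
```

On this input the ip.id-only approach keeps 3 frames and silently discards the unrelated 192.168.1.5 packet, while the hash-based window keeps 4, dropping exactly the two mirrored copies of A. For real captures the equivalent is `editcap -d in.pcap out.pcap` (or `-D <window>` / `-w <seconds>` as in the help text quoted above); it also applies the same caveat Sake gives: a hash match is a byte-identical copy, which is what a mirror-port duplicate is, and nothing else.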