This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture based on IP header length using a capture filter?

0

How do I convert this display filter syntax to capture filter syntax?

ip.hdr_len >= 20

asked 02 Oct '13, 05:41

stih
accept rate: 0%

edited 02 Oct '13, 08:50

cmaynard ♦♦


One Answer:

3

The following capture filter should give you what you asked for:

ip[0]&0x0f >= 5

For more information on capture filter syntax, refer to the pcap-filter man page. They even provide the following very similar example:

The expression 'ip[0] & 0xf != 5' catches all IPv4 packets with options.

answered 02 Oct '13, 08:48

cmaynard ♦♦
accept rate: 20%

Thank you for the answer. I have one more question. Please explain what each part means:

ip[0]&0x0f >= 5

(02 Oct '13, 23:54) stih
1

ip[0] is the first (well, zeroth) byte of the IP part of the frame. & means to do a bitwise AND operation, using 0xf (hexadecimal for binary 00001111) as the other operand. So the result of "ip[0] & 0xf" is just the lowest (rightmost) 4 bits. We then return true if the result is greater than or equal to 5. The 4-bit header length field is in units of 4 octets, and 4 x 5 = 20 (which is the length you were comparing against in the display filter string).

(03 Oct '13, 04:50) martyvis

This question is starting to feel more and more like a homework assignment to me, because you obviously haven't read the pcap-filter man page. If you had, you would find your answer rather easily. And you might want to also reference RFC 791 to have a better understanding of the IP header fields.

(04 Oct '13, 08:36) cmaynard ♦♦

Oops, sorry @cmaynard, I already converted his comment to a new question.

(04 Oct '13, 08:42) SYN-bit ♦♦

You made it too easy ;) Oh well.

(04 Oct '13, 08:44) cmaynard ♦♦