What is the capture filter equivalent of the display filter “ip.frag_offset != 0”

Question

thank you . i have one more question. ip.frag_offset != 0(Display filter) Converted to Capture filter syntax is ip[7]&0xf != 0 ? i want to know right syntax.

Accepted Answer

(I converted the new question in your comment to a new question)

You need to look at the IP RFC to find detailed information about the header structure of an IP packet:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

As you can see, the IP fragement offset is formed by the least significant 5 bits of the 6th octet and the full 7th octet (when counting from 0) of the IP header.

So you will to get those bytes with "ip[6:2]", then mask the right bits with "ip[6:2] & 0x1fff" and then compare to a value. In your case:

ip[6:2] & 0x1fff != 0

Answer 2

As I directed you before from your earlier question, read the pcap-filter man page and reference RFC 791 to understand the IP header fields better.