Background: Some IE may appear more than once in a packet, like "Source IP" in the picture below:

Another example is the host name "dns.resp.name" in the DNS response below (with red underline):

Question: Can we filter such messages with some generic expression like "#(ip.src)>1" or "#(dns.resp.name)>1"? Thanks!

asked 13 Oct '14, 01:47 Weller, edited 13 Oct '14, 02:27
One Answer:
(Just to put an Answer on this question): This isn't possible today. It's something the Wireshark developers have been talking about for a while, although usually in the context of "how can I filter for only the encapsulated IP address (while ignoring the outer IP address)." But if we ever get that working it would likely solve your problem/question too.

answered 20 Oct '14, 03:41 JeffMorriss ♦

Is IE an abbreviation of "Inner Encapsulation" or similar? (20 Oct '14, 03:45) grahamb ♦

To me IE means "Information Element" but I don't know if that was the intended use here. (20 Oct '14, 04:51) JeffMorriss ♦

I have no idea, to me IE means a browser I'm occasionally forced to use due to regressive servers. (20 Oct '14, 05:10) grahamb ♦

Thanks JeffMorriss for the answer and explanations! And yes, "IE" means "Information Element" here (sorry for the confusion). (21 Oct '14, 18:42) Weller

So it seems to be some function possibly in a future implementation. Let me try some workaround for the moment then. Thank you, Jeff! (21 Oct '14, 18:53) Weller
So you're not interested in finding specific IPs, but just packets that have more than one IP layer?
That's right in this example. And the repeating IE could be something else, too, like alternative IPs in one DNS response message. Then is it possible to filter DNS responses with 2 or more IPs from the ones with only 1 IP?
I don't think this is possible - I would try to filter on things like the GPRS tunneling layer, because if that layer is present you'll know there are multiple layers.
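One workaround for the "DNS response with 2 or more IPs" case is to let tshark export the fields and count the occurrences outside the display filter. This is an added example, not code from the thread; it relies on tshark's default behaviour of joining repeated occurrences of a field with "," in `-T fields` output, and the sample lines are constructed to look like that output rather than taken from a real capture.

```shell
#!/bin/sh
# Constructed stand-in for the output of:
#   tshark -r capture.pcap -Y "dns.flags.response == 1" \
#          -T fields -e frame.number -e dns.resp.name -e dns.a
# Columns are tab-separated; a field that occurs several times in one
# frame is emitted once, with the values joined by "," (tshark default).
sample_tshark_output() {
    printf '%s\t%s\t%s\n' 1 example.com      93.184.216.34
    printf '%s\t%s\t%s\n' 2 www.example.net  192.0.2.10,192.0.2.11
    printf '%s\t%s\t%s\n' 3 ns.example.org   ''
    printf '%s\t%s\t%s\n' 4 mail.example.com 198.51.100.5,198.51.100.6,198.51.100.7
}

# Print the frame numbers (column 1) in which the field found in
# column $1 occurs at least $2 times. An empty column means the field
# was absent from that frame, which counts as zero occurrences.
frames_with_repeated_field() {
    col="$1"
    min="$2"
    awk -F'\t' -v col="$col" -v min="$min" '
        {
            n = ($col == "") ? 0 : split($col, parts, ",")
            if (n >= min) print $1
        }'
}

# Frames whose DNS answer section carries two or more A records.
# The same pipeline with "-e ip.src" in the tshark command flags frames
# that carry more than one IP layer, e.g. GTP-encapsulated traffic.
sample_tshark_output | frames_with_repeated_field 3 2
```

Against a real capture, replace `sample_tshark_output` with the tshark command from the comment; the field column index follows the order of the `-e` options.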