
Wireshark Display Filter: ethertype


What's the purpose of the 'ethertype' display filter? It's not listed on the Display Filter Reference Page, but Wireshark allows you to type in this keyword during a capture session.

Display filter 'eth.type == 0x0800' will filter IP traffic and I'd think 'ethertype == 0x0800' does the same thing (i.e., filter traffic by Ethertype field value), but no traffic is displayed.

As a side note, I realize Wireshark won't dissect Ethernet_II traffic without protocol "Ethertype" enabled.

asked 29 Dec '15, 16:55


Ryan Moss


One Answer:


Under the hood there are several kinds of display filters you can use, among them protocol fields and protocols. You have listed two of them:

  • eth.type : protocol field
  • ethertype : protocol

Both protocol fields and protocols can be used in display filter expressions:

  • eth.type == 0x0800 : field value equals 0x0800
  • ethertype : the ethertype protocol is present.

So, using 'ethertype', or any other protocol name for that matter, in a display filter basically asserts that the protocol is present in the dissected frame.

But it also has a value. The bytes making up the protocol are the value. So to make equivalent expressions one could write:

  • eth.type == 0x0800 : field value equals 0x0800
  • ethertype[12:2] == 08:00 : bytes 12 and 13 are 0x08 and 0x00 respectively

and even:

  • eth[12:2] == 08:00

But if there is 'eth', what is this 'ethertype' for then? Basically it's a pseudo protocol. It is needed to fan out from the wiretap library reading in frames and to use it for 'decode as'.

Oh, you can't disable it, otherwise frames wouldn't get far as far as dissection is concerned.

answered 30 Dec '15, 01:29


Jaap ♦
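To make the distinction the answer draws concrete (a field term such as eth.type, a byte-slice term such as eth[12:2], and a bare protocol name as a presence test), here is a small evaluator for that subset of the display filter grammar, run over two constructed Ethernet II frames. This is an added illustration, not Wireshark code; it models the semantics the answer describes, assuming both eth and ethertype slices are taken from offset 0 of the frame.

```python
import re
import struct

# Constructed sample frames: 14-byte Ethernet II headers plus a couple of payload bytes.
FRAMES = {
    "ipv4": bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45\x00",
    "arp":  bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + b"\x00\x01",
}

# Protocol names whose byte slices start at frame offset 0 (assumption taken from the answer).
PROTOCOLS = {"eth", "ethertype"}
SLICE = re.compile(r"^(\w+)\[(\d+):(\d+)\]$")


def eth_field(frame, name):
    """Field lookup: the equivalent of a field term such as eth.type."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"eth.dst": dst, "eth.src": src, "eth.type": etype}[name]


def parse_value(text):
    """Right-hand side: 0x-prefixed hex is an integer, colon-separated hex is bytes."""
    text = text.strip()
    if text.startswith("0x"):
        return int(text, 16)
    if ":" in text:
        return bytes.fromhex(text.replace(":", ""))
    return int(text)


def evaluate(frame, expr):
    """Evaluate one filter term against a raw frame and return True/False."""
    expr = expr.strip()
    if "==" not in expr:
        # A bare protocol name asserts the protocol is present: here, a full Ethernet header.
        return expr in PROTOCOLS and len(frame) >= 14
    lhs, rhs = (s.strip() for s in expr.split("==", 1))
    value = parse_value(rhs)
    match = SLICE.match(lhs)
    if match:
        # proto[offset:length]: compare the raw bytes of the protocol, as in eth[12:2] == 08:00.
        proto, offset, length = match.group(1), int(match.group(2)), int(match.group(3))
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
        return frame[offset:offset + length] == value
    # Otherwise a named field: compare the decoded value, as in eth.type == 0x0800.
    return eth_field(frame, lhs) == value
```

Running evaluate(FRAMES["ipv4"], "eth.type == 0x0800") and evaluate(FRAMES["ipv4"], "eth[12:2] == 08:00") both return True, which is the equivalence the answer states.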

Thanks for the explanation. Unfortunately, the display filter 'ethertype[12:2]' doesn't filter on the Ethertype field value. I've tried it with several protocols and nothing's returned. Why wouldn't the 'ethertype' protocol display filter by itself return anything either?

(30 Dec '15, 07:11) Ryan Moss

I'll have to test it myself on a recent Wireshark. What version do you use?

(30 Dec '15, 10:37) Jaap ♦

Version 2.0.0 (v2.0.0-0-g9a73b82 from master-2.0) running on Mac OS X 10.11.2, build 15C50 (Darwin 15.2.0), with locale C, with libpcap version 1.5.3 - Apple version 54, with libz 1.2.5, with GnuTLS 2.12.19, with Gcrypt 1.5.0... AND

Version 1.12.8 (v1.12.8-0-g5b6e543 from master-1.12) running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap.

Actually, I just updated the version running on Windows 7 to Version 2.0.1 (v2.0.1-0-g59ea380 from master-2.0).

(30 Dec '15, 11:41) Ryan Moss