What's the purpose of the 'ethertype' display filter? It's not listed on the Display Filter Reference Page, but Wireshark allows you to type in this keyword during a capture session. Display filter 'eth.type == 0x0800' will filter IP traffic and I'd think 'ethertype == 0x0800' does the same thing (i.e., filter traffic by Ethertype field value), but no traffic is displayed. As a side note, I realize Wireshark won't dissect Ethernet_II traffic without protocol "Ethertype" enabled.

asked 29 Dec '15, 16:55 Ryan Moss
One Answer:
Under the hood there are several kinds of display filters you can use, among them protocol fields and protocols. You have listed two of them:
Both protocol fields and protocols can be used in display filter expressions:
So, using 'ethertype', or any other protocol name for that matter, in a display filter basically asserts that the protocol is present in the dissected frame. But it also has a value. The bytes making up the protocol are the value. So to make equivalent expressions one could write:
and even:
But if there is 'eth', what is this 'ethertype' for then? Basically it's a pseudo protocol. It is needed to fan out from the wiretap library reading in frames and to use it for 'decode as'. Oh, you can't disable it, otherwise frames wouldn't get far as far as dissection is concerned.

answered 30 Dec '15, 01:29 Jaap ♦
Thanks for the explanation. Unfortunately, the display filter 'ethertype[12:2]' doesn't filter on the Ethertype field value. I've tried it with several protocols and nothing's returned. Why would the 'ethertype' protocol display filter by itself not return anything either?
I'll have to test it myself on a recent Wireshark. What version do you use?
Version 2.0.0 (v2.0.0-0-g9a73b82 from master-2.0) running on Mac OS X 10.11.2, build 15C50 (Darwin 15.2.0), with locale C, with libpcap version 1.5.3 - Apple version 54, with libz 1.2.5, with GnuTLS 2.12.19, with Gcrypt 1.5.0... AND
Version 1.12.8 (v1.12.8-0-g5b6e543 from master-1.12) running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap.
Actually, I just updated the version running on Windows 7 to Version 2.0.1 (v2.0.1-0-g59ea380 from master-2.0).
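As an added illustration of the distinction Jaap's answer draws between a protocol field ('eth.type'), a protocol's presence, and a byte slice of the protocol ('eth[12:2]'), here is a small Python parser for Ethernet II frames. It is example code written for this page, not code from the Wireshark project or from the answer above; the sample frames are constructed, and the 0x0600 cut-off used to separate an 802.3 length field from an EtherType is a simplification of the IEEE rule.

```python
# Added example (not from the Q&A or from Wireshark): what the display filters
# discussed above actually compare. 'eth.type == X' compares the decoded 16-bit
# field at frame offset 12; 'eth[12:2] == xx:yy' compares the raw bytes at that
# offset; a bare protocol name only asserts that the protocol is present.
import struct

# Well-known EtherType values (IANA-assigned).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Simplified 802.3 rule: values below 0x0600 are length fields, not EtherTypes.
ETHERTYPE_MIN = 0x0600


def parse_eth(frame: bytes) -> dict:
    """Decode dst, src, EtherType and payload of an Ethernet II frame.

    Raises ValueError for a truncated header or for an 802.3 length field,
    which is how a dissector refuses to expose 'eth.type' for such frames.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype < ETHERTYPE_MIN:
        raise ValueError("802.3 length field, not an Ethernet II EtherType")
    return {"dst": dst, "src": src, "type": etype, "payload": frame[14:]}


def field_filter(frame: bytes, wanted: int) -> bool:
    """Equivalent of the display filter 'eth.type == <wanted>'.

    Only matches when the field exists in the dissected frame; a frame that
    did not dissect as Ethernet II has no 'eth.type' and never matches.
    """
    try:
        return parse_eth(frame)["type"] == wanted
    except ValueError:
        return False


def slice_filter(frame: bytes, offset: int, length: int, wanted: bytes) -> bool:
    """Equivalent of 'eth[offset:length] == <wanted>': a comparison against the
    raw bytes making up the protocol, with no interpretation of the field."""
    return frame[offset:offset + length] == wanted


def make_frame(etype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed sample frame with fixed (made-up) MAC addresses."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", etype) + payload


# Constructed sample capture: three IPv4/ARP/IPv6 frames and one 802.3 frame
# whose 16-bit field is a length (0x0050 = 80 bytes), not an EtherType.
SAMPLE_FRAMES = [
    make_frame(0x0800),
    make_frame(0x0806),
    make_frame(0x86DD),
    make_frame(0x0800),
    make_frame(0x0050),
]


def count_by_type(frames) -> dict:
    """Tally frames by EtherType name, skipping anything that is not Ethernet II."""
    counts = {}
    for frame in frames:
        try:
            etype = parse_eth(frame)["type"]
        except ValueError:
            continue
        name = ETHERTYPES.get(etype, f"0x{etype:04x}")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_type(SAMPLE_FRAMES))
    # The 802.3 frame shows the difference between the two filter kinds:
    # the raw-byte slice matches, the decoded field does not exist.
    print(slice_filter(SAMPLE_FRAMES[4], 12, 2, b"\x00\x50"))
    print(field_filter(SAMPLE_FRAMES[4], 0x0050))
```

The last frame is the instructive one: a byte-slice filter matches the two bytes at offset 12 regardless of meaning, while a field filter only matches once the dissector has decided those bytes are an EtherType, which is why filtering on a field and slicing a protocol's bytes are not interchangeable.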