I would like to capture all traffic that is marked with DSCP value 184. I am able to do so using the display filter "ip.dsfield==184", but how do I use the equivalent filter as a capture filter?

asked 16 Jul '11, 23:11 chenhsien
One Answer:
The capture filter equivalent of "ip.dsfield==184" would be "ip[1]=184". However, when the dsfield value is 184, the DSCP value is actually 46, as the DSCP field consists of the higher 6 bits of the dsfield; the other two bits are for Explicit Congestion Notification. Your filter "ip.dsfield==184" will only show packets with DSCP value 46 and both ECN bits zero. So you might miss packets that have an ECN bit set. It's better to use the display filter "ip.dsfield.dscp==46", for which the capture filter equivalent is "ip[1]>>2=46".

answered 17 Jul '11, 01:17 SYN-bit ♦♦

Thank you, it works!
Good to hear that it works.
(I changed your "answer" to a "comment", see the FAQ for more info. Also, questions stay on the "unanswered" list until they have been accepted, which is what the "checkmark" button on the left is for.)
(I changed your "answer" to a "comment", see the FAQ for more info) ;)
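The difference between the two capture filters in the answer, as an added example that is not part of the original thread: it builds constructed IPv4 headers for DSCP 46 with each ECN value and applies the same byte tests as "ip[1]=184" and "ip[1]>>2=46". The function names and the sample addresses are illustrative assumptions.

```python
import struct

DSCP_EF = 46  # DSCP value from the answer (DS field 184 when both ECN bits are 0)

def ipv4_header(dsfield, src="192.0.2.1", dst="192.0.2.2"):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    ver_ihl = (4 << 4) | 5
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, dsfield, 20, 0, 0, 64, 17, 0,
                       src_b, dst_b)

def match_dsfield_exact(pkt, value=184):
    """Same test as capture filter 'ip[1]=184': compare the whole DS field byte."""
    return pkt[1] == value

def match_dscp(pkt, dscp=DSCP_EF):
    """Same test as capture filter 'ip[1]>>2=46': drop the two ECN bits first."""
    return (pkt[1] >> 2) == dscp

def split_dsfield(pkt):
    """Return (dscp, ecn) from byte 1 of the IPv4 header."""
    return pkt[1] >> 2, pkt[1] & 0x03

def compare_filters():
    """Run both tests over DSCP 46 with every ECN codepoint, plus one other DSCP."""
    rows = []
    samples = [(DSCP_EF, ecn) for ecn in range(4)] + [(0, 0)]
    for dscp, ecn in samples:
        pkt = ipv4_header((dscp << 2) | ecn)
        rows.append((pkt[1], dscp, ecn,
                     match_dsfield_exact(pkt), match_dscp(pkt)))
    return rows

if __name__ == "__main__":
    for dsfield, dscp, ecn, exact, shifted in compare_filters():
        print(f"dsfield={dsfield:3d} dscp={dscp:2d} ecn={ecn:02b} "
              f"ip[1]=184:{exact!s:5} ip[1]>>2=46:{shifted}")
```

Only the row with both ECN bits zero passes the whole-byte comparison, while all four DSCP 46 rows pass the shifted comparison.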