This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IP ID Capture Filter

0

I need some help... I'm trying to only capture packets that have the IP ID of 4567. I'm having trouble setting the correct Capture flag. Right now I'm trying to work with IP[4] = 0x11D7. Can I just get some help to put me in the right direction? Thanks guys

asked 07 Mar '17, 09:15

Kickinitlegit's gravatar image

Kickinitlegit
11114
accept rate: 0%

One Answer:

2

Google of "tcpdump filters ip id" found me this.

Basically you need to specify the offset and length of the field, i.e.

ip[4:2] == 0x11d7

answered 07 Mar '17, 09:31

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Yep, that was it, i was forgetting the length... Thank you sir!

(07 Mar '17, 09:58) Kickinitlegit