5/18/2023

Tshark filter

"ip proto 0x67" (the manpages say "ip proto pim" but I've had trouble with that)

"ip proto 2" (the manpages say "ip proto igmp" but I've had trouble with that)

Note: to match the EXP marking of the second label, use " mpls & mpls & ether & 14" on the left hand side of the equality.

Match traffic with an EXP marking (on the first label) of:

Without transport label (after PHP): "mpls 2"

Match traffic with exactly three MPLS labels (e.g.

Match traffic with a first or single label of 12345:

Match traffic with exactly one MPLS label (match S bit of first label):

Match traffic with at least one MPLS label:

Note: to match the second VLAN tag use "vlan & vlan & ether & 224" on the left hand side of the equality.

Match traffic where the first VLAN tag has an 802.1p marking of:

Match traffic with an SVLAN of 100 and any CVLAN:

Match any traffic with at least one VLAN tag:

Match Cisco CDP / VTP / DTP / PAgP / UDLD:

"ether dst 01:80:c2:00:00:00" (manpages say "ether proto stp" but I've had trouble with that)

Note: if you want to strip off VLAN, MPLS, PPPoE or GRE headers from an existing pcap file, please see this post: Removing VLAN/MPLS/PPPoE/GRE Encapsulation

Please comment if there is something you think I have missed or would like added.

The filters are broadly grouped by purpose and I will try to add more as I think of them.

These are capture filters, not display filters, and are equally applicable to Wireshark, tshark and tcpdump, since they all use the same pcap filter syntax.

In Wireshark the capture filter options are now hidden away and you have to double-click on the interface under capture options to set or adjust the filter string.

Since most of the hits on this blog seem to come from tshark filter related searches, and since I spend a good part of my day either running or analysing packet captures, I thought it might be useful to create a series of "tshark one-liners" in homage to the brilliant "sed one-liners" collection compiled by Eric Pement.
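
The notes above give 14 and 224 as the masks for the MPLS EXP bits and the 802.1p bits. The following Python sketch is an added example, not code from the original post: it decodes a constructed double-tagged MPLS frame to show that 224 (0xe0) selects the priority bits in the first byte of a VLAN tag's TCI and 14 (0x0e) selects the EXP bits in the third byte of a label stack entry. All function names and the sample frame are made up for illustration.

```python
import struct

PCP_MASK = 0xE0  # 224: top 3 bits of the first TCI byte carry the 802.1p priority
EXP_MASK = 0x0E  # 14: bits 3..1 of the third label byte carry EXP (traffic class)
S_MASK = 0x01    # bottom-of-stack flag, lowest bit of the third label byte

def parse_vlan_tags(frame):
    """Return ([(pcp, vid), ...], ethertype, payload_offset) for an Ethernet frame."""
    tags, off = [], 12                       # skip destination and source MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in (0x8100, 0x88A8):         # 802.1Q / 802.1ad tag present
        tci_hi, tci_lo = frame[off + 2], frame[off + 3]
        tags.append(((tci_hi & PCP_MASK) >> 5, ((tci_hi & 0x0F) << 8) | tci_lo))
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return tags, etype, off + 2

def parse_mpls_stack(frame, off):
    """Return [(label, exp, s), ...], stopping at the entry with the S bit set."""
    stack = []
    while off + 4 <= len(frame):
        b0, b1, b2, _ttl = frame[off:off + 4]
        label = (b0 << 12) | (b1 << 4) | (b2 >> 4)
        s = b2 & S_MASK
        stack.append((label, (b2 & EXP_MASK) >> 1, s))
        off += 4
        if s:
            break
    return stack

# Hypothetical helpers used only to build the sample frame below.
def vlan_tag(tpid, pcp, vid):
    return struct.pack("!HH", tpid, (pcp << 13) | vid)

def mpls_entry(label, exp, s, ttl=64):
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)

# Constructed sample: SVLAN 100 (priority 5), CVLAN 200, labels 12345 (EXP 3) and 16.
SAMPLE = (bytes(12)
          + vlan_tag(0x88A8, 5, 100) + vlan_tag(0x8100, 0, 200)
          + struct.pack("!H", 0x8847)
          + mpls_entry(12345, 3, 0) + mpls_entry(16, 0, 1)
          + b"\x45" + bytes(19))

if __name__ == "__main__":
    tags, etype, off = parse_vlan_tags(SAMPLE)
    print(tags, hex(etype), parse_mpls_stack(SAMPLE, off))
```

Because the masked value is not shifted in a filter expression, the number on the right-hand side of the equality is the marking shifted into place: priority 5 compares as 160 under mask 224, and EXP 3 compares as 6 under mask 14.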