Getting ready
In layer 2, we will configure Ethernet-based filters, while in layer 3 we will configure IP filters. For Ethernet, we have filters based on the Ethernet frame and MAC address, while for IP we have filters based on the IP packet and addresses.
Common frame delta filters include the following:
- frame.time_delta: For the time delta between the current and previous captured frame (will be used in statistical graphs, in Chapter 6, Using Advanced Statistics Tools)
- frame.time_delta_displayed: For the time delta between the current and previous displayed frame (will be used in statistical graphs, in Chapter 6, Using Advanced Statistics Tools)
Since the time between frames can influence TCP performance significantly, we will use the frame.time_delta parameters in statistical graphs for monitoring TCP performance.
Common layer 2 (Ethernet) filters include the following:
- eth.addr == <MAC Address> for displaying frames with a specific MAC address as either source or destination
- eth.dst == <MAC Address> or eth.src == <MAC Address> for destination or source MAC addresses
- eth.type == <Protocol Type (hex)> for Ethernet protocol types
Common ARP filters include the following:
- arp.opcode == <value> for ARP requests/responses
- arp.src.hw_mac == <MAC Address> for ARP sender
Common layer 3 (IP) filters include the following:
- ip.addr == <IP Address> for source or destination IP address
- ip.dst == <IP Address> or ip.src == <IP Address> for destination or source IP addresses
- ip.ttl == <value> or ip.ttl < <value> or ip.ttl > <value> for IP Time-to-Live (TTL) values
- ip.len == <value> or ip.len > <value> or ip.len < <value> for IP packet length values
- ip.version == <4/6> for IP protocol version (version 4 or version 6)
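To show which header bytes each of the filter fields above reads, here is an added example (not code from the book or from Wireshark) that decodes two constructed frames into those field names. The helper names, the MAC and IP addresses, and the capture timestamps are assumptions made for the illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(frame):
    """Map one Ethernet II frame to the display-filter fields listed above."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f = {"eth.dst": mac(dst), "eth.src": mac(src), "eth.type": etype}
    p = frame[14:]
    if etype == 0x0806:                      # ARP
        f["arp.opcode"] = struct.unpack("!H", p[6:8])[0]
        f["arp.src.hw_mac"] = mac(p[8:14])
    elif etype == 0x0800:                    # IPv4
        f["ip.version"] = p[0] >> 4
        f["ip.len"] = struct.unpack("!H", p[2:4])[0]
        f["ip.ttl"] = p[8]
        f["ip.src"] = ".".join(map(str, p[12:16]))
        f["ip.dst"] = ".".join(map(str, p[16:20]))
    return f

def addr_matches(f, layer, value):
    """eth.addr / ip.addr: true when the source OR the destination equals value."""
    return value in (f.get(layer + ".src"), f.get(layer + ".dst"))

def time_deltas(timestamps):
    """frame.time_delta: seconds since the previous captured frame (0 for the first)."""
    return [0.0] + [round(b - a, 6) for a, b in zip(timestamps, timestamps[1:])]

# Constructed sample capture (made-up MACs, documentation-range IPs).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
ARP_REQ = (b"\xff" * 6 + HOST_A + struct.pack("!H", 0x0806)
           + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                         HOST_A, IP_A, bytes(6), IP_B))
IP_PKT = (HOST_B + HOST_A + struct.pack("!H", 0x0800)
          + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, IP_A, IP_B))
CAPTURE = [(0.000, ARP_REQ), (0.250, IP_PKT)]   # (capture time in seconds, frame)

if __name__ == "__main__":
    deltas = time_deltas([t for t, _ in CAPTURE])
    for (_, frame), delta in zip(CAPTURE, deltas):
        print(f"frame.time_delta={delta}", decode(frame))
```

The ARP frame carries no ip.* fields at all, which is why an ip.addr filter does not match it even though the ARP payload contains IP addresses.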