How to do it...
In this section, we will see some common examples of layer 2/layer 3 filters:
| Address format | Syntax | Example |
|---|---|---|
| Ethernet (MAC) address | eth.addr == xx:xx:xx:xx:xx:xx where x is 0 to f | eth.addr == 00:50:7f:cd:d5:38 |
| | eth.addr == xx-xx-xx-xx-xx-xx where x is 0 to f | eth.addr == 00-50-7f-cd-d5-38 |
| | eth.addr == xxxx.xxxx.xxxx where x is 0 to f | eth.addr == 0050.7fcd.d538 |
| Broadcast MAC address | eth.addr == ffff.ffff.ffff | |
| IPv4 host address | ip.addr == x.x.x.x where x is 0 to 255 | ip.addr == 192.168.1.1 |
| IPv4 network address | ip.addr == x.x.x.x/y where x is 0 to 255, y is 0 to 32 | ip.addr == 192.168.200.0/24 (all addresses in the network 192.168.200.0, mask 255.255.255.0) |
| IPv6 host address | ipv6.addr == x:x:x:x:x:x:x:x or ipv6.addr == x::x:x:x:x, where each x is a group of up to four hex digits (0 to f) | ipv6.addr == fe80::85ab:dc2e:ab12:e6c7 |
| IPv6 network address | ipv6.addr == x::/y where x is 0 to f (hex), y is 0 to 128 | ipv6.addr == fe80::/16 (all addresses that start with the 16 bits fe80) |
The table refers to ip.addr and ipv6.addr filter strings. The value for any field that has an IP address value can be written the same way.
Ethernet filters:
- Display only packets sent from or to specific MAC addresses:
- eth.src == 10:0b:a9:33:64:18
- eth.dst == 10:0b:a9:33:64:18
- Display only broadcasts (field names are case-sensitive, so the field is eth.dst, not Eth.dst):
- eth.dst == ffff.ffff.ffff or eth.dst == ff:ff:ff:ff:ff:ff
ARP filters:
- Display only ARP requests:
- arp.opcode == 1
- Display only ARP responses:
- arp.opcode == 2
IP and ICMP filters:
- Display only packets from specific IP addresses:
- ip.src == 10.1.1.254
- Display only packets that are not from a specific address:
- !ip.src == 64.23.1.1
- Display only packets between two hosts:
- ip.addr == 192.168.1.1 and ip.addr == 200.1.1.1
- Display only packets that are sent to multicast IP addresses:
- ip.dst == 224.0.0.0/4
- Display only packets coming from network 192.168.1.0/24 (mask 255.255.255.0):
- ip.src==192.168.1.0/24
- Display only IPv6 packets to/from specific addresses:
- ipv6.addr == ::1
- ipv6.addr == 2008:0:130F:0:0:09d0:666A:13ab
- ipv6.addr == 2006:0:130f::9c2:876a:130b
- ipv6.addr == ::
Complex filters:
- Packets from network 10.0.0.0/24 to a website that contains the word packt:
- ip.src == 10.0.0.0/24 and http.host contains "packt"
- Packets from network 10.0.0.0/24 to websites that end with .com:
- ip.addr == 10.0.0.0/24 and http.host matches ".com$"
- All broadcasts from source IP address 10.0.0.3:
- ip.src == 10.0.0.3 and eth.dst == ffff.ffff.ffff
- All broadcasts that are not ARP requests:
- not arp and eth.dst == ffff.ffff.ffff
- All packets that are not ICMP and not ARP (note that both negations must be combined with and; !arp || !icmp is true for every packet, because no packet is both ARP and ICMP):
- !arp && !icmp or not arp and not icmp
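To make the address-format rules and the and/or pitfall above concrete, here is an added example (not Wireshark code and not from the original text) that models the semantics of a few of these filters over constructed packet records; the packet dictionaries and helper names are assumptions made for the demonstration.

```python
"""Model of the display-filter semantics shown above, evaluated over
constructed packets. Field keys mirror Wireshark names (eth.dst,
ip.src, arp.opcode, http.host); the records are invented sample data."""
import ipaddress
import re


def norm_mac(mac: str) -> str:
    """Accept the three MAC notations the table lists (xx:xx, xx-xx, xxxx.xxxx)
    and return the canonical colon form so comparisons are notation-independent."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def in_net(addr: str, cidr: str) -> bool:
    """ip.addr == x.x.x.x/y (or ipv6.addr == x::/y): address lies inside the prefix.
    A mismatched IP version simply never matches, as in Wireshark."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


BROADCAST = norm_mac("ffff.ffff.ffff")

# Constructed sample traffic (not taken from a real capture).
PACKETS = [
    {"proto": "arp", "eth.dst": "ff-ff-ff-ff-ff-ff", "arp.opcode": 1},
    {"proto": "icmp", "eth.dst": "10:0b:a9:33:64:18", "ip.src": "10.0.0.3", "ip.dst": "224.0.0.1"},
    {"proto": "http", "eth.dst": "10:0b:a9:33:64:18", "ip.src": "10.0.0.7",
     "ip.dst": "200.1.1.1", "http.host": "www.packtpub.com"},
    {"proto": "tcp", "eth.dst": "ff:ff:ff:ff:ff:ff", "ip.src": "192.168.1.1", "ip.dst": "200.1.1.1"},
]


def count(pred) -> int:
    """Number of sample packets a filter predicate selects."""
    return sum(1 for p in PACKETS if pred(p))


# "not arp and eth.dst == ffff.ffff.ffff": broadcasts that are not ARP requests
not_arp_broadcast = lambda p: p["proto"] != "arp" and norm_mac(p["eth.dst"]) == BROADCAST

# "ip.src == 10.0.0.0/24 and http.host contains \"packt\""
packt_from_lan = lambda p: "ip.src" in p and in_net(p["ip.src"], "10.0.0.0/24") \
    and "packt" in p.get("http.host", "")

# Correct form: !arp && !icmp.  Pitfall: !arp || !icmp matches every packet.
not_arp_and_not_icmp = lambda p: p["proto"] != "arp" and p["proto"] != "icmp"
not_arp_or_not_icmp = lambda p: p["proto"] != "arp" or p["proto"] != "icmp"
```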