Wireshark-users: Re: [Wireshark-users] Betr: custom columns?
From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Tue, 12 Aug 2008 23:56:38 +0200
Wow! 26 bytes of payload in 120 bytes on the wire (78%).

For now, if header sizes do not change, you can use stuff like:
frame[offset_of_src_addr_number_N:6] == 00:12:1e:9b:85:fe

It's already there, it works!



As per my concept it would work this way (in your case it would not be that helpful):

ETH|IP|GRE|MPLS|ETH|MPLS|ETH|IP|XXX

eth.src would be all

eth.src/mpls would be the following two

ip.src/mpls would be that of the transported packet
ip.src/eth would be both
ip.src/frame would be the first one only


something like an {n} operator to reduce the match to the nth instance
would be needed to pin-point the specific ones.


On Tue, Aug 12, 2008 at 11:37 PM, Marlon Duksa <mduksa@xxxxxxxxx> wrote:
> Luis - how would this work in this packet:
>
> No.     Time        Source                Destination           mpls1
>   15256 30.489742   11.0.0.4              5.5.5.5               800012
>
> Frame 15256 (120 bytes on wire, 120 bytes captured)
> Ethernet II, Src: TimetraN_0d:45:6c (00:03:fa:0d:45:6c), Dst:
> LinksysG_80:7e:ba (00:04:5a:80:7e:ba)
> Internet Protocol, Src: 100.100.100.100 (100.100.100.100), Dst: 7.7.7.7
> (7.7.7.7)
> Generic Routing Encapsulation (MPLS label switched packet)
> MultiProtocol Label Switching Header, Label: 2051, Exp: 0, S: 1, TTL: 255
> Ethernet II, Src: JuniperN_9b:85:fe (00:12:1e:9b:85:fe), Dst:
> JuniperN_9b:89:f9 (00:12:1e:9b:89:f9)
> MultiProtocol Label Switching Header, Label: 800012, Exp: 0, S: 1, TTL: 255
> Ethernet II, Src: Xerox_00:00:03 (00:00:07:00:00:03), Dst: Xerox_00:00:03
> (00:00:03:00:00:03)
> Internet Protocol, Src: 11.0.0.4 (11.0.0.4), Dst: 5.5.5.5 (5.5.5.5)
> Data (26 bytes)
>
>
> Let's say I want custom columns for the three fields in red.
> Thanks,
> kris
>
>
> On Tue, Aug 12, 2008 at 2:14 PM, Luis EG Ontanon <luis@xxxxxxxxxxx> wrote:
>>
>> I've been thinking for a long time about implementing the "/" (over) operator:
>>
>> "y/x" meaning "y when preceded by x in the frame".
>>
>> E.G:
>>
>> Take a frame made of ETH|IP|UDP|TunProt|IP|ICMP|UDP
>>
>> "ip/tunprot" would read "ip over tunprot" and would be equivalent to
>> "ip" if only the last ip header was there so that "ip.src/tunprot"
>> would be just that one "ip.src" not any of those in the tree.
>>
>> "udp.port/icmp" (or "udp.port/tunprot") is that of the udp header
>> after icmp (and tunprot), not the one before.
>>
>> "udp.port/ip" would be redundant (i.e. as it works now).
>>
>>
>> Any comments?
>>
>>
>> On Tue, Aug 12, 2008 at 8:34 PM, Marlon Duksa <mduksa@xxxxxxxxx> wrote:
>> > ok Thanks.
>> > Just a suggestion if the development community reads this at all.
>> > It would be very useful (at least to me) to have this functionality in
>> > the form of a filter where you can specify the instance as well:
>> >
>> > For example:
>> > header.field.inst   or
>> > eth.src.x - where 'x' would be the instance number of the Ethernet
>> > header in the frame.
>> > Thanks again.
>> > Marlon
>> >
>> > On Tue, Aug 12, 2008 at 11:04 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> >>
>> >> On Aug 12, 2008, at 9:46 AM, Marlon Duksa wrote:
>> >>
>> >> > Hi Joan - this is good and it solves my problem partially. It looks
>> >> > like if I do it this way, and if I have repeating headers in my
>> >> > frames, the filter will always pick up the last one (the
>> >> > deepest header in the frame). Do you know if I can specify which
>> >> > header I want to filter on?
>> >>
>> >> No, you can't, unfortunately.
>> >> _______________________________________________
>> >> Wireshark-users mailing list
>> >> Wireshark-users@xxxxxxxxxxxxx
>> >> https://wireshark.org/mailman/listinfo/wireshark-users
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> This information is top security. When you have read it, destroy yourself.
>> -- Marshall McLuhan
>
>
>
>



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
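The workaround Luis gives above (match the Nth header by byte offset with `frame[offset:len] == ...`) only works if you know the offsets, and they depend on every header in front of the one you want. The following is an added worked example, not code from the thread or from Wireshark: it rebuilds Marlon's 120-byte frame from the dump (ETH|IP|GRE|MPLS|ETH|MPLS|ETH|IP|data), walks the encapsulation chain the way a dissector does, and emits the slice filter for the Nth instance of a field. It also implements the proposed "y/x" operator under one reading of the proposal (instances of y that have an x header somewhere before them), which reproduces the three MPLS/ETH/IP cases listed above. Assumptions, all of which are consistent with the 120-byte total (14+20+4+4+14+4+14+20+26): the GRE header carries no C/K/S optional fields, neither IP header has options, the inner IP protocol number (253) and the zero-filled 26-byte payload are made up, and the decision of what follows the bottom MPLS label is a first-nibble guess because MPLS carries no next-protocol field. For completeness: Wireshark 4.0 and later ship a layer operator (`ip.src#2`) that addresses exactly this thread; the byte-slice approach below is what was available in 2008 and still works.

```python
"""Offsets of repeated headers in an encapsulated frame and the frame[off:len]
display filter that pins down the Nth one.  Added example, not from the thread."""
import struct


# ---- constructed frame matching the dump in the thread ---------------------------
def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def eth_hdr(src, dst, ethertype):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)


def ipv4_hdr(src, dst, proto, payload_len):
    # version/IHL 0x45 (no options), TTL 255, checksum left zero (irrelevant for offsets)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, ip4(src), ip4(dst))


def gre_hdr(proto):
    return struct.pack("!HH", 0, proto)  # no C/K/S flags: minimal 4-byte GRE header


def mpls_hdr(label, exp, s, ttl):
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def build_frame():
    # built inside out; protocol 253 and the zero payload are constructed, not from the dump
    pkt = eth_hdr("00:00:07:00:00:03", "00:00:03:00:00:03", 0x0800) \
        + ipv4_hdr("11.0.0.4", "5.5.5.5", 253, 26) + bytes(26)
    pkt = mpls_hdr(800012, 0, 1, 255) + pkt
    pkt = eth_hdr("00:12:1e:9b:85:fe", "00:12:1e:9b:89:f9", 0x8847) + pkt
    pkt = mpls_hdr(2051, 0, 1, 255) + pkt
    pkt = gre_hdr(0x8847) + pkt
    pkt = ipv4_hdr("100.100.100.100", "7.7.7.7", 47, len(pkt)) + pkt
    return eth_hdr("00:03:fa:0d:45:6c", "00:04:5a:80:7e:ba", 0x0800) + pkt


# ---- walk the encapsulation chain ------------------------------------------------
ETHERTYPE_NEXT = {0x0800: "ip", 0x8847: "mpls"}


def walk(frame):
    """Return [(layer, offset, header_len)] in frame order, one entry per header instance."""
    layers, off, nxt = [], 0, "eth"
    while nxt and off < len(frame):
        if nxt == "eth":
            ethertype = struct.unpack_from("!H", frame, off + 12)[0]
            layers.append(("eth", off, 14)); off += 14
            nxt = ETHERTYPE_NEXT.get(ethertype)
        elif nxt == "ip":
            ihl = (frame[off] & 0x0F) * 4          # honour IP options if present
            proto = frame[off + 9]
            layers.append(("ip", off, ihl)); off += ihl
            nxt = {47: "gre"}.get(proto)           # anything else: undecoded "Data"
        elif nxt == "gre":
            flags, ptype = struct.unpack_from("!HH", frame, off)
            # C (0x8000) adds checksum+reserved1, K (0x2000) key, S (0x1000) sequence number
            hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            layers.append(("gre", off, hlen)); off += hlen
            nxt = ETHERTYPE_NEXT.get(ptype)
        elif nxt == "mpls":
            while True:                            # one entry per label, stop at bottom of stack
                word = struct.unpack_from("!I", frame, off)[0]
                layers.append(("mpls", off, 4)); off += 4
                if word & 0x100:
                    break
            nibble = frame[off] >> 4               # MPLS has no next-protocol field: guess
            nxt = "ip" if nibble == 4 else (None if nibble == 6 else "eth")
        else:
            break
    return layers


# (offset within header, length); the 3-byte MPLS slice also carries Exp and S in its low nibble
FIELDS = {("eth", "src"): (6, 6), ("eth", "dst"): (0, 6),
          ("ip", "src"): (12, 4), ("ip", "dst"): (16, 4), ("mpls", "label"): (0, 3)}


def slice_filter(frame, layer, field, n):
    """Luis's workaround: frame[off:len] filter matching the n-th (1-based) layer.field."""
    rel, ln = FIELDS[(layer, field)]
    off = [o for name, o, _ in walk(frame) if name == layer][n - 1] + rel
    value = ":".join(f"{b:02x}" for b in frame[off:off + ln])
    return f"frame[{off}:{ln}] == {value}"


def over(frame, layer, above):
    """Proposed y/x operator, read as: instances of `layer` that have an `above` header
    earlier in the frame.  Returns header offsets; an {n} selector would index this list."""
    offsets, seen_above = [], False
    for name, off, _ in walk(frame):
        if name == above:
            seen_above = True
        elif name == layer and seen_above:
            offsets.append(off)
    return offsets


if __name__ == "__main__":
    f = build_frame()
    for name, off, ln in walk(f):
        print(f"{name:5s} @ {off:3d}  len {ln}")
    for spec in (("eth", "src", 2), ("mpls", "label", 2), ("ip", "src", 2)):
        print(slice_filter(f, *spec))
    print("ip/mpls:", over(f, "ip", "mpls"), " ip/eth:", over(f, "ip", "eth"))
```

Two practical caveats when pasting the generated filters into Wireshark: the offsets are only valid for frames with this exact header stack (a GRE key, an IP option, or a second label in either stack shifts everything after it), and the MPLS slice matches label, Exp and S together, so a label with different Exp bits will not match even though `mpls.label` would.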