Tags: wireshark, ethernet, raw-ethernet

wireshark display filter on specific byte in a raw ethernet packet


I am trying to filter packets where the 15th byte (i.e. the 1st payload byte after the 14 byte header) is a specific value, either 0x00 or 0x01.

The packets I am interested in are raw ethernet, i.e. at the logical-link control layer, so I also filter on LLC as the protocol.

Here is what I tried:

llc && (frame[14:1] == 00 || frame[14:1] == 01)

This comes up green, so I'm pretty sure the syntax is correct. It's only displaying packets where Protocol is LLC, but it's also letting through packets where the 15th byte is 0x02, which I want to avoid.

Any ideas how I can successfully target the 15th byte value, or to put it another way, the 1st byte value of the payload?

Example packet (copied from Wireshark) where the 15th byte is 0x00:

0000   01 01 01 01 01 01 02 02 02 02 02 02 00 0e 00 05  ................
0010   00 00 00 05 00 00 00 00 00 00 00 01              ............

Example packet where the 15th byte is 0x01:

0000   02 02 02 02 02 02 01 01 01 01 01 01 00 0a 01 05  ................
0010   00 00 00 0d 00 00 00 f1 00 00 00 00 00 00 00 00  ................
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00              ............

I'd like to have Wireshark display both these packets.

There is a 3rd type of packet where the 15th byte is 0x02:

0000   02 02 02 02 02 02 01 01 01 01 01 01 00 39 02 ec  .............9..
0010   41 61 02 a2 21 44 2b 0c 00 02 00 1c 0c 02 00 00  Aa..!D+.........
0020   00 00 00 00 00 00 00 00 00 00 00 ee 91 20 04 46  ............. .F
0030   22 44 2b cc 01 03 00 00 00 00 00 00 00 00 00 00  "D+.............
0040   00 00 00 00 00 00 00                             .......

This type of packet I would like to exclude with the filter. My filter above still displays these 0x02 packets.


Solution

Here is the Wireshark display filter requested:

    llc and (frame[14] == 0 or frame[14] == 1)
    

Wireshark counts the first byte in each frame as byte 0, so the 15th byte is frame[14]. You do not need the colon for a single byte (as described in the docs). 'and' and '&&' are equivalent; 'or' and '||' are also equivalent.
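To check the answer against the three frames quoted in the question without a capture file, the following added example (not part of the original question or answer) parses the Wireshark hex dumps back into bytes, classifies each frame as LLC the way the Ethernet dissector does (a type/length field of 1500 or less is an IEEE 802.3 length, so an LLC header follows), and applies a Python equivalent of `llc and (frame[14] == 0 or frame[14] == 1)`. It also builds a minimal classic pcap file of the three frames so the filter can be tried in Wireshark or tshark. The function names, the `frames.pcap` path and the pcap-writing helper are this example's own assumptions.

```python
"""Added example: reproduce the frame[14] display filter in Python and
emit a small pcap holding the three frames quoted in the question."""
import re
import struct

# The three hex dumps from the question, copied verbatim
# (Wireshark "Copy as Hex Dump" format: offset, up to 16 bytes, ASCII gutter).
DUMP_BYTE_00 = """
0000   01 01 01 01 01 01 02 02 02 02 02 02 00 0e 00 05  ................
0010   00 00 00 05 00 00 00 00 00 00 00 01              ............
"""
DUMP_BYTE_01 = """
0000   02 02 02 02 02 02 01 01 01 01 01 01 00 0a 01 05  ................
0010   00 00 00 0d 00 00 00 f1 00 00 00 00 00 00 00 00  ................
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00              ............
"""
DUMP_BYTE_02 = """
0000   02 02 02 02 02 02 01 01 01 01 01 01 00 39 02 ec  .............9..
0010   41 61 02 a2 21 44 2b 0c 00 02 00 1c 0c 02 00 00  Aa..!D+.........
0020   00 00 00 00 00 00 00 00 00 00 00 ee 91 20 04 46  ............. .F
0030   22 44 2b cc 01 03 00 00 00 00 00 00 00 00 00 00  "D+.............
0040   00 00 00 00 00 00 00                             .......
"""

# Offset, then at most 16 two-digit hex tokens. Capping at 16 keeps the
# ASCII gutter (which may itself contain hex-looking text) out of the match.
_HEX_LINE = re.compile(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2}(?: |$)){1,16})", re.I)

IEEE_802_3_MAX_LEN = 1500  # type/length values up to this are 802.3 lengths


def parse_hex_dump(dump: str) -> bytes:
    """Turn a Wireshark hex dump block into the raw frame bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line.strip())
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)


def type_or_length(frame: bytes) -> int:
    """Bytes 12..13 of an Ethernet frame: EtherType or 802.3 length."""
    return struct.unpack_from("!H", frame, 12)[0]


def is_llc(frame: bytes) -> bool:
    """True when the frame is 802.3-framed, i.e. an LLC header follows the
    14-byte MAC header (this mirrors the length-vs-EtherType rule)."""
    return len(frame) >= 14 and type_or_length(frame) <= IEEE_802_3_MAX_LEN


def matches_filter(frame: bytes) -> bool:
    """Python equivalent of: llc and (frame[14] == 0 or frame[14] == 1).
    Indexing is 0-based, so frame[14] is the 15th byte, the first payload
    byte after the MAC header."""
    return is_llc(frame) and len(frame) > 14 and frame[14] in (0x00, 0x01)


def build_pcap(frames) -> bytes:
    """Serialise frames as a classic pcap (LINKTYPE_ETHERNET = 1) so the
    display filter can be checked in Wireshark. Timestamps are synthetic."""
    blob = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", i, 0, len(frame), len(frame))  # ts, lens
        blob += frame
    return bytes(blob)


FRAMES = [parse_hex_dump(d) for d in (DUMP_BYTE_00, DUMP_BYTE_01, DUMP_BYTE_02)]


def filter_results():
    """Which of the three quoted frames the filter keeps: [True, True, False]."""
    return [matches_filter(f) for f in FRAMES]


if __name__ == "__main__":
    for f in FRAMES:
        print(f"len={len(f):3d} type/len=0x{type_or_length(f):04x} "
              f"llc={is_llc(f)} byte15=0x{f[14]:02x} kept={matches_filter(f)}")
    with open("frames.pcap", "wb") as fh:  # assumed output path
        fh.write(build_pcap(FRAMES))
```

After running the script, `tshark -r frames.pcap -Y 'llc and (frame[14] == 0 or frame[14] == 1)'` should list only the first two frames; the 0x02 frame is excluded because its 15th byte fails the comparison, not because it is any less LLC than the others (all three carry a length, not an EtherType, in bytes 12..13).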