www.wireshark.org/tools/string-cf.html
IP Filters

| Expression | Meaning |
|---|---|
| ip[0] & 0x0f | low nibble: header length in 4-octet words; should be 5 |
| ip[1] | type of service / QoS / DiffServ |
| ip[2:2] | total length of datagram in octets |
| ip[4:2] | IP ID number |
| ip[6] & 0x80 | reserved bit (possibly used for ECN) |
| ip[6] & 0x40 | DF bit |
| ip[6] & 0x20 | MF bit |
| ip[6:2] & 0x1fff | fragment offset (number of 8-octet blocks) |
| ip[8] | TTL |
| ip[9] | protocol |
| ip[10:2] | header checksum |
| ip[12:4] | source IP |
| ip[16:4] | destination IP |

Samples

| Expression | Meaning |
|---|---|
| (ip[12:4] = ip[16:4]) | Src IP = Dest IP (land attack) |
| ip[0] & 0xf0 | high nibble: IP version; almost always 4 |
| (ip[0] & 0xf0 != 0x40) | IP version != 4 |
| (ip[0:1] & 0x0f > 5) | IP with options set |
| (ip[19] = 0xff) | Broadcasts to x.x.x.255 |
| (ip[19] = 0x00) | Broadcasts to x.x.x.0 |
| (ip and ip[1] & 0xfc == 0xb8) | search for EF in DSCP |
| (ip and ip[1] & 0xfc == 0x28) | search for AF11 in DSCP |
| (ip and ip[1] & 0xfc != 0x00) | search for DSCP packets != 0 |
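The byte offsets and masks above are libpcap/BPF capture-filter syntax (the same expressions tcpdump accepts). As an added example that is not part of the original cheat sheet, the following Python applies the same offset/mask tests to raw IPv4 headers built in-process, so each sample filter can be checked against a packet without a capture interface; `make_ipv4` and `classify` are names chosen here, and the headers are constructed, not captured.

```python
"""Evaluate the cheat sheet's byte/mask tests against raw IPv4 headers."""
import ipaddress
import struct


def make_ipv4(src, dst, tos=0, df=True, ihl=5):
    """Build a constructed IPv4 header (no real traffic) with the given
    source, destination, TOS byte, DF flag and IHL (header length in words)."""
    ver_ihl = (4 << 4) | ihl                     # ip[0]: version nibble | IHL nibble
    flags_frag = 0x4000 if df else 0             # ip[6:2]: DF is bit 0x40 of ip[6]
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, ihl * 4, 0x1234,
                      flags_frag, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + b"\x00" * (ihl * 4 - 20)        # zero padding stands in for options


def classify(pkt):
    """Return the names of the sample filters from the table that match pkt."""
    hits = []
    if pkt[12:16] == pkt[16:20]:                 # (ip[12:4] = ip[16:4])
        hits.append("land attack")
    if pkt[0] & 0xf0 != 0x40:                    # (ip[0] & 0xf0 != 0x40)
        hits.append("version != 4")
    if pkt[0] & 0x0f > 5:                        # (ip[0:1] & 0x0f > 5)
        hits.append("options set")
    if pkt[19] == 0xff:                          # (ip[19] = 0xff)
        hits.append("broadcast .255")
    if pkt[19] == 0x00:                          # (ip[19] = 0x00)
        hits.append("broadcast .0")
    dscp = pkt[1] & 0xfc                         # top six bits of the TOS byte
    if dscp == 0xb8:                             # (ip[1] & 0xfc == 0xb8)
        hits.append("DSCP EF")
    elif dscp == 0x28:                           # (ip[1] & 0xfc == 0x28)
        hits.append("DSCP AF11")
    elif dscp != 0:                              # (ip[1] & 0xfc != 0x00)
        hits.append("DSCP nonzero")
    if pkt[6] & 0x40:                            # ip[6] & 0x40
        hits.append("DF")
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1fff   # ip[6:2] & 0x1fff
    if pkt[6] & 0x20 or frag_off:                # MF bit or non-zero offset
        hits.append("fragment")
    return hits


if __name__ == "__main__":
    print(classify(make_ipv4("10.0.0.1", "10.0.0.1")))
    print(classify(make_ipv4("10.0.0.2", "10.0.0.255", tos=0xb8)))
```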