(1). If possible, can you please explain what this means:

"to be applied during the first pass of analysis. Packets not matching the filter are not considered for future passes. Only makes sense with multiple passes, see -2."

"Note that forward-looking fields such as 'response in frame #' cannot be used with this filter, since they will not have been calculated when this filter is applied."

(2). How do I apply a filter that displays only the frames matching

tcp.options.mss_val==1500

instead of applying the filter

tcp.options.mss_val

This didn't work:  -z tcp.oprions.mss_val==1500

(3). Here is a frame (Frame 3) that includes a bunch of nested protocols. With

 print "$src_addr:$src_port -> $dst_addr:$dst_port  MSS=$mss\n";

we get the output

1.1.1.1,2.2.2.2:xxxxx -> 3.3.3.3:yyyyy MSS=zzzzz

How can I differentiate the different source addresses (IPv4 and IPv6) captured at various instances in

while (<$ts>) {
    chomp;
    # one tab-separated line per frame, in the order of the -e fields
    my ($src_addr, $src_port, $dst_addr, $dst_port, $mss) = split /\t/;
    print "$src_addr:$src_port -> $dst_addr:$dst_port MSS=$mss\n";
}

Protocols captured in an example frame

[Protocols in frame: eth:ip:gre:mpls:pwethheuristic:pwethnocw:eth:vlan:ip:gre:eth:vlan:ipv6:icmpv6]

Complete example frame, with source and destination addresses modified

Frame 3: 198 bytes on wire (1584 bits), 198 bytes captured (1584 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 17, 2014 10:28:30.759871000 Western Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1403015310.759871000 seconds
    [Time delta from previous captured frame: 0.120287000 seconds]
    [Time delta from previous displayed frame: 0.120287000 seconds]
    [Time since reference or first frame: 0.599182000 seconds]
    Frame Number: 3
    Frame Length: 198 bytes (1584 bits)
    Capture Length: 198 bytes (1584 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:gre:mpls:pwethheuristic:pwethnocw:eth:vlan:ip:gre:eth:vlan:ipv6:icmpv6]
Ethernet II, Src: Cisco_00:00:00 (00:00:00:00:00:00), Dst: Vmware_11:11:11 (11:11:11:11:11:11)
    Destination: Vmware_11:11:11 (11:11:11:11:11:11)
        Address: Vmware_11:11:11 (11:11:11:11:11:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_00:00:00 (00:00:00:00:00:00)
        Address: Cisco_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 3.3.3.3 (3.3.3.3)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 184
    Identification: 0xd1a9 (53673)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: GRE (47)
    Header checksum: 0x3f36 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 1.1.1.1 (1.1.1.1)
    Destination: 3.3.3.3 (3.3.3.3)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Generic Routing Encapsulation (MPLS label switched packet)
    Flags and Version: 0x0000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...0 .... .... .... = Sequence Number Bit: No
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: MPLS label switched packet (0x8847)
MultiProtocol Label Switching Header, Label: 902, Exp: 0, S: 1, TTL: 255
    0000 0000 0011 1000 0110 .... .... .... = MPLS Label: 902
    .... .... .... .... .... 000. .... .... = MPLS Experimental Bits: 0
    .... .... .... .... .... ...1 .... .... = MPLS Bottom Of Label Stack: 1
    .... .... .... .... .... .... 1111 1111 = MPLS TTL: 255
Ethernet II, Src: Cisco_00:00:00 (00:00:00:00:00:00), Dst: AlcatelL_22:22:22 (22:22:22:22:22:22)
    Destination: AlcatelL_22:22:22 (22:22:22:22:22:22)
        Address: AlcatelL_22:22:22 (22:22:22:22:22:22)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_00:00:00 (00:00:00:00:00:00)
        Address: Cisco_00:00:00 (00:00:00:00:00:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1198
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = CFI: Canonical (0)
    .... 0100 1010 1110 = ID: 1198
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 2.2.2.2 (2.2.2.2), Dst: 4.4.4.4 (4.4.4.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xb0 (DSCP 0x2c: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        1011 00.. = Differentiated Services Codepoint: Unknown (0x2c)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 138
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 61
    Protocol: GRE (47)
    Header checksum: 0xa2dd [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 2.2.2.2 (2.2.2.2)
    Destination: 4.4.4.4 (4.4.4.4)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Generic Routing Encapsulation (Transparent Ethernet bridging)
    Flags and Version: 0x0000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...0 .... .... .... = Sequence Number Bit: No
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: Transparent Ethernet bridging (0x5555)
Ethernet II, Src: Apple_33:33:33 (33:33:33:33:33:33), Dst: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
    Destination: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
        Address: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Apple_33:33:33 (33:33:33:33:33:33)
        Address: Apple_33:33:33 (33:33:33:33:33:33)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 102
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = CFI: Canonical (0)
    .... 0000 0110 0110 = ID: 102
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::6666:44ff:fe00:4444 (fe80::6666:44ff:fe00:4444), Dst: ff00::00 (ff00::00)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 56
    Next header: IPv6 hop-by-hop option (0)
    Hop limit: 1
    Source: fe80::6666:44ff:fe00:4444 (fe80::6666:44ff:fe00:4444)
    [Source SA MAC: Apple_33:33:33 (33:33:33:33:33:33)]
    Destination: ff00::00 (ff00::00)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
    Hop-by-Hop Option
        Next header: ICMPv6 (58)
        Length: 0 (8 bytes)
        IPv6 Option (PadN)
            Type: PadN (1)
            Length: 0
            PadN: <MISSING>
        IPv6 Option (Router Alert)
            Type: Router Alert (5)
            Length: 2
            Router Alert: MLD (0)
Internet Control Message Protocol v6
    Type: Multicast Listener Report Message v2 (143)
    Code: 0
    Checksum: 0xc46c [correct]
    Reserved: 0000
    Number of Multicast Address Records: 2
    Multicast Address Record Changed to exclude: ff02::2:ff33:333
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::2:ff33:333 (ff02::2:ff33:333)
    Multicast Address Record Changed to exclude: ff02::1:ff44:4444
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::1:ff44:4444 (ff02::1:ff44:4444)

Thank you


In reply to Re^6: filter tcpdump packets by Anonymous Monk
in thread filter tcpdump packets by syboar
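An added worked example, not part of this post or of any reply in the thread. It shows how to tell the nested source and destination addresses apart when tshark's -T fields output is parsed in Perl. When a field such as ip.src occurs more than once in a frame (IP inside GRE inside IP, as in Frame 3 above), tshark prints every occurrence in that one column, joined by the aggregator character (a comma by default, settable with -E aggregator=), outermost header first; IPv6 headers never appear in ip.src at all, they live in ipv6.src, so both fields have to be requested. The tshark command in the comment is an assumed invocation: -2 turns on two-pass analysis, -R applied together with -2 is the first-pass read filter the quoted manual text describes, and -Y is the ordinary single-pass display filter (so "tcp.options.mss_val == 1500" belongs after -Y or -2 -R, not after -z, which selects statistics). The sample lines, the host addresses and the capture.pcap file name are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
use strict;
use warnings;

# Assumed tshark invocation that produced the lines parsed below:
#
#   tshark -r capture.pcap -2 -R 'tcp.options.mss_val == 1500' \
#       -T fields -E separator=/t -E aggregator=, \
#       -e ip.src -e ipv6.src -e tcp.srcport \
#       -e ip.dst -e ipv6.dst -e tcp.dstport -e tcp.options.mss_val
#
# A field that occurs several times in one frame (ip.src in an
# IP/GRE/.../IP frame) is printed once, with the occurrences joined by
# the aggregator, outermost header first.  ip.src is empty for a frame
# whose only IP header is IPv6, and ipv6.src is empty for pure IPv4.

# Constructed sample output (tab separated, columns in the -e order).
my @sample = (
    "1.1.1.1,2.2.2.2\t\t40001\t3.3.3.3,4.4.4.4\t\t443\t1500",  # IPv4 in GRE in IPv4
    "\tfe80::1\t50000\t\t2001:db8::10\t22\t1500",              # plain IPv6
    "5.5.5.5\tfe80::2\t40002\t6.6.6.6\tff02::1\t80\t1500",     # IPv6 inside an IPv4 tunnel
);

# Split one aggregated column into its per-layer values; "" gives ().
sub layers {
    my ($col) = @_;
    return length $col ? split(/,/, $col) : ();
}

# Bracket IPv6 literals so "addr:port" stays unambiguous.
sub endpoint {
    my ($addr, $port) = @_;
    $addr = "[$addr]" if $addr =~ /:/;
    return "$addr:$port";
}

# Parse one tshark line into a list of hashes, one per IP layer.
# The TCP ports and the MSS belong to the segment inside the innermost
# IP header, so they are attached to the last record only.
# Assumption: IPv4 headers are the outer ones, as in Frame 3 above.
# tshark groups values per field, not per layer, so v4-outside-v6 is
# the only nesting order this script can recover from these columns.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($ip4_src, $ip6_src, $sport, $ip4_dst, $ip6_dst, $dport, $mss)
        = split /\t/, $line, -1;        # -1 keeps trailing empty columns
    my @src = (layers($ip4_src), layers($ip6_src));
    my @dst = (layers($ip4_dst), layers($ip6_dst));
    die "source/destination layer count mismatch in: $line\n"
        unless @src == @dst;
    my @records;
    for my $i (0 .. $#src) {
        push @records, { layer => $i, src => $src[$i], dst => $dst[$i] };
    }
    $records[-1]{sport} = $sport;
    $records[-1]{dport} = $dport;
    $records[-1]{mss}   = $mss;
    return @records;
}

for my $line (@sample) {
    for my $r (parse_line($line)) {
        if (defined $r->{mss}) {
            printf "  layer %d: %s -> %s  MSS=%s\n", $r->{layer},
                endpoint($r->{src}, $r->{sport}),
                endpoint($r->{dst}, $r->{dport}), $r->{mss};
        }
        else {
            printf "  layer %d: %s -> %s  (outer tunnel header)\n",
                $r->{layer}, $r->{src}, $r->{dst};
        }
    }
    print "\n";
}
```

If only the innermost endpoints matter, the splitting can be avoided altogether by adding -E occurrence=l to the tshark command, which keeps just the last occurrence of each multi-valued field; -E occurrence=f keeps the outermost one instead. Either way, keep the -e ipv6.src / -e ipv6.dst columns, or IPv6 flows will show up with empty addresses.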
