Packet capturing - Filter options
The following is a list of filter options available for free-hand filtering when Packet capturing in WinGate.
| Filter | Description |
| --- | --- |
| packet.payload.byte | byte (8 bits) at an offset from the start of the packet (start of the ethernet header) (e.g. packet.payload.byte[2]) |
| packet.payload.word | word (16 bits) at an offset (e.g. packet.payload.word[2]) |
| packet.payload.dword | dword (32 bits) at an offset (e.g. packet.payload.dword[2]) |
| packet.payload.nword | |
| packet.payload.ndword | |
| ethernet.dst | ethernet destination MAC address |
| ethernet.src | ethernet source MAC |
| ethernet.type | ethernet packet type (e.g. 0x8000 = IP packet, 0x0806 = ARP) |
| ethernet.payload.byte | byte (8 bits) at an offset from the start of the ethernet payload (normally the IP packet) |
| ethernet.payload.word | word (16 bits) at an offset (e.g. ethernet.payload.word[2]) |
| ethernet.payload.dword | dword (32 bits) at an offset (e.g. ethernet.payload.dword[2]) |
| ethernet.payload.nword | Used as an option to dword or word when you wish to omit conversion to host byte ordering |
| ethernet.payload.ndword | |
| arp.hwaddresstype | hardware address type in ARP packet |
| arp.protoaddresstype | protocol address type in ARP packet |
| arp.hwaddresssize | hardware address size in ARP packet |
| arp.protoaddresssize | protocol address size in ARP packet |
| arp.operation | arp operation (request or response) |
| arp.sendermac | arp sender MAC address (who is doing the lookup) |
| arp.senderip | arp sender IP address |
| arp.targetmac | MAC address you are looking up |
| arp.targetip | IP address you are looking up |
| ip.payload.byte | payload of IP packet |
| ip.payload.word | |
| ip.payload.dword | |
| ip.payload.nword | |
| ip.payload.ndword | |
| ip.version | |
| ip.tos | |
| ip.length | |
| ip.id | |
| ip.frag | Value of the packet fragmentation indicator. If a packet is not fragmented, this value is 0 (zero) or 0x0040 (0x0040 means it should not be fragmented by intermediate routers). |
| ip.ttl | 0 - 255 TTL value |
| ip.protocol | next level protocol (e.g. 6 = TCP, 1 = ICMP, 17 = UDP) |
| ip.checksum | checksum |
| ip.src | source IP address |
| ip.dst | dest IP address |
| udp.src | UDP source port |
| udp.dst | UDP dest port |
| udp.length | UDP packet length (including header?) |
| udp.checksum | UDP checksum |
| tcp.src | TCP source port |
| tcp.dst | TCP dest port |
| tcp.seq | TCP sequence number |
| tcp.ack | TCP ack number |
| tcp.length | TCP length (header or payload?) |
| tcp.flags | TCP flags |
| tcp.window | TCP receive window |
| tcp.checksum | TCP checksum |
| tcp.urgent | TCP urgent pointer |
| tcp.port | TCP source or dest port (matches on either). Note: when using tcp.port or udp.port filters, you can simply use the word port (instead of tcp.port or udp.port). |
| udp.port | UDP source or dest port (matches on either) |
| ip.addr | IP source or dest address (matches on either) |
| ip.address | IP source or dest address (matches on either) |
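
The payload filters above read a value at an offset counted from the start of a given layer. The following Python model is an added example, not WinGate code, showing which bytes `packet.payload`, `ethernet.payload` and `ip.payload` offsets land on and how the converted and unconverted (`nword`, `ndword`) readings of the same bytes differ. It assumes the index is a byte offset, an untagged Ethernet II frame carrying IPv4, and a little-endian host; the frame and the names `FRAME`, `layer_start` and `field` are constructed for illustration.

```python
import struct

ETH_HLEN = 14  # Ethernet II header: dst MAC, src MAC, type

# Constructed sample frame (checksums left as zero): Ethernet + IPv4 with DF set + TCP SYN.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"        # ethernet.dst, ethernet.src, ethernet.type
    "4500002800014000400600000a0000010a000002"  # 20-byte IP header, 10.0.0.1 -> 10.0.0.2
    "c0de01bb00000001000000005002200000000000"  # 20-byte TCP header, port 49374 -> 443
)

# Assumption: "conversion to host byte ordering" yields the big-endian wire value;
# the n-variants skip it, modelled here as a little-endian host reading the raw bytes.
FORMATS = {"byte": "B", "word": ">H", "dword": ">I", "nword": "<H", "ndword": "<I"}


def layer_start(frame, layer):
    """Index of the first byte that <layer>.payload.* offsets count from."""
    if layer == "packet":    # start of the ethernet header
        return 0
    if layer == "ethernet":  # start of the ethernet payload (normally the IP packet)
        return ETH_HLEN
    if layer == "ip":        # after the IP header, whose length is IHL * 4 bytes
        if len(frame) <= ETH_HLEN:
            return len(frame)  # truncated frame: no IP header to measure
        return ETH_HLEN + (frame[ETH_HLEN] & 0x0F) * 4
    raise ValueError(f"unknown layer: {layer}")


def field(frame, layer, kind, offset):
    """Value of <layer>.payload.<kind>[offset], or None if the frame is too short."""
    fmt = FORMATS[kind]
    start = layer_start(frame, layer) + offset
    if offset < 0 or start + struct.calcsize(fmt) > len(frame):
        return None
    return struct.unpack_from(fmt, frame, start)[0]


if __name__ == "__main__":
    # The IP flags/fragment field sits at byte 6 of the IP header (bytes 40 00 here).
    print(hex(field(FRAME, "ethernet", "word", 6)))   # converted reading
    print(hex(field(FRAME, "ethernet", "nword", 6)))  # unconverted reading
    print(field(FRAME, "ethernet", "byte", 9))        # same byte as ip.protocol
    print(field(FRAME, "ip", "word", 2))              # same bytes as tcp.dst
```

Under these assumptions the unconverted reading of the don't-fragment bytes is 0x0040, the same value the table lists for ip.frag.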