
This is with respect to a Wireshark Packet Capture Filter.

  1. IP packets whose IP version is not 4

Solution :

Filter:

ip[0] & 0xF0      != 0x40
ip[0] & 1111 0000 != 64

Could anyone please provide clarity on how the above solution could be inferred?

Thanks in advance, Adam

  • If my answer worked for you, [mark it as accepted](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work). If it didn't, add a comment asking for clarification or corrections if needed (I guess you can only comment on your own question as per your current reputation, but no worries I will read it). – Nacho Apr 18 '16 at 19:55

1 Answer


According to the IPv4 packet structure:

[Figure: IPv4 header]

You have the version in the first octet, in the upper nibble. Version for IPv4 packets is "4" as you can see in the picture, but remember it has to be in the upper nibble, hence the 0x40 in the filter (64 in decimal base).

So what your filter does is grab the first byte of the IP header and AND it with 0xF0 to be sure it's keeping the version part (upper nibble), and then check if it is different from 0x40 (IPv4 packet).

What you could also have done is: `ip[0] & 0xf0 == 0x60`

Which is the same as saying, keep only IPv6 packets. Version in an IPv6 packet is equal to 6. The position of the version information is the same as for an IPv4 header:

[Figure: IPv6 header]

Nacho
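Added example, not part of the question or the answer above: the same version-nibble check done in Python over constructed header bytes, including the reason the `0xF0` mask matters (a normal IPv4 header's first byte is `0x45`, version 4 plus IHL 5, so comparing `ip[0]` against `0x40` without the mask would wrongly exclude it). The header bytes are constructed for the example.

```python
import struct

# Constructed sample headers; only the first byte matters for the version check.
# IPv4: version 4 in the upper nibble, IHL 5 (20-byte header) in the lower -> 0x45.
IPV4_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
# IPv6: version 6 in the upper nibble, traffic class bits in the lower -> 0x60.
IPV6_HEADER = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 20, 6, 64) + bytes(32)
# A deliberately malformed header with version nibble 5 (not a real IP version).
BOGUS_HEADER = bytes([0x50]) + bytes(19)


def ip_version(pkt: bytes) -> int:
    """Upper nibble of byte 0: what `ip[0] & 0xF0` isolates, shifted down to a number."""
    return (pkt[0] & 0xF0) >> 4


def ihl(pkt: bytes) -> int:
    """Lower nibble of byte 0: the IPv4 header length in 32-bit words."""
    return pkt[0] & 0x0F


def not_ipv4(pkt: bytes) -> bool:
    """Equivalent of the capture filter `ip[0] & 0xF0 != 0x40`."""
    return (pkt[0] & 0xF0) != 0x40


def is_ipv6(pkt: bytes) -> bool:
    """Equivalent of the answer's alternative `ip[0] & 0xf0 == 0x60`."""
    return (pkt[0] & 0xF0) == 0x60


def unmasked_not_ipv4(pkt: bytes) -> bool:
    """What `ip[0] != 0x40` would do WITHOUT the mask: the IHL nibble makes a
    normal IPv4 header's first byte 0x45, so this wrongly reports it as non-IPv4."""
    return pkt[0] != 0x40


if __name__ == "__main__":
    for name, pkt in (("IPv4", IPV4_HEADER), ("IPv6", IPV6_HEADER), ("bogus", BOGUS_HEADER)):
        print(f"{name}: byte0=0x{pkt[0]:02x} version={ip_version(pkt)} "
              f"not_ipv4={not_ipv4(pkt)} is_ipv6={is_ipv6(pkt)} "
              f"unmasked_not_ipv4={unmasked_not_ipv4(pkt)}")
```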