I am trying to snoop a certain type of ping request (ping size N bytes) using tshark. On the remote machine I run

ping 192.168.201.69 -s 30 

I capture with tshark like this:

 ./tshark -i 3 -T json -c 10 -f "ether host <MAC удаленной машины> and icmp" 

I do not understand how to specify the condition icmp.data.datalen == 30. Studying the man pages did not clarify it for me. Everywhere in the examples the icmp[icmptype] syntax is used, but I could not find where to look up all the available fields.

UPDATE

Judging by the man page

icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

icmp.data.len cannot be used in a capture filter. But maybe I misunderstood something.

  • For Linux it's like this: tshark -f icmp and so on - Denis E
  • As an option, you can look at the IP length; for IPv4 icmp-echo packets it is 28 bytes longer: icmp && ip.len == 58 - Fat-Zer
  • @Fat-Zer I think your comment can be counted as a solution. - JK_Action
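To show where the 28-byte offset in Fat-Zer's comment comes from (20-byte IPv4 header plus 8-byte ICMP echo header) and how the same length check looks as a capture filter, here is an added Python example that is not part of the thread. It constructs its own echo request (addresses and payload are made up), derives icmp.data.len the way Wireshark does, and emits both the display-filter form and the equivalent tcpdump/BPF byte-offset form (ip[2:2] is the IP total length field).

```python
import struct

IPV4_MIN_HDR = 20   # IPv4 header without options
ICMP_HDR = 8        # ICMP echo header: type, code, checksum, id, seq


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request (no IP options), like ping -s len(payload)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = IPV4_MIN_HDR + len(icmp)
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto=1 (ICMP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([192, 168, 201, 1]), bytes([192, 168, 201, 69]))
    return ip + icmp


def icmp_datalen(packet: bytes) -> int:
    """What Wireshark shows as icmp.data.len: IP total length minus IP and ICMP headers."""
    ihl = (packet[0] & 0x0F) * 4              # honours IP options, unlike a fixed 28
    (total_len,) = struct.unpack("!H", packet[2:4])
    return total_len - ihl - ICMP_HDR


def filters_for_payload(n: int) -> dict:
    """Filters matching an optionless IPv4 echo carrying n payload bytes."""
    ip_len = IPV4_MIN_HDR + ICMP_HDR + n      # 28 bytes more than the ping payload
    return {
        "display": f"icmp && ip.len == {ip_len}",      # for tshark -Y
        "capture": f"icmp and ip[2:2] = {ip_len}",     # for tshark -f (BPF byte offsets)
    }


if __name__ == "__main__":
    pkt = build_echo_request(b"A" * 30)
    print(len(pkt), icmp_datalen(pkt), filters_for_payload(30))
```

The capture-filter form matches packets with IP options set only if the total length happens to coincide, so for exact payload matching on such traffic use the display filter after capture.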
