If you are not on the same network as Fred, but you can see his traffic, you'll need to filter on Fred's IP address[15]. That means you now need to look into the IP header to set the filter. Figure 7 shows the IP header structure with its offsets listed in hexadecimal and decimal.
Figure 7: We’ll start using the Protocol offset value now that we’re above the data link layer.
Note | We are now building filters based on the protocol offset instead of the packet offset. -- Laura |
If you only run IP over Ethernet, you could build this filter using the Packet offset and add 14d (or 0x0E) to all the values shown above (the Ethernet II header is 14 bytes long). This means the IP Version field would be at offset 0x0E/14d.
Using the offsets shown in Figure 7, consider the filters you could build based on the Protocol field in the IP header.
Protocol Offset | Value (in hexadecimal) |
---|---|
0x09/9d (Protocol field) | 0x1 = Internet Control Message Protocol (ICMP) |
0x09/9d (Protocol field) | 0x2 = Internet Group Management Protocol (IGMP) |
0x09/9d (Protocol field) | 0x6 = TCP |
0x09/9d (Protocol field) | 0x11 = UDP (17 decimal) |
Note | Check out http://www.iana.org/assignments/protocolnumbers for the list of assigned protocol numbers for TCP/IP. Bookmark the IANA website - you'll visit it often! -- Laura |
Besides building filters on the byte offsets shown in Figure 7, you may also want to dig further into the packet and build filters on fields that do not begin or end on a byte boundary. For example, look at the Flags (3 bits) and Fragment Offset (13 bits) fields in the IP header, which share the two bytes at protocol offset 0x06/6d. There may be a time when you want to build a filter to check for all fragmented packets on your network, which means masking off the bits you care about rather than matching a whole byte. Check out Chapter 4 "Pattern Filters" for the details on building a filter to look for fragments on your network.
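The three filters discussed above (Fred's IP address, the Protocol field, and the fragment bits) as a worked example. This is added code, not from the book, and it assumes Ethernet II framing (so every protocol offset becomes a packet offset by adding 14), a made-up address for Fred (10.1.1.5), and constructed sample frames built in `sample_frames()` rather than a real capture. Function names such as `match_protocol` and `is_fragment` are our own.

```python
import struct

ETH_II_HDR_LEN = 14      # Ethernet II header length; add to an IP protocol offset to get the packet offset
ETHERTYPE_IPV4 = 0x0800  # EtherType at packet offset 12-13 for IP over Ethernet II

# IANA protocol numbers found at IP protocol offset 0x09
IPPROTO_ICMP = 0x01
IPPROTO_IGMP = 0x02
IPPROTO_TCP = 0x06
IPPROTO_UDP = 0x11

FRED_IP = "10.1.1.5"  # assumption: Fred's address is not given in the text


def packet_offset(protocol_offset):
    """Convert an IP header (protocol) offset to a packet offset for Ethernet II framing."""
    return ETH_II_HDR_LEN + protocol_offset


def ip_header(frame):
    """Return the IP header (and everything after it), or None if the frame is not IPv4."""
    if len(frame) < ETH_II_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[ETH_II_HDR_LEN:]


def match_protocol(frame, proto):
    """Filter on the Protocol field at protocol offset 0x09 (packet offset 0x17/23d)."""
    ip = ip_header(frame)
    return ip is not None and ip[0x09] == proto


def match_src_ip(frame, ip_addr):
    """Filter on the source IP address at protocol offset 0x0C-0x0F (packet offset 26-29)."""
    ip = ip_header(frame)
    wanted = bytes(int(octet) for octet in ip_addr.split("."))
    return ip is not None and ip[0x0C:0x10] == wanted


def is_fragment(frame):
    """Flags/Fragment Offset share the two bytes at protocol offset 0x06; mask out the bits.

    A packet is a fragment if More Fragments (bit 0x2000) is set or the 13-bit
    Fragment Offset (mask 0x1FFF) is non-zero. The DF bit (0x4000) alone does not count.
    """
    ip = ip_header(frame)
    if ip is None:
        return False
    flags_frag = struct.unpack("!H", ip[0x06:0x08])[0]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0


def build_frame(src_ip, dst_ip, proto, flags=0, frag_offset=0, payload=b"", ethertype=ETHERTYPE_IPV4):
    """Construct an Ethernet II + IPv4 frame for testing (constructed data, not a capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)
    flags_frag = ((flags & 0x7) << 13) | (frag_offset & 0x1FFF)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,  # checksum left 0 for the sample
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return eth + ip + payload


def sample_frames():
    """A handful of constructed frames exercising each filter."""
    return {
        "fred_tcp": build_frame(FRED_IP, "10.1.2.9", IPPROTO_TCP, payload=b"\x00" * 20),
        "fred_icmp": build_frame(FRED_IP, "10.1.2.9", IPPROTO_ICMP),
        "other_udp": build_frame("10.1.1.77", FRED_IP, IPPROTO_UDP),
        "first_frag": build_frame(FRED_IP, "10.1.2.9", IPPROTO_UDP, flags=0b001),      # MF set, offset 0
        "last_frag": build_frame(FRED_IP, "10.1.2.9", IPPROTO_UDP, frag_offset=185),   # MF clear, offset > 0
        "dont_frag": build_frame(FRED_IP, "10.1.2.9", IPPROTO_TCP, flags=0b010),       # DF only: not a fragment
        "arp": build_frame(FRED_IP, "10.1.2.9", IPPROTO_TCP, ethertype=0x0806),        # non-IP: filters must not match
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:10s} from_fred={match_src_ip(frame, FRED_IP)!s:5} "
              f"tcp={match_protocol(frame, IPPROTO_TCP)!s:5} fragment={is_fragment(frame)}")
```

Note the EtherType check in `ip_header`: a byte-offset filter built without it will happily read the Protocol "field" out of an ARP or other non-IP frame and match garbage, which is why the text distinguishes packet offsets from protocol offsets.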
[15]Remember that routers strip off and reapply the Ethernet (or Token Ring, or whatever) header as they forward packets. If you are the other side of a router from Fred, you'll never see his hardware address in the source address field of the Ethernet header -- you will see the router's hardware address instead.