In this post I will explain how to filter a capture at the byte level, using EIGRP packets as the example.
To filter a capture for EIGRP packets using a Wireshark display filter expression:
eigrp.opcode == 1
This displays only EIGRP updates; change the value to 2 (Request), 3 (Query), 4 (Reply) or 5 (Hello) to see the other opcodes.
Filtering a capture based on byte offset -
Choose an EIGRP update packet and mark the opcode field (1):
When you mark the field in the packet details pane, the corresponding byte in the packet bytes pane is highlighted as well (2). Note that the highlighted byte 01 lies in the grey area, which represents the EIGRP payload; that payload starts with the version byte 02, so the opcode is the second byte of the EIGRP header (offset 1, counting from 0). To match every EIGRP packet whose second byte has the value 01 we use a filter string of the following form:
PROTOCOL[START_FIELD:NUMBER_OF_BYTES] OPERATOR VALUE
PROTOCOL - the protocol we are slicing into; it can be ip, eigrp, ospf, gre or any other protocol Wireshark dissects.
START_FIELD - the byte offset within that protocol's header at which the slice begins, counting from 0 (so 1 is the second byte).
NUMBER_OF_BYTES - how many bytes to take from that offset; in my example I used 1, so only the single byte after the first byte is compared.
OPERATOR - any comparison operator: equal, not equal, greater than, less than, contains, etc.
VALUE - the byte value, written in hex, that the slice is compared against (01 in this example).
Here is another example, which filters EIGRP packets whose 11th and 12th bytes carry the value 002f:
The same bracket syntax is understood by Wireshark display filters and, as BPF, by tcpdump and Wireshark capture filters, so it can be used to catch any packet carrying a specific byte value at a known offset. One caveat: BPF only knows a handful of protocol names (ether, ip, ip6, tcp, udp, icmp, arp and a few others), so the eigrp name is not valid in a capture filter. There you index from the IP header instead (IP protocol number 88, with the EIGRP offset added to the IP header length, which is not always 20 bytes) and write the value as an integer such as 0x01 rather than a hex byte string.