Wireshark Filter – OSPF Database Description Link State ID

Tags: ipv4, ospf, packet-analysis, wireshark

Within Wireshark, how would one write a display filter for the IP address of the Link State ID within an OSPF Database Description packet? The Link State ID addresses are found within the LSA Header of the DB Description packet.

Best Answer

Display Filter by advertising Router-ID:

This display filter will get you as close as I can come up with...

ospf.msg.dbdesc == 1 and ospf contains <adv-router-id-as-hex>

For instance, if your advertising router is 1.1.1.1...

ospf.msg.dbdesc == 1 and ospf contains 01.01.01.01

However, the problem is that contains 01.01.01.01 matches any string contents with 01.01.01.01, so both 01.01.01.01 and 01.01.01.01.ff could match... Furthermore, it's possible that some other packet in the DBD also contains a reference to that router-id.

Display Filter by advertising Link-State ID:

This is a little easier, because there is a better chance to find a unique string, as long as you know the type of LSA you're looking for. The OSPF RFC requires the packet to get sent with <lsa-type-4bits>.<link-id-4bytes>, so the display filter is:

ospf.msg.dbdesc == 1 and ospf contains <lsa-type>.<link-id>

For example, the display filter to find a Network Summary LSA (LSA Type 3) with the ID of 10.4.27.0 (hex 0a.04.1b.00):

ospf.msg.dbdesc == 1 and ospf contains 03.0a.04.1b.00

Another example, the display filter to find an External LSA (LSA Type 5) with the ID of 10.4.27.0 (hex 0a.04.1b.00):

ospf.msg.dbdesc == 1 and ospf contains 05.0a.04.1b.00

FYI, these are the numbers corresponding to the LSA types
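
An exact-field version of the match discussed in the answer, as an added example that is not part of the original answer: it walks the 20-byte LSA headers of an OSPFv2 Database Description packet (layout per RFC 2328) and compares LS type and Link State ID at their fixed offsets, then shows a constructed packet where the byte-pattern search matches although no such LSA is present. The helper names and both sample packets are constructed for illustration.

```python
import socket
import struct

OSPF_HDR, DBD_FIXED, LSA_HDR = 24, 8, 20  # byte lengths, RFC 2328 A.3.1/A.3.3/A.4.1


def lsa_headers(ospf):
    """Yield (ls_type, link_state_id, adv_router) per LSA header in a DBD packet."""
    if len(ospf) < OSPF_HDR + DBD_FIXED:
        raise ValueError("truncated OSPF packet")
    version, ptype, length = struct.unpack_from("!BBH", ospf, 0)
    if version != 2 or ptype != 2:  # packet type 2 = Database Description
        raise ValueError("not an OSPFv2 Database Description packet")
    end = min(length, len(ospf))  # never read past the captured bytes
    off = OSPF_HDR + DBD_FIXED
    while off + LSA_HDR <= end:
        # LS age, options, LS type, Link State ID, adv. router, seq, cksum, length
        _, _, ls_type, ls_id, adv, _, _, _ = struct.unpack_from(
            "!HBB4s4sIHH", ospf, off)
        yield ls_type, socket.inet_ntoa(ls_id), socket.inet_ntoa(adv)
        off += LSA_HDR


def has_lsa(ospf, ls_type, link_id):
    """True only if an LSA header carries exactly this LS type and Link State ID."""
    return any(t == ls_type and i == link_id for t, i, _ in lsa_headers(ospf))


def build_dbd(router_id, lsas):
    """Build a constructed sample DBD packet (checksums left at zero)."""
    body = struct.pack("!HBBI", 1500, 0x02, 0x00, 0x1234)  # MTU, opts, flags, DD seq
    for ls_type, ls_id, adv, seq in lsas:
        body += struct.pack("!HBB4s4sIHH", 10, 0x02, ls_type,
                            socket.inet_aton(ls_id), socket.inet_aton(adv),
                            seq, 0, 36)
    return struct.pack("!BBH4s4sHH8s", 2, 2, OSPF_HDR + len(body),
                       socket.inet_aton(router_id), bytes(4), 0, 0,
                       bytes(8)) + body


# Byte pattern the "contains 03.0a.04.1b.00" filter searches for.
PATTERN = bytes([3]) + socket.inet_aton("10.4.27.0")
# Constructed packet that really lists a Type 3 LSA with ID 10.4.27.0.
REAL = build_dbd("1.1.1.1", [(3, "10.4.27.0", "1.1.1.1", 0x80000001)])
# Constructed decoy: Type 1 LSA whose adv. router ends in 03 and whose
# sequence number is 0x0a041b00, so the same five bytes appear by accident.
DECOY = build_dbd("1.1.1.3", [(1, "1.1.1.3", "1.1.1.3", 0x0A041B00)])

if __name__ == "__main__":
    for name, pkt in (("real", REAL), ("decoy", DECOY)):
        print(name, PATTERN in pkt, has_lsa(pkt, 3, "10.4.27.0"))
```
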
