There's more...

Some more useful filters:

  • ip multicast: IP multicast packets
  • ip broadcast: IP broadcast packets
  • ip[2:2] == <number>: IP packet size (bytes 3 and 4 of the IP header)
  • ip[8] == <number>: TTL value (byte 9 of the IP header)
  • ip[12:4] = ip[16:4]: IP source equal to IP destination address (bytes 13-16 are equal to bytes 17-20)
  • ip[2:2] == <number>: Total length of IP packet (bytes 3 and 4 equal <number>)
  • ip[9] == <number>: Protocol identifier (byte 10 equals <number>)

These filters are further explained in the Configuring byte offset and payload matching filters recipe at the end of this chapter. The principle, as illustrated further, is that the first number in the brackets is the offset, in bytes, from the beginning of the protocol header, and the second number is how many bytes to examine starting at that offset:
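The offset rule, worked through in Python as an added example (not code from the book): it packs two constructed IPv4 headers and reads the same byte ranges the filters above test. The helper names `build_ipv4_header`, `field` and `describe` and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

def build_ipv4_header(src, dst, ttl=64, proto=6, payload_len=20):
    """Pack a constructed 20-byte IPv4 header (no options, checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # byte 0: version 4, header length 5 words
        0,                      # byte 1: DSCP/ECN
        20 + payload_len,       # bytes 2-3: total length
        0x1234,                 # bytes 4-5: identification (constructed)
        0,                      # bytes 6-7: flags / fragment offset
        ttl,                    # byte 8: TTL
        proto,                  # byte 9: protocol identifier
        0,                      # bytes 10-11: header checksum (not computed)
        socket.inet_aton(src),  # bytes 12-15: source address
        socket.inet_aton(dst),  # bytes 16-19: destination address
    )

def field(header, offset, size=1):
    """Value of proto[offset:size]: `size` bytes starting `offset` bytes
    into the header, read as a big-endian unsigned integer."""
    if size not in (1, 2, 4):   # the filter syntax accepts sizes 1, 2 or 4
        raise ValueError("size must be 1, 2 or 4")
    if offset < 0 or offset + size > len(header):
        raise IndexError("offset outside header")
    return int.from_bytes(header[offset:offset + size], "big")

def describe(header):
    """Evaluate the byte-offset filters from the list against one header."""
    return {
        "ip[2:2]": field(header, 2, 2),   # total length
        "ip[8]": field(header, 8),        # TTL
        "ip[9]": field(header, 9),        # protocol identifier
        "ip[12:4] = ip[16:4]": field(header, 12, 4) == field(header, 16, 4),
    }

# Constructed sample headers using documentation address ranges.
NORMAL = build_ipv4_header("192.0.2.10", "198.51.100.7", ttl=64, proto=6)
SAME_ADDR = build_ipv4_header("192.0.2.10", "192.0.2.10", ttl=1, proto=17,
                              payload_len=8)

if __name__ == "__main__":
    for name, hdr in (("normal", NORMAL), ("same src/dst", SAME_ADDR)):
        print(name, describe(hdr))
```

Offsets count from zero, which is why `ip[8]` is the ninth byte of the header and `ip[2:2]` covers bytes 3 and 4.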
