Laura Chappell

Free Lab: Wireshark Layered Display Filters

The ability to look for a field or a field value at a specific layer is one of the many cool display filter enhancements recently added to Wireshark. Have you had a chance to play with it yet?


Here's a free (and short) Wireshark lab that will give you a feel for the layered display filter feature.


Step 1: Grab the Trace File for This Free Lab

Download whatup.pcapng.

If you spend a moment looking through this trace file, you'll notice some suspicious activity right away - port scans, a TLS handshake failure, a MySQL error response, etc.


This is a trace file I use in classes to teach folks how to customize Wireshark to quickly detect all types of errors.


We will use this file to examine the layered display filter feature. Try not to get distracted by the concerning packets (or have fun detecting them).


Step 2: Filter on ip.dst

Apply a display filter for ip.dst == 192.168.1.5. This filter displays all packets that contain 192.168.1.5 in any IPv4 destination address (ip.dst) field. Your filter should display 4812 packets.


But what if you are working with traffic that contains protocols embedded within protocols? For example, ICMP Destination Unreachable packets echo back part of the packet that triggered the Destination Unreachable response: the IP header and 8 bytes of whatever followed it (although most stacks echo back more than 8 bytes when more are available). The result is a frame with two IP headers, and therefore two ip.dst fields.

[Figure: ICMP packet with 2 IP headers]

Step 3: Apply a Layered Filter

To filter on the ip.dst address field contained in the second IP header of a packet, you must use a layered display filter. You must tell Wireshark which layer you are interested in. In this case, we are interested in the second IP layer.


Apply a filter for ip.dst#2 == 192.168.1.5.


Only one frame (#2223) should match your filter. That is the only frame that contains 192.168.1.5 in the second ip.dst field.


[Figure: frame with 192.168.1.5 in the second ip.dst field]

You can also use a range in your layered filters. For example, if the same protocol is embedded 4 layers deep, you can indicate that you are only interested in the first three occurrences of a field using the syntax fieldname#[1-3] == value.
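To make the layer numbering concrete, here is an added example that is not part of the original lab and not Wireshark's own code. It builds three constructed frames (addresses 10.0.0.9 and 10.0.0.1 are made up; checksums are left zero), including an ICMP Destination Unreachable that quotes the triggering IP header plus 8 bytes exactly as described above, then evaluates the three filter shapes from the post (`ip.dst == v`, `ip.dst#N == v`, `ip.dst#[A-B] == v`) with a deliberately minimal parser that only follows ICMP types 3, 11 and 12 into the quoted header. It shows why the plain filter matches a frame whose inner header carries 192.168.1.5 while `#2` only matches when the second IP layer does.

```python
import ipaddress
import re
import struct


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero).
    These are constructed sample frames, not packets from the whatup.pcapng trace."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def udp_probe(src, dst, sport, dport):
    """IPv4 + 8-byte UDP header: the kind of packet that provokes a port-unreachable reply."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, 17, len(udp)) + udp


def icmp_unreachable(src, dst, triggering_packet):
    """ICMP type 3 (Destination Unreachable), code 3, quoting the triggering packet's
    IP header plus the first 8 bytes of its payload, as the post describes."""
    quoted = triggering_packet[:28]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def ip_dst_occurrences(frame):
    """List every ip.dst value in the frame, outermost IP layer first.

    Position in this list (1-based) is what the #N layer syntax selects.
    Only ICMP messages that quote the offending datagram (types 3, 11, 12)
    are followed into the inner header; anything else ends the walk."""
    found = []
    offset = 0
    while offset + 20 <= len(frame) and frame[offset] >> 4 == 4:
        ihl = (frame[offset] & 0x0F) * 4
        proto = frame[offset + 9]
        found.append(str(ipaddress.IPv4Address(frame[offset + 16:offset + 20])))
        if proto != 1 or offset + ihl + 8 > len(frame):
            break
        if frame[offset + ihl] not in (3, 11, 12):
            break
        offset += ihl + 8  # skip the 8-byte ICMP header to reach the quoted IP header
    return found


# Accepts the three shapes used in the post: ip.dst == v, ip.dst#N == v, ip.dst#[A-B] == v
FILTER_RE = re.compile(r"^ip\.dst(?:#(\d+)|#\[(\d+)-(\d+)\])?\s*==\s*(\S+)$")


def matches(frame, display_filter):
    """Evaluate this small subset of Wireshark display filter syntax against one frame."""
    m = FILTER_RE.match(display_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter: {display_filter!r}")
    single, lo, hi, value = m.groups()
    occ = ip_dst_occurrences(frame)
    if single:                      # exactly the N-th IP layer
        n = int(single)
        return len(occ) >= n and occ[n - 1] == value
    if lo:                          # any IP layer within the range A..B
        return value in occ[int(lo) - 1:int(hi)]
    return value in occ             # plain ip.dst: any IP layer, outer or quoted


def filter_frames(frames, display_filter):
    """Return the 0-based indices of the frames the filter selects."""
    return [i for i, f in enumerate(frames) if matches(f, display_filter)]


# Constructed three-frame "trace": a UDP probe, the ICMP reply that quotes it,
# and an ICMP reply sent toward 192.168.1.5 that quotes an unrelated probe.
probe = udp_probe("10.0.0.9", "192.168.1.5", 40000, 53)
FRAMES = [
    probe,
    icmp_unreachable("192.168.1.5", "10.0.0.9", probe),
    icmp_unreachable("10.0.0.1", "192.168.1.5",
                     udp_probe("192.168.1.5", "10.0.0.1", 40001, 161)),
]

if __name__ == "__main__":
    for flt in ("ip.dst == 192.168.1.5", "ip.dst#1 == 192.168.1.5",
                "ip.dst#2 == 192.168.1.5", "ip.dst#[1-2] == 192.168.1.5"):
        print(f"{flt:32} -> frames {filter_frames(FRAMES, flt)}")
```

Frame 1 (0-based) is the one the lab is after: its outer ip.dst is 10.0.0.9 and its quoted header carries 192.168.1.5, so `ip.dst == 192.168.1.5` selects all three frames while `ip.dst#2 == 192.168.1.5` selects only that one. Against the real trace the same filters work unchanged in tshark, e.g. `tshark -r whatup.pcapng -Y 'ip.dst#2 == 192.168.1.5'`, which should report frame 2223 alone.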


Enjoy!

