This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to prepare a filter for TCPDUMP command in Linux Servers

0

Dear Team,

We have Linux OS installed on one of our nodes (which has an SS7 stack). Now, if we want to filter packets which are submitted towards the network, we use the command below to do so.

tcpdump -ni any -s 0 -w filename.pcap sctp

Now the above command captures all the packets of the SS7 layer. Is it possible to prepare a filter on the command line itself, like ((gsm_sms.tp-mti == 0) && (gsm_map.imsi_digits == "404971026311824")), the way we do filtering in Wireshark, OR what type of filtering options are there?

Or can Wireshark itself be helpful to do so? I tried using a remote interface, but it's not possible, as the server/node does not have direct connectivity; it's via a different server.

asked 06 Aug '12, 23:14

creative


One Answer:

0

tcpdump only supports capture filters, not Wireshark's (far richer) display filters. As such, you can't filter for things like gsm_sms.tp-mti with tcpdump. With capture filters you're limited to the things that libpcap understands. See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8), or, if that doesn't exist, http://wiki.wireshark.org/CaptureFilters.

answered 07 Aug '12, 07:51

JeffMorriss ♦

...and Wireshark's capture filters are the same as tcpdump's capture filters, with the same limitations.

(07 Aug '12, 11:51) Guy Harris ♦♦

Thanks Jeff for your answer.

@Harris... what? How are Wireshark filters the same as tcpdump filters???

(07 Aug '12, 19:22) creative
1

There are two kinds of "Wireshark filters" - capture filters, which are what are specified when you start a capture, and "display filters" (which can also be used, for example, for colorizing packets), which are specified when you have a capture. Wireshark capture filters are implemented by libpcap/WinPcap, just as tcpdump's filters are, so they're exactly the same as tcpdump filters. Wireshark display filters are implemented by Wireshark, and are much more capable than capture filters.

(08 Aug '12, 00:01) Guy Harris ♦♦

Thanks Harris :)

(08 Aug '12, 03:20) creative
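The two-stage workflow implied by Jeff's answer and Guy's comment above, as an added example that is not part of the original thread: keep the capture-side filter in libpcap syntax for tcpdump, then apply the display filter from the question offline with tshark, the command-line front end shipped with Wireshark (-r reads a capture, -Y applies a display filter, -w writes the matching packets). The file names and the syntax check are constructed for this example; the IMSI and field names are the ones in the question.

```shell
#!/bin/sh
# Added example, not code from the original thread.

# What libpcap understands: protocols, hosts, ports, raw byte offsets.
CAPTURE_FILTER='sctp'
# What only Wireshark's dissectors understand: protocol.field comparisons.
DISPLAY_FILTER='gsm_sms.tp-mti == 0 && gsm_map.imsi_digits == "404971026311824"'

# Heuristic check (constructed for this example): a dotted protocol.field
# name followed by a comparison operator is display-filter syntax, which
# tcpdump/libpcap would reject. Returns 0 if it looks like a display filter.
looks_like_display_filter() {
    printf '%s\n' "$1" | grep -Eq \
        '[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_.-]*[[:space:]]*(==|!=|contains|matches)'
}

# Stage 1: capture with tcpdump. -s 0 keeps whole packets so the SS7 payload
# the display filter depends on is not truncated. Returns 2 instead of
# running tcpdump when handed display-filter syntax. Stop with Ctrl-C or
# add -c N to limit the packet count.
capture() {
    iface=$1; out=$2; filt=${3:-$CAPTURE_FILTER}
    if looks_like_display_filter "$filt"; then
        echo "capture: '$filt' is a Wireshark display filter, not a libpcap capture filter" >&2
        return 2
    fi
    tcpdump -ni "$iface" -s 0 -w "$out" "$filt"
}

# Stage 2: apply the display filter offline and keep only matching packets.
apply_display_filter() {
    in=$1; out=$2; filt=${3:-$DISPLAY_FILTER}
    tshark -r "$in" -Y "$filt" -w "$out"
}

# Full pipeline, e.g.: run_pipeline any ss7-raw.pcap ss7-filtered.pcap
run_pipeline() {
    capture "$1" "$2" && apply_display_filter "$2" "$3"
}
```

Both stages need the respective tool installed; tcpdump usually also needs root or CAP_NET_RAW on the capturing node.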