This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter data by Capture Filter

0

Hi,

I would like to know who logs in on the application, and I see that by filtering on port 1100. I get this type of line: 192.168.101.xxx 192.168.101.10 TCP 55482 > mctp [PSH, ACK] Seq=1352 Ack=195886 Win=65656 Len=163. But there are too many lines with this filter. I need to filter the data for the string "LoginData", not afterwards but during the capture, so as not to have too many lines (270 MB for one hour, and I want to make statistics over one month).

Thanks in advance

asked 11 Dec '12, 07:51

Pheslot
accept rate: 0%


2 Answers:

2

Capture filters are based on BPF and are executed in kernel space for speed. BPF is a sort of virtual machine with a limited instruction set. To optimize for speed and to make sure it is impossible to end up in an infinite loop, there is no way in BPF to search for a specific string in the whole packet. It can only look for strings at specific offsets.

So unless the string "LoginData" is always at the same offset in a packet, there is no way to do this with BPF.

However, if the string "LoginData" is always at the start of the packet, the following packet filter might just be your friend :-)

tcp[0:4]=0x4c6f6769 and tcp[4:4]=0x6e446174 and tcp[8:1]=0x61

answered 11 Dec '12, 10:28

SYN-bit ♦♦
accept rate: 20%

Hi SYN-bit,

Thank you, but I'm not very familiar with that. What I can tell you is that the whole packet looks like this:

[screenshot of the packet bytes in Wireshark; the image was not preserved in this archive]

(12 Dec '12, 01:51) Pheslot

In this frame, the string LoginData starts at offset 0x006a. Since the packet looks like binary data (and not HTML, for instance), it might just be that the string LoginData always starts at this offset. The filter would then become:

tcp[0x6a:4]=0x4c6f6769 and tcp[0x6e:4]=0x6e446174 and tcp[0x72:1]=0x61
(13 Dec '12, 15:28) SYN-bit ♦♦
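An added example, not code from this thread: the general form of the filter SYN-bit builds by hand, in Python, together with the offset bookkeeping a practitioner has to get right. In pcap-filter syntax, tcp[n] is byte n counted from the start of the TCP header (tcp[0:2] is the source port), not from the start of the frame, so an offset read off a Wireshark hex dump (0x6a above) must first have the Ethernet and IP header lengths subtracted: 14 + 20 = 34 bytes, assuming untagged Ethernet and IPv4 without options. The frame, its payload and the 52 filler bytes that precede "LoginData" in it are constructed for the example; string_to_filter, frame_offset_to_tcp_offset, filter_for_string_at_frame_offset and filter_matches are hypothetical helper names, and the small evaluator only understands the and-joined tcp[off:n]=0x... clauses the generator emits, not full BPF.

```python
"""Build a fixed-offset BPF string match and check it against a frame.

Added example, not from the original thread.  Assumptions: untagged
Ethernet (14 bytes) and IPv4 without options (20 bytes) in front of the
TCP header, so tcp[] offsets = frame offset - 34.  Helper names are
hypothetical; the sample frame below is constructed, not captured.
"""
import re
import struct

ETH_LEN = 14      # assumption: no 802.1Q tag
IPV4_LEN = 20     # assumption: no IP options


def string_to_filter(s, tcp_offset):
    """Generalize the answer's filter for any ASCII string: compare it in
    4-, 2- and 1-byte chunks, since BPF loads 1, 2 or 4 bytes at a time.
    "LoginData" (9 bytes) becomes 4 + 4 + 1, exactly as in the answer."""
    data = s.encode("ascii")
    clauses, off = [], tcp_offset
    while data:
        n = 4 if len(data) >= 4 else (2 if len(data) >= 2 else 1)
        chunk, data = data[:n], data[n:]
        clauses.append(f"tcp[{off:#x}:{n}]=0x{chunk.hex()}")
        off += n
    return " and ".join(clauses)


def frame_offset_to_tcp_offset(frame_offset, ip_header_len=IPV4_LEN):
    """Translate an offset read from a Wireshark hex dump (counted from
    the first byte of the frame) into the tcp[] index libpcap expects
    (counted from the first byte of the TCP header)."""
    tcp_off = frame_offset - ETH_LEN - ip_header_len
    if tcp_off < 0:
        raise ValueError("frame offset lies before the TCP header")
    return tcp_off


def filter_for_string_at_frame_offset(s, frame_offset):
    return string_to_filter(s, frame_offset_to_tcp_offset(frame_offset))


# Only the clause shape produced above: tcp[<off>:<1|2|4>]=0x<hex>, joined by "and".
_CLAUSE = re.compile(r"tcp\[(0x[0-9a-f]+|\d+):([124])\]=0x([0-9a-f]+)")


def filter_matches(expr, frame, ip_header_len=IPV4_LEN):
    """Evaluate the and-joined clauses against a raw Ethernet frame the
    way the kernel BPF program would: slice the TCP header + payload and
    compare each fixed-offset chunk.  Reads past the end never match."""
    tcp = frame[ETH_LEN + ip_header_len:]
    for off, n, val in _CLAUSE.findall(expr):
        off, n = int(off, 0), int(n)
        if tcp[off:off + n] != bytes.fromhex(val.zfill(2 * n)):
            return False
    return True


def build_frame(payload, tcp_header_len=20):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero): the
    client-to-port-1100 PSH/ACK segment from the question, with a fake payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs, EtherType IPv4
    total = IPV4_LEN + tcp_header_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 168, 101, 20]), bytes([192, 168, 101, 10]))
    tcp = struct.pack("!HHIIBBHHH", 55482, 1100, 1352, 195886,
                      (tcp_header_len // 4) << 4, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


# Constructed payload: 52 bytes of binary preamble, then the marker string.
# 14 + 20 + 20 + 52 = 106 = 0x6a, the frame offset seen in the thread.
SAMPLE_PAYLOAD = bytes(range(52)) + b"LoginData" + b"user=alice\x00"
SAMPLE_FRAME = build_frame(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    expr = filter_for_string_at_frame_offset("LoginData", 0x6a)
    print("capture filter:", expr)
    print("matches sample frame:", filter_matches(expr, SAMPLE_FRAME))
    # Using the hex-dump offset directly as a tcp[] index looks 34 bytes too far.
    print("frame offset used as tcp[] index matches:",
          filter_matches("tcp[0x6a:4]=0x4c6f6769", SAMPLE_FRAME))
```

The TCP header can itself vary in length when options are present, so a filter anchored to the payload rather than to the header is more robust: libpcap accepts arithmetic in the index, and `tcp[((tcp[12]&0xf0)>>2)+52:4]=0x4c6f6769` addresses the same byte whatever the option length (52 being the in-payload offset used in this constructed frame). Before deploying either form, run it through `tcpdump -d '<filter>'` to see the compiled BPF program, and against a saved capture with `tcpdump -r file.pcap '<filter>'` to confirm it selects only the login segments.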

0

I suggest checking ngrep.

http://ngrep.sourceforge.net/usage.html

This tool allows you to search for strings in IP packets, and if it finds the string, it will dump the content of the packet.

It does work on Linux and it should work on Windows.

Regards
Kurt

answered 14 Dec '12, 10:41

Kurt Knochner ♦
accept rate: 15%

edited 14 Dec '12, 10:47