This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capability of PCAP library to filter up to the ss7 application layer?


According to the ebook, pg 245 (reader)/pg 222 (book), in the paragraph right above "Writing Capture Filters", the author states that the PCAP library, aka the Capture Filter, may not be as powerful as the Display Filter of Wireshark, resulting in the latter requiring more execution time.

My question: is the Capture Filter (libpcap / WinPcap) capable of filtering data as deep as the SS7 application layer?

Thanks

Regards,

Eddie Choo

asked 26 Jul '11, 03:17


eddie choo

edited 26 Jul '11, 03:18

I just noticed this paragraph:

While tcpdump can decode protocols, it cannot directly address many of them. The keywords defined in the tcpdump filter language are oriented toward Link layer (layer 2) and Transmission Control Protocol/Internet Protocol (TCP/IP) filtering.

pg 223 (book)/pg 246 (reader)

Since it is always assumed that the MTP3 layer is equivalent to the TCP/IP layer and the Link Layer is equivalent to the MTP 1-2 layers, I think the answer to my question is no?

Thanks

(26 Jul '11, 03:24) eddie choo

Yes. As per my response to Jeff Morriss's answer, there are libpcap filters for MTP2 and MTP3 - not currently documented, which is a libpcap bug - but not for anything above that layer.

(26 Jul '11, 19:13) Guy Harris ♦♦

2 Answers:


Correct: libpcap does not currently have (capture) filters for SS7. It's not that it could not, but no one has implemented it.

answered 26 Jul '11, 07:05


JeffMorriss ♦


More accurately, it doesn't have capture filters for SS7 above MTP3. The pcap-filter man page needs to be updated to describe the MTP2 and MTP3 filters libpcap does implement.

(26 Jul '11, 19:12) Guy Harris ♦♦

Doh! Silly me, looked at the documentation. (Actually I did try to look at the source, but couldn't figure it out enough to find anything... <sigh>)

(27 Jul '11, 06:15) JeffMorriss ♦


Depending on your requirements you could work around those limitations.

1) You could extend Wireshark/tshark with Lua and a packet tap, which would save packets that match certain filters into separate files.

2) You could capture with tcpdump/dumpcap and pipe the packets to tshark, which can then apply the -R "display_filter" option.

answered 26 Jul '11, 07:29


izopizo

You could filter for SCTP if that's the transport protocol and/or IP/port combination(s) to limit the captured packets.

(26 Jul '11, 21:35) Anders ♦
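Workaround 1 from izopizo's answer, combined with Anders' suggestion of a coarse SCTP capture filter, as an added example that is not part of the original thread: a Lua packet tap for tshark that copies only the packets matching an SS7-level display filter into a separate capture file. The display filter, output file name and the `-f sctp` capture filter are assumptions chosen for illustration; the Listener/Dumper calls are Wireshark's Lua API.

```lua
-- Added example (not from the thread). Run with, e.g.:
--   tshark -i eth0 -f "sctp" -q -X lua_script:ss7_split.lua
-- libpcap's "sctp" keeps the kernel-side filter cheap; the SS7-level match
-- that libpcap cannot express is applied here as a display filter.

local out_name     = "sccp_matches.pcap"                 -- assumed output file
local match_filter = 'sccp.called.digits == "1234567890"' -- assumed display filter

-- Listener.new(tap, filter): the packet callback only fires for packets that
-- pass the display filter, so no per-packet field lookups are needed here.
local tap = Listener.new(nil, match_filter)

local dumper  = nil
local matched = 0

function tap.packet(pinfo, tvb)
    if dumper == nil then
        -- Opened lazily inside the tap so the output file gets the same
        -- link-layer encapsulation as the packets being processed.
        dumper = Dumper.new_for_current(out_name)
    end
    dumper:dump_current()   -- write the current packet unchanged
    matched = matched + 1
end

function tap.draw()
    -- Called once at end of input in tshark; report and make sure data is on disk.
    if dumper ~= nil then
        dumper:flush()
    end
    print(string.format("%d packets matched [%s], written to %s",
                        matched, match_filter, out_name))
end

function tap.reset()
    -- Called when the capture is reloaded (Wireshark GUI); start a fresh file.
    if dumper ~= nil then
        dumper:close()
        dumper = nil
    end
    matched = 0
end
```

The same script works offline against an existing trace with `tshark -r capture.pcap -q -X lua_script:ss7_split.lua`, which is the file-then-filter variant of workaround 2.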