I "inherited" a custom sniffer program that is capturing traffic using libpcap.

When I try to use display filters such as "http.request" and "http.response", no traffic is displayed in Wireshark. However, when I just use "http", I see all of the packets I would expect.

Can anyone give me some hints as to what I should be looking at more closely in this custom code that would affect the ability to use these filters? I'm not a libpcap expert.

asked 28 Oct '11, 11:36


dturkel


Another option: Your sniffer program limits the capture to the first 68 bytes of the frame. Then you'll have http, but the dissector is unable to parse an http request or response field. Hence the http display filter works, http.request and http.response don't.


answered 29 Oct '11, 11:13


Jaap ♦

The same thought occurred to me this morning over coffee. There was an option to provide the number of bytes to capture, and I increased this... and bingo, problem solved. Thanks very much!

(29 Oct '11, 15:19) dturkel
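As an added example (not code from the thread or from the asker's sniffer), the following Python constructs one HTTP GET frame, writes it to two pcap byte strings, one with the usual 65535-byte snaplen and one with the 68-byte snaplen Jaap describes, and then applies the two checks a dissector would: a port-based match, which is all "http" needs, and a complete request-line match, which is what "http.request" needs. The MAC addresses, IP addresses, ports and request are constructed, and `pcap_snaplen` is the check to run on the inherited sniffer's output file before anything else.

```python
"""Added example: how a small snaplen keeps a port-based "http" match working
while cutting off the request line that "http.request" depends on.
All packet data below is constructed; no real hosts are involved."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FULL_SNAPLEN = 65535
SHORT_SNAPLEN = 68   # the truncation suspected in the answer above


def ipv4_checksum(hdr: bytes) -> int:
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_http_frame(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (assumed addresses)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # TCP: arbitrary seq/ack, PSH|ACK, checksum left zero (not validated here)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames the way libpcap does: store at most `snaplen` bytes per
    packet (incl_len) but record the true length in orig_len."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out


def pcap_snaplen(data: bytes) -> int:
    """The snaplen field of the pcap global header (bytes 16..20)."""
    return struct.unpack("<I", data[16:20])[0]


def read_pcap(data: bytes):
    """Yield (captured_bytes, orig_len) for each record in a pcap byte string."""
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len


def tcp_ports_and_payload(frame: bytes):
    """Return (sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return sport, dport, frame[tcp_off + data_off:]


def is_http(frame: bytes) -> bool:
    """A port-based 'http' match only needs the TCP header to be present."""
    parsed = tcp_ports_and_payload(frame)
    return parsed is not None and 80 in parsed[:2]


def http_request_line(frame: bytes):
    """'http.request' needs a complete, CRLF-terminated request line."""
    parsed = tcp_ports_and_payload(frame)
    if parsed is None:
        return None
    payload = parsed[2]
    end = payload.find(b"\r\n")
    if end < 0:
        return None  # line never terminates inside the captured bytes
    parts = payload[:end].decode("ascii", "replace").split(" ")
    return " ".join(parts) if len(parts) == 3 and parts[2].startswith("HTTP/") else None


def analyse(data: bytes):
    """Return (snaplen, [(is_http, request_line), ...]) for a pcap byte string."""
    return pcap_snaplen(data), [(is_http(f), http_request_line(f)) for f, _ in read_pcap(data)]


REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed
FRAME = build_http_frame(REQUEST)
FULL = write_pcap([FRAME], FULL_SNAPLEN)
SHORT = write_pcap([FRAME], SHORT_SNAPLEN)

if __name__ == "__main__":
    for name, data in (("full", FULL), ("snaplen 68", SHORT)):
        print(name, analyse(data))
```

With a 68-byte snaplen the 14-byte Ethernet header, 20-byte IP header and 20-byte TCP header leave only 14 bytes of payload, so the port match still succeeds but the request line is never terminated. On a real file, a snaplen of 68 in the global header, or records whose incl_len is consistently smaller than orig_len, is the same symptom.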

libpcap doesn't use Wireshark display filters, it uses capture filters. It seems that your custom sniffer appends your filter string to "port ", then feeds it to libpcap. That way "port http" results in BPF filter code, while compilation of "port http.request" and "http.response" does not.


answered 28 Oct '11, 15:08


Jaap ♦

Thanks Jaap.

What I'm trying to do is select/display a capture from the custom sniffer in Wireshark, applying the display filter "http.response".

The custom sniffer does not apply any filters (which is desired, because there are quite a few other non-HTTP filters that need to be applied as well, e.g. for SMB and other higher-level protocols).

(28 Oct '11, 15:55) dturkel

libpcap does not accept Wireshark filters but tcpdump filters.

Look at justniffer for an example of a sniffer using the libpcap libraries.


answered 03 Nov '11, 04:13


Augustyn

Last updated: 03 Nov '11, 04:13