OK, standard Wireshark has no dissector for a protocol named "STTP", so I don't know what protocol that is, and I had to ask The Great Gazoogle what it might be, because the mechanisms that implement capture filters (a mechanism in libpcap and various OS kernels, where the filter is compiled into a pseudo-machine program and interpretively executed or translated to machine code and executed) and display filters (implemented in Wireshark as something that uses the result of Wireshark's dissection of packets) are completely different, and there is no general mechanism for turning a display filter into a capture filter (and some display filters simply cannot be turned into capture filters, as the BPF pseudo-machine does not support looping and thus cannot handle any protocol whose dissection requires a loop).
So we'll need to have a specification for this protocol.
If STTP is the Secure Token Transfer Protocol, then that's a text protocol carried on top of HTTP. Capture filters can't easily parse HTTP text (if they can do so at all), so that won't be possible.
If STTP is the Secure TBM Transfer Protocol, that also appears to be carried on top of HTTP, so that probably won't be possible, either.
If STTP is the Streaming Telemetry Transport Protocol, it's not obvious from a quick look at the spec which field would be the "offset" field, so I can't yet tell you whether it's even possible to filter on it at capture time, much less how a filter could be implemented if it is possible*.
If STTP is the Shaped Token-based Transport Protocol, we'd need a spec for that protocol in order to determine whether this is even possible, much less how such a filter could be implemented if it is possible. The same applies if it's the Stream Tone Transfer Protocol, or if it's none of the "STTP" protocols I've identified.
You may simply have to use udp port 2550, which will capture all STTP traffic; "the first one in the stream" cannot be implemented in a capture filter, as capture filters are stateless - the first STTP packet can't set a flag that will be checked for all subsequent STTP packets.
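The stateless/stateful distinction the answer draws is easiest to see in code. The following is an added example, not part of the answer above and not Wireshark or libpcap code: it parses Ethernet/IPv4/UDP frames (constructed inline, not from any real STTP capture), applies a predicate equivalent to the capture filter udp port 2550, which decides on each packet's bytes alone, and then does the "first packet of each stream" selection as a post-capture pass that needs a memory of streams already seen, which is exactly what a BPF program cannot keep. The read_pcap helper is a minimal classic-pcap reader (assumed little-endian magic, Ethernet link type) so the same two passes can be run over a file saved with the capture filter.

```python
import struct

UDP_PROTO = 17


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet II / IPv4 / UDP frame (zeroed MACs and checksums)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, UDP_PROTO, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + udp


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != UDP_PROTO:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    off = 14 + ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[off:off + 8])
    return (src, dst, sport, dport, frame[off + 8:off + ulen])


def udp_port_filter(port):
    """Stateless predicate equivalent to the capture filter 'udp port <port>'.
    It looks only at the current packet, just as a BPF program does."""
    def pred(frame):
        p = parse_frame(frame)
        return p is not None and (p[2] == port or p[3] == port)
    return pred


def apply_capture_filter(frames, pred):
    """Indices of frames the stateless predicate accepts."""
    return [i for i, f in enumerate(frames) if pred(f)]


def first_per_stream(frames, pred):
    """Stateful post-capture pass: index of the first accepted packet of each UDP
    stream (src, dst, sport, dport). The 'seen' set is the state a capture
    filter cannot hold, so this has to run after capture, not during it."""
    seen, out = set(), []
    for i, f in enumerate(frames):
        if not pred(f):
            continue
        src, dst, sport, dport, _ = parse_frame(f)
        key = (src, dst, sport, dport)
        if key not in seen:
            seen.add(key)
            out.append(i)
    return out


def read_pcap(path):
    """Minimal classic pcap reader (assumes little-endian magic, Ethernet link type)."""
    frames = []
    with open(path, "rb") as fh:
        fh.read(24)  # global header
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                return frames
            _, _, incl_len, _ = struct.unpack("<IIII", hdr)
            frames.append(fh.read(incl_len))


def sample_frames():
    """Constructed traffic: two UDP streams on port 2550 plus one DNS packet."""
    return [
        build_frame("10.0.0.1", "10.0.0.2", 40000, 2550, b"a"),  # stream A, first
        build_frame("10.0.0.1", "10.0.0.2", 40001, 53, b"dns"),   # not port 2550
        build_frame("10.0.0.1", "10.0.0.2", 40000, 2550, b"b"),  # stream A again
        build_frame("10.0.0.3", "10.0.0.2", 2550, 5000, b"c"),   # stream B, first
        build_frame("10.0.0.1", "10.0.0.2", 40000, 2550, b"d"),  # stream A again
    ]


if __name__ == "__main__":
    frames = sample_frames()
    pred = udp_port_filter(2550)
    print("capture filter matches:", apply_capture_filter(frames, pred))
    print("first per stream:      ", first_per_stream(frames, pred))
```

Run it on a saved file with frames = read_pcap("capture.pcap") in place of sample_frames(); the capture filter keeps all port-2550 packets, and only the second pass, which remembers streams it has already seen, reduces that to one packet per stream.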