Ask Your Question
0

How would I map this display filter to a capture filter?

asked 2018-01-19 05:41:20 +0000

Scott Harman gravatar image

Hi guys - I've got the following script that I've made fairly generic so we can capture all traffic on a subnet (or series of them)

SETLOCAL  EnableDelayedExpansion
set TSHARK="C:\Program Files (x86)\Wireshark\tshark"
set LOCATION=C:\temp\wireshark\
set NAME=bc4.pcapng
set net1=net 10.198.1
set net2=net 10.198.4
set net3=net 10.198.2
set net4=net 10.198.64
set net5=net 10.198.63
set ip_list=10.198.1.200
rem set socket_range=tcp port 2096 and tcp portrange 20000-20399
set "FILTER=(%net1% or %net2% or %net3% or %net4% or %net5%) and not udp portrange 2530-2500 and not port 5900"
for %%i in (%ip_list%) do set "FILTER=!FILTER! and ip src not %%i and ip dst not %%i"
if not exist %LOCATION% mkdir %LOCATION%
%TSHARK% -i 5 -b filesize:50000 -b files:2000 -f "%FILTER%" -w %LOCATION%%NAME%

I'd like to see if I can add a particular display filter, which is: sttp.offset == 0 - I don't think it's possible, but it will always be from UDP 2550, and it will be the first one in the stream (I just want to verify it's there) as the STTP traffic will make up about 80-90% of all the traffic in this instance.

User Datagram Protocol, Src Port: 2550, Dst Port: 64485 filtered traffic

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-01-19 06:50:47 +0000

Guy Harris gravatar image

OK, standard Wireshark has no dissector for a protocol named "STTP", so I don't know what protocol that is, and I had to ask The Great Gazoogle what it might be, because the mechanisms that implement capture filters (a mechanism in libpcap and various OS kernels, where the filter is compiled into a pseudo-machine program and interpretively executed or translated to machine code and executed) and display filters (implemented in Wireshark as something that uses the result of Wireshark's dissection of packets) are completely different, and there is no general mechanism for turning a display filter into a capture filter (and some display filters simply cannot be turned into display filters, as the BPF pseudo-machine does not support looping and thus cannot handle any protocol whose dissection requires a loop).

So we'll need to have a specification for this protocol.

If STTP is the Secure Token Transfer Protocol, then that's a text protocol carried on top of HTTP. Capture filters can't easily parse HTTP text (if they can do so at all), so that won't be possible.

If STTP is the Secure TBM Transfer Protocol, that also appears to be carried on top of HTTP, so that probably won't be possible, either.

If STTP is the Streaming Telemetry Transport Protocol, it's not obvious from a quick look at the spec which field would be the "offset" field, so I can't yet tell you whether it's even possible to filter on it at capture time, much less how a filter could be implemented if it is possible*.

If STTP is the Shaped Token-based Transport Protocol, we'd need a spec for that protocol in order to determine whether this is even possible, much less how such a filter could be implemented if it is possible. The same applies if it's the Stream Tone Transfer Protocol, or if it's none of the "STTP" protocols I've identified.

You may simply have to use udp port 2550, which will capture all STTP traffic; "the first one in the stream" cannot be implemented in a capture filter, as capture filters are stateless - the first STTP packet can't set a flag that will be checked for all subsequent STTP packets.

edit flag offensive delete link more

Comments

Thanks very much for the response Guy - it's our own protocol for media transfer between our hardware and software applications - would I be able to do something piping the capture filter into a display filter in a different tshark session?

Yes - doomed to failure - an example capture syntax I tried (multiple variations of)

%TSHARK% -i 5  -f "%FILTER%" | tshark -Y "sttp.offset == 0 || tcp" -b filesize:50000 -b files:2000 -w 
%LOCATION%%NAME% -i -

Error dumped after 35 or so packets was: $ generic_capture.bat tshark: Display filters aren't supported when capturing and saving the captured packets. Capturing on 'Hardwired Connection' 35 tshark: An error occurred while printing packets: Invalid argument.

The same issue occurs when trying to pipe output. There must be a way to do this. I don't mind using linux on the capture station rather than windows if that provides a mechanism.

The main issue ...(more)

Scott Harman gravatar imageScott Harman ( 2018-01-21 22:24:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-01-19 05:41:20 +0000

Seen: 1,504 times

Last updated: Jan 19 '18