Need to apply filter on zigbee packets through command line

asked 2019-11-28 16:20:28 +0000


Hi Team,

I have a zigbee file in pcap format which contains around 3,20,000 packets. I need to apply a filter on different fields (like snapshot, report attributes, read attributes) on the zigbee packets through the command line, to narrow down the results and to get only the required data, in pcap format.

Could you please let me know the syntax for how I can apply a filter on zigbee packets.

Many Thanks!! Neha Malhotra

1 Answer

answered 2019-11-28 16:39:06 +0000


You'll need to use Wireshark display filter syntax with the -Y option. You may also need the -2 option to enable 2-pass processing as used in the GUI.

See the tshark man page for more info on tshark options and the zigbee field reference guide on the fields to use. Note there are a few zigbee sub-dissectors.

Thanks for providing input. Could you please share syntax which specifies the Zigbee field names?

Neha malhotra (2019-11-28 16:49:01 +0000)

I have no idea which (of the many) zigbee fields you're interested in, so taking as an example the first zigbee dissector listed in the field reference guide currently in use (e.g. for Wireshark 3.0.6), ZigBee Application Framework (zbee_apf), and the first field listed there, zbee_apf.count, which is an 8 bit unsigned integer, I could create a filter of

-Y "zbee_apf.count == 42"

To determine which field name to use, either locate it in the reference guide, or using the GUI, load your capture, locate and select the field in the packet details pane and look at the field name in parentheses in the status bar. The field reference guide also informs you of the type of the field which affects the comparison operation you may use on it.

grahamb (2019-11-28 16:58:56 +0000)

Thanks for helping me out. I was trying to apply filter on field "zbee_zcl_se.met.attr.func_noti_flag.tunnel_message_pending" which accepts boolean value.

I entered the command in the syntax below and am getting an error:

tshark -Y "zbee_zcl_se.met.attr.func_noti_flag.tunnel_message_pending == Yes" -r C:\Users\Automation3\Documents\SetA103.pcap -T pdml > C:\Users\Automation3\Documents\check.xml

Error message: Neither "zbee_zcl_se.met.attr.func_noti_flag.tunnel_message_pending" nor "Yes" are fields or protocol names.

Neha malhotra (2019-11-28 17:21:00 +0000)

As that field is a boolean you should compare to either of the boolean values 0 or 1.

What is your tshark version (-v)?

grahamb (2019-11-28 17:48:15 +0000)
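A worked version of the command line discussed in the answer and in the boolean comment above, as an added example that is not part of this thread or of Wireshark's own documentation. It assumes tshark is on PATH when the filter is actually run; the input path is a placeholder (not the asker's SetA103.pcap) and the helper function names are my own. It adds two things the thread only implies: `-w` with `-F pcap` so the matching packets are written out as a pcap file rather than PDML, and a check against `tshark -G fields` so an unknown field name is caught before it surfaces as the "Neither ... are fields or protocol names" error. The commands are shown for a POSIX shell; on Windows cmd the double-quoted filter argument is written the same way.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tshark is on PATH when the filter is
# actually run; the input path below is a placeholder, not the asker's SetA103.pcap.

# Build the tshark command line that keeps only packets matching a display filter
# and writes them to a new capture file:
#   -2      two-pass analysis, as the GUI does (needed for some reassembly-based fields)
#   -Y      display filter in Wireshark syntax
#   -F pcap write classic pcap rather than the pcapng default
#   -w      output file for the matching packets
build_filter_cmd() {
    # $1 = input capture, $2 = display filter, $3 = output capture
    printf 'tshark -2 -r %s -Y "%s" -F pcap -w %s' "$1" "$2" "$3"
}

# Return 0 if this tshark build knows the given field name, 1 otherwise.
# "tshark -G fields" prints one tab-separated line per field; column 3 is the
# abbreviated name used in filters, so a name missing here is exactly what
# produces the "Neither X nor Y are fields or protocol names" error.
field_known() {
    tshark -G fields 2>/dev/null | awk -F'\t' -v f="$1" '$3 == f { found = 1 } END { exit !found }'
}

# Take the field name out of a simple "field op value" filter expression.
filter_field() {
    printf '%s' "${1%% *}"
}

# Boolean fields compare against 0 or 1, not "Yes"/"No".
FILTER='zbee_zcl_se.met.attr.func_noti_flag.tunnel_message_pending == 1'
INPUT="${1:-capture.pcap}"      # placeholder input path
OUTPUT="${2:-filtered.pcap}"

if [ -r "$INPUT" ] && command -v tshark >/dev/null 2>&1; then
    if field_known "$(filter_field "$FILTER")"; then
        eval "$(build_filter_cmd "$INPUT" "$FILTER" "$OUTPUT")"
    else
        echo "field $(filter_field "$FILTER") is not known to this tshark; check: tshark -G fields | grep zbee_" >&2
    fi
else
    # Nothing to run here (no capture or no tshark): show the command that would be used.
    build_filter_cmd "$INPUT" "$FILTER" "$OUTPUT"; echo
fi
```

The field check matters for the version question raised in the comment above: field names differ between Wireshark releases, so `tshark -G fields | grep zbee_` on the installed build is the authoritative list, not a reference guide for a newer version.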

Tshark version is 1.4. I have tried commands compatible with 1.4, but those are not yielding any results. Example: Zbee.zdp.channel_count

Syntax followed:

tshark -Y Zbee.zdp.channel_count -r C:\Users\Automation3\Documents\SetA103.pcap -T pdml > C:\Users\Automation3\Documents\check.xml

Thanks for quick response.

Neha malhotra (2019-11-28 18:09:41 +0000)

