Ask Your Question
0

Map LLRP capture info to display filter?

asked 2020-01-31 14:35:12 +0000

WSharkScreenName gravatar image

Hi,

I have captured network traffic includes LLRP transactions. In the "Info" column there are descriptions like: (Get Reader Config), (Get Reader Config Response), (Delete AccessSpec), (Keepalive), and more.

I would like to apply display filters to this. Through trial and error, I have figured out how to filter on, Get Reader Config, Get Reader Config Response, & RO Access Report.

The trial & error method is tedious. The issue for me is that the descriptions in the "Info" column do not reflect anything about the filter name. Is there a way to map these to make finding the correct filter easier?

For example, I have:

Low Level Reader Protocol

...0 01.. = Version: 1.0.1 (1)
.... ..00 0011 1110 = Type: Keepalive (62)
Length: 10
ID: 36225

I would like to filter out these from the display with llrp.xxxxx.yyyyyyy. The only filter with the phrase "alive" in the filter list is "llrp.param.keepalive_trig_type". BUT, this does not filter the Keepalive packets I have captured. Instead, "llrp.param.keepalive_trig_type" displays "Set Reader Config" & "Get Reader Config Response".

Is there a simple way that these "Info" descriptions and filter selections can be mapped\related?

edit retag flag offensive close merge delete

Comments

Here are the associations I have figured out so far. They may be helpful to other users:

llrp.param.conf_value          = (Get Reader Config Response)
llrp.param.gpi_config          = (Get Reader Config Response)
llrp.param.keepalive_trig_type = (Set Reader Config),(Get Reader Config Response) shows both
llrp.req_conf                  = (Get Reader Config)
llrp.param.access_result       = (RO Access Report)

(I hate not having fixed width Courier font as an option here. Also had to put in a bunch of blank lines because of the default formatting)

I'm not sure why different filters seem to act on the command such as (Get Reader Config Response).

WSharkScreenName gravatar imageWSharkScreenName ( 2020-01-31 16:23:34 +0000 )edit

@WSharkScreenName, use the "code formatting" option to get fixed width markdown.

grahamb gravatar imagegrahamb ( 2020-01-31 16:35:49 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-31 15:15:48 +0000

Jaap gravatar image

Simple? That depends. If you're comfortable reading source code you can find how the Info column text is composed, and which protocol tree items are added doing that. The field info defines the available display filters. If all this makes no sense then no, this is not simple. As said the composition of the Info column is independent of the construction of the protocol tree, as seen in the packet details, were the display filter applies.

edit flag offensive delete link more

Comments

I will not be allowed time to learn Wireshark code. I am pretty loaded with our own code work. I will just work though it. I just don't have the time to become WS code or user expert at this point. Thanks for clarification on this matter though.

WSharkScreenName gravatar imageWSharkScreenName ( 2020-01-31 16:28:51 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-31 14:35:12 +0000

Seen: 356 times

Last updated: Jan 31 '20

Related questions

display filtering and sll?

many to many comparision [display private networks as example]

ip.flags.sf not supported?

Is it possible to filter to ignore capture before and after a particular time stamps?

Why are ranges not possible in display filter frame.number?

Filter only within displayed packets (without re-analyzing entire file)

I cannot enter a filter for tcp port 61883. What is so special about this number?

tshark smtp filter decode.

Wireshark expression filters (Wireless Capture)

Updating MATE config