
How can I make display filter conditions apply to the same datagram?

asked 2020-03-19 19:24:43 +0000

NCTuser

updated 2020-03-19 19:26:03 +0000

If I use the filter expression ecat.cmd == BRD && ecat.data == 0c:00, Wireshark will show the frames in which there is a datagram with the BRD command and a datagram with data 0c:00, but these two conditions are not necessarily true for the same datagram. How can I filter the frames where there is a datagram for which both conditions are true? I know the ecat.sub1, ecat.sub2, ... fields, but I do not know the exact position of the datagram in the frame. Maybe it is possible by using a Lua script?


Comments

EtherCAT can have multiple datagrams per frame.
You would like the filter to match frames only where the two conditions are in the same datagram.
If Wireshark display filters supported field occurrence then this might be possible.
An upvote for the bugs in this Ask question might help to get it added.

Chuckc ( 2020-03-19 20:02:32 +0000 )

18827: Ability to filter on occurrences of a field

an EtherCAT frame which contains five EtherCAT DLPDUs sequentially

If the ecat dissector were updated to add them as true PDUs, this could be solved with MATE.

Currently it is [Protocols in frame: eth:ethertype:ecatf:ecat] - a single PDU.

Frame 4: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: MS-NLB-PhysServer-20_4f:23:98:cf (02:14:4f:23:98:cf), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
EtherCAT frame header
EtherCAT datagram(s): 7 Cmds, SumLen 14, 'BWR'... 
    EtherCAT datagram: Cmd: 'BWR' (8), Len: 2, Adp 0x5, Ado 0x120, Cnt 5
    EtherCAT datagram: Cmd: 'BRD' (7), Len: 2, Adp 0x5, Ado 0x130, Cnt 5
    EtherCAT datagram: Cmd: 'APRD' (1), Len: 2, Adp 0x5, Ado 0x130, Cnt 1
    EtherCAT datagram: Cmd: 'APRD' (1), Len: 2, Adp 0x4, Ado 0x130, Cnt 1
    EtherCAT datagram: Cmd: 'APRD ...
Chuckc ( 2024-06-24 10:37:23 +0000 )

3 Answers


answered 2024-06-24 21:36:26 +0000

Chuckc

Display filter macro to search for cmd/data pair:

"e1" ((ecat.sub1.cmd==$1)&&(ecat.sub1.data==$2))
"e2" ((ecat.sub2.cmd==$1)&&(ecat.sub2.data==$2))
"e3" ((ecat.sub3.cmd==$1)&&(ecat.sub3.data==$2))
"e4" ((ecat.sub4.cmd==$1)&&(ecat.sub4.data==$2))
"e5" ((ecat.sub5.cmd==$1)&&(ecat.sub5.data==$2))
"ecat_search1" ${e1;$1;$2} or ${e2;$1;$2} or ${e3;$1;$2} or ${e4;$1;$2} or ${e5;$1;$2}
"e6" ((ecat.sub6.cmd==$1)&&(ecat.sub6.data==$2))
"e7" ((ecat.sub7.cmd==$1)&&(ecat.sub7.data==$2))
"e8" ((ecat.sub8.cmd==$1)&&(ecat.sub8.data==$2))
"e9" ((ecat.sub9.cmd==$1)&&(ecat.sub9.data==$2))
"e10" ((ecat.sub10.cmd==$1)&&(ecat.sub10.data==$2))
"ecat_search2" ${e6;$1;$2} or ${e7;$1;$2} or ${e8;$1;$2} or ${e9;$1;$2} or ${e10;$1;$2}
"ecat_search" ${ecat_search1;$1;$2} or ${ecat_search2;$1;$2}

answered 2024-06-24 20:59:39 +0000

Guy Harris

Wireshark issue 8178 discusses the problem of indicating that a packet-matching expression with multiple terms combined with "and"/"or" should apply all of the terms to a single PDU, rather than, if there are multiple "xxx" protocol PDUs in the frame, matching "xxx.a == y and xxx.b == z" if one PDU has an "xxx.a" field with the value "y" and the other PDU has an "xxx.b" field with the value "z".

It is still open.

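The difference between frame-level and same-datagram matching described in this thread, as an added Python example that is not part of any answer here: it walks the datagram headers of an EtherCAT payload (the bytes after the Ethernet header) and applies both terms to one datagram at a time. The sample frames and all function names are constructed for illustration, and the layout used (10-byte datagram header, 11-bit length, "more" flag in bit 15, 2-byte working counter) is assumed from the standard EtherCAT framing.

```python
import struct

# EtherCAT command codes as shown in the dissection on this page.
APRD, BRD, BWR = 1, 7, 8

def build_frame(datagrams):
    """Constructed sample data: pack (cmd, data) pairs into an EtherCAT payload."""
    body = b""
    for i, (cmd, data) in enumerate(datagrams):
        more = 0x8000 if i < len(datagrams) - 1 else 0  # bit 15: another datagram follows
        # cmd, idx, ADP, ADO, len|flags, IRQ, then data and a 2-byte working counter
        body += struct.pack("<BBHHHH", cmd, i, 0x0005, 0x0130, len(data) | more, 0)
        body += data + struct.pack("<H", 0)
    # 2-byte frame header: 11-bit length, 1 reserved bit, 4-bit type (1 = datagrams)
    return struct.pack("<H", (len(body) & 0x07FF) | (1 << 12)) + body

def parse_datagrams(payload):
    """Return [(cmd, data), ...] for every complete datagram in the payload."""
    (hdr,) = struct.unpack_from("<H", payload, 0)
    end = min(2 + (hdr & 0x07FF), len(payload))
    out, off, more = [], 2, True
    while more and off + 10 <= end:
        cmd, _idx, _adp, _ado, lenflags, _irq = struct.unpack_from("<BBHHHH", payload, off)
        dlen = lenflags & 0x07FF
        if off + 10 + dlen + 2 > end:  # truncated capture: stop instead of over-reading
            break
        out.append((cmd, payload[off + 10: off + 10 + dlen]))
        more = bool(lenflags & 0x8000)
        off += 10 + dlen + 2
    return out

def frame_level_match(payload, cmd, data):
    """Mirrors `ecat.cmd == X && ecat.data == Y`: each term may hit a different datagram."""
    dgs = parse_datagrams(payload)
    return any(c == cmd for c, _ in dgs) and any(d == data for _, d in dgs)

def same_datagram_match(payload, cmd, data):
    """What the question asks for: both terms true for one and the same datagram."""
    return any(c == cmd and d == data for c, d in parse_datagrams(payload))

# Constructed frames: in `split`, BWR carries 0c:00 while BRD carries 00:00.
split = build_frame([(BWR, b"\x0c\x00"), (BRD, b"\x00\x00"), (APRD, b"\x00\x00")])
joined = build_frame([(BWR, b"\x00\x00"), (BRD, b"\x0c\x00")])
```

For the constructed `split` frame the frame-level check matches while the same-datagram check does not, which is the false positive the question describes.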

answered 2024-06-24 17:54:53 +0000

Chuckc

I haven't had any luck finding a capture where a BRD datagram also has data.
EtherCAT datagram: Cmd: 'BRD' (7), Len: 2, Adp 0x0, Ado 0x130, Cnt 0

MATE extracts the cmd fields as hex, so the display filter search would be for "0x07".

MATE code to allow search for a specific cmd/data pair:

Pdu sub1_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub1.cmd;
    Extract data From ecat.sub1.data;
};

Gop sub1_gop On sub1_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub2_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub2.cmd;
    Extract data From ecat.sub2.data;
};

Gop sub2_gop On sub2_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub3_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub3.cmd;
    Extract data From ecat.sub3.data;
};

Gop sub3_gop On sub3_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub4_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub4.cmd;
    Extract data From ecat.sub4.data;
};

Gop sub4_gop On sub4_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub5_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub5.cmd;
    Extract data From ecat.sub5.data;
};

Gop sub5_gop On sub5_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub6_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub6.cmd;
    Extract data From ecat.sub6.data;
};

Gop sub6_gop On sub6_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub7_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub7.cmd;
    Extract data From ecat.sub7.data;
};

Gop sub7_gop On sub7_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub8_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub8.cmd;
    Extract data From ecat.sub8.data;
};

Gop sub8_gop On sub8_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub9_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub9.cmd;
    Extract data From ecat.sub9.data;
};

Gop sub9_gop On sub9_pdu Match (cmd, data) {
    Start (cmd, data);
};

Pdu sub10_pdu Proto ecat Transport mate {
    Extract cmd From ecat.sub10.cmd;
    Extract data From ecat.sub10.data;
};

Gop sub10_gop On sub10_pdu Match (cmd, data) {
    Start (cmd, data);
};

Gog ecat_gog {
    Member sub1_gop (cmd, data);
    Member sub2_gop (cmd, data);
    Member sub3_gop (cmd, data);
    Member sub4_gop (cmd, data);
    Member sub5_gop (cmd, data);
    Member sub6_gop (cmd, data);
    Member sub7_gop (cmd, data);
    Member sub8_gop (cmd, data);
    Member sub9_gop (cmd, data);
    Member sub10_gop (cmd, data);
};

Done;

Display filter example: (mate.ecat_gog.cmd == "0x04") && (mate.ecat_gog.data == "06:00")


Stats

Asked: 2020-03-19 19:24:43 +0000

Seen: 210 times

Last updated: Jun 24