Capture Filter for FRAMES

asked 2020-07-16 23:28:44 +0000

appreciated

updated 2020-07-16 23:29:56 +0000

Hello,

I need to capture a frame; let's call it "text".

For now I use a Display Filter this way: Frame contains "text"

It works fine, BUT because it's just a display filter, Wireshark captures a lot in the background. (Server 24/7)

So the problem is, filtering the results after a few hours takes ages. It's not possible to work this way.

How can I use a CAPTURE FILTER for that "text" which ONLY captures the necessary stuff? Otherwise Wireshark dies during capturing because of so much captured data, which I don't need!

It's also not possible to use another kind of Capture Filter, because length, port and IP are always different. The only constant thing is that it's the UDP protocol.

Some ideas?


Comments

Is the "text" always in the same position (offset from start) in the frame?
There is a tool for string matching in TCP.
It is a starting point - the output will need to be massaged into an appropriate format for UDP.

Chuckc (2020-07-17 00:37:00 +0000)

2 Answers


answered 2020-07-17 07:52:20 +0000

grahamb

You might want to rethink your capture and filtering approach.

If you use dumpcap to capture, especially with multiple files of a specific size to limit the subsequent search, you can then post process those files with tshark to search for your string and output the results elsewhere as you require.

Using dumpcap in this way also ensures the capture process won't run out of memory, as Wireshark will.


answered 2020-07-17 00:35:25 +0000

Guy Harris

Frame contains "text"

That would require looping over the contents of the frame. Looping is NOT supported by capture filters, as they may be run in the OS kernel, and the developers of BPF didn't want to allow user-mode code to force the kernel to loop.

If the text is at a fixed offset in the frame, that can be done with a capture filter, although the filters are (currently) somewhat complicated to construct.


Comments

It seems to be fixed, yes.

Wireshark is so powerful, but it's really sad you have to capture all that stuff you don't need.

So it took ages to filter just a handful of results.

The Display Filter is used by default, so I see only the results on screen. Is there at least a way that, if I just want to change the sequence (for example by IPs or time and so on), this is only applied to the results from the Display Filter?

By default it's applied to the whole capture file, and just arranging (sorting) by capture time takes very long... for maybe 100 results. :/

appreciated (2020-07-17 02:09:58 +0000)

Once you have a filtered view, you can export these displayed (maybe 100) packets to a new capture file. Working with that subset is much easier.

Jaap (2020-07-17 05:49:06 +0000)

It seems to be fixed, yes.

So where does that text appear within the frame? Is it at a fixed offset from the UDP header, for example?

Guy Harris (2020-07-17 07:36:12 +0000)
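Putting the two answers together (grahamb's dumpcap ring buffer with tshark post-processing, and Guy Harris's fixed-offset capture filter), as an added example that is not part of the thread or of Wireshark itself. The script assumes dumpcap, tshark and mergecap from the Wireshark suite are on PATH; the interface name, file sizes, file prefix and the search string "text" are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: interface, file prefix, sizes, search string.

# 1. Fixed-offset capture filter (Guy Harris's point). BPF cannot loop, so a capture
#    filter cannot search a frame for a string, but it can compare bytes at a known
#    position. udp[N:W] compares W bytes (W must be 1, 2 or 4) at offset N from the
#    start of the UDP header; the payload begins at N = 8. The string is split into
#    4/2/1-byte chunks that are ANDed together. Caveat from pcap-filter(7): the udp[]
#    index applies to IPv4 and only sees the first fragment of a fragmented datagram.
bpf_for_udp_string() {
    string=$1
    payload_off=${2:-0}
    base=$((8 + payload_off))
    hex=$(printf '%s' "$string" | od -An -v -tx1 | tr -d ' \n')
    nbytes=$(( ${#hex} / 2 ))
    pos=0
    filter=""
    while [ "$pos" -lt "$nbytes" ]; do
        remain=$((nbytes - pos))
        if [ "$remain" -ge 4 ]; then width=4
        elif [ "$remain" -ge 2 ]; then width=2
        else width=1
        fi
        chunk=$(printf '%s' "$hex" | cut -c "$((pos * 2 + 1))-$(( (pos + width) * 2 ))")
        term="udp[$((base + pos)):$width] == 0x$chunk"
        if [ -n "$filter" ]; then filter="$filter and $term"; else filter=$term; fi
        pos=$((pos + width))
    done
    printf '%s\n' "$filter"
}

# 2. Ring-buffer capture (grahamb's point). dumpcap writes straight to disk and rotates
#    files, so its memory use stays flat however long it runs. -b filesize is in kB:
#    here 100 MB per file, keeping the 20 newest. If the string's offset is unknown,
#    pass plain "udp" as the capture filter and let step 3 do the string search.
ring_capture() {
    iface=$1 prefix=$2 capfilter=$3
    dumpcap -i "$iface" -f "$capfilter" -b filesize:102400 -b files:20 -w "$prefix.pcapng"
}

# 3. Post-process each rotated file with tshark, writing only frames that match the
#    display filter, then merge the small per-file results into one capture.
#    dumpcap names ring files <prefix>_<seq>_<timestamp>.pcapng, hence the glob.
extract_matches() {
    prefix=$1 needle=$2 out=$3
    i=0
    for f in "$prefix"_*.pcapng; do
        [ -e "$f" ] || continue
        i=$((i + 1))
        tshark -r "$f" -Y "frame contains \"$needle\"" -w "$out.part$i.pcapng"
    done
    mergecap -w "$out" "$out".part*.pcapng && rm -f "$out".part*.pcapng
}

case "${1:-}" in
    filter)  bpf_for_udp_string "$2" "${3:-0}" ;;
    capture) ring_capture "$2" "$3" "${4:-udp}" ;;
    extract) extract_matches "$2" "$3" "$4" ;;
esac
```

`sh udpgrep.sh filter text 0` prints `udp[8:4] == 0x74657874`, which can be passed as the capture filter to `sh udpgrep.sh capture eth0 /var/tmp/cap "udp[8:4] == 0x74657874"` so that only matching datagrams are ever written; `sh udpgrep.sh extract /var/tmp/cap text /var/tmp/matches.pcapng` then produces the small file Jaap describes, which Wireshark can sort and filter instantly. Note that `frame contains` is a case-sensitive byte match; use `frame matches` for a regular expression.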


Stats

Asked: 2020-07-16 23:28:44 +0000

Seen: 3,251 times

Last updated: Jul 17 '20