Capture Filter for FRAMES

asked 2020-07-16 23:28:44 +0000

appreciated
1 ●1 ●2 ●2

updated 2020-07-16 23:29:56 +0000

Hello,

I need to capture a frame lets call it "text".

For now I use a Display Filter this way: Frame contains "text"

It works fine, BUT because it's just display filter Wireshark captures a lot in background. (Server 24/7)

So the problem is, filtering the results after a few hours take ages. It's not possible to work this way.

How can I use a CAPTURE FILTER for that "text" which ONLY captures the necessary stuff? Otherwise Wireshark dies during capturing because of so many captured data, which I don't need!

It's also not possible to use another kind of Capture Filter, because length, port and IP is always diff. The only constant thing is, that it's UDP protocol.

Some ideas?

edit retag flag offensive close merge delete

Comments

Is the "text" always in the same position (offset from start) in the frame?
There is a tool for string matching in TCP.
It is a starting point - the output will need to be massaged into an appropriate format for UDP.

Chuckc ( 2020-07-17 00:37:00 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2020-07-17 07:52:20 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

You might want to rethink your capture and filtering approach.

If you use dumpcap to capture, especially with multiple files of a specific size to limit the subsequent search, you can then post process those files with tshark to search for your string and output the results elsewhere as you require.

Using dumpcap in this way also ensures the capture process won't run out of memory, as Wireshark will.

edit flag offensive delete link

add a comment

answered 2020-07-17 00:35:25 +0000

Guy Harris
19890 ●3 ●659 ●207

Frame contains "text"

That would require looping over the contents of the frame. Looping is NOT supported by capture filters, as they may be run in the OS kernel, and the developers of BPF didn't want to allow user-mode code to force the kernel to loop.

If the text is at a fixed offset in the frame, that can be done with a capture filter, although the filters are (currently) somewhat complicated to construct.

edit flag offensive delete link

Comments

It seems to be fixed, yes.

Wireshark is so powerful, but it's really sad you have to capture all those stuff you don't need.

So it took ages to filter just a handful of results.

The Display Filter is used per default, so I see only the results on screen. Is there at least a way that if I just want to change the sequence for example of IPs or time and so on.... That this is only used with the results from Display Filter?

Per default it's used for the whole capture file and just arrangement (sorting) by capture time takes very long... For maybe 100 results . :/

appreciated ( 2020-07-17 02:09:58 +0000 )edit

Once you have a filtered view, you can export these displayed (maybe 100) packets to a new capture file. Working with that subset is much easier.

Jaap ( 2020-07-17 05:49:06 +0000 )edit

It seems to be fixed, yes.

So where does that text appear within the frame? Is it at a fixed offset from the UDP header, for example?

Guy Harris ( 2020-07-17 07:36:12 +0000 )edit

add a comment