Ask Your Question
0

How do I find two consecutive frames from the same IP source address

asked 2021-04-01 09:35:26 +0000

Roche gravatar image

I have a capture file where two source addresses normally alternate so frame.number will increment and the ip.src will alternate between the two addresses. In a fault condition, one source address will not transmit for a few packets. In that case the frame.number increments but ip.src remains the same. How do I create a display filter to show the fault condition?

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by ยป oldest newest most voted
0

answered 2021-04-02 23:46:25 +0000

SYN-bit gravatar image

If:

  • the packets from IP1 belong to the same UDP or TCP stream and
  • the packets from IP2 belong to the same UDP or TCP stream and
  • the packets are sent at regular intervals (like 20ms for RTP for instance)

Then you can filter on the stream delta times:

udp.time_delta > 0.025 or tcp.time_delta > 0.025

Another way would be to filter or search on the frame.number itself being odd or even in combination with the IP addresses, but then you need to know the starting conditions. If IP1 is on the odd frame.numbers and IP2 is on the even frame.numbers, then the following filter will spot packets that do not follow the pattern:

(ip.addr==<IP1>and not frame.number&1) or (ip.addr==<IP2> and frame.number&1)

edit flag offensive delete link more

Comments

Need more coffee. Took a bit for that to click. :-)
Display Filter comparison operators
bitwise_and & Bitwise AND is non-zero tcp.flags & 0x02

Chuckc gravatar imageChuckc ( 2021-04-02 23:58:37 +0000 )edit

The frame number comparison will fail if there is traffic in the capture other than that being tested.

grahamb gravatar imagegrahamb ( 2021-04-03 10:20:54 +0000 )edit

@grahamb True, it will fail if there is other traffic, but I took the original question literally:

I have a capture file where two source addresses normally alternate so frame.number will increment and the ip.src will alternate between the two addresses.

SYN-bit gravatar imageSYN-bit ( 2021-04-04 15:37:31 +0000 )edit
add a comment
0

answered 2021-04-02 11:58:49 +0000

hugo.vanderkooij gravatar image

Follow TCP stream or follow UDP stream would be my first step.

edit flag offensive delete link more
add a comment
1

answered 2021-04-01 09:52:05 +0000

grahamb gravatar image

updated 2021-04-01 10:10:47 +0000

You can't. Display filters operate in each packet in turn deciding whether it should be displayed or not based on the content of that packet, you can't reference any other packet.

You could use tshark to output the data and then use a post-processing script to check for the violations. A suitable invocation of tshark to just output the frame number and source ip address in csv form would be:

tshark -r <capture file> -T fields E "separator=," -e frame.number -e ip.src <optional display filter>

the <optional display filter> is if you need to add one to restrict the output to your protocol. On Windows you will need to provide the full path to tshark (usually C:\Program Files\Wireshark\tshark) as it's not on the path.

edit flag offensive delete link more

Comments

Thanks Graham, I really appreciate the answer and the quick response, Regards, Roche

Roche gravatar imageRoche ( 2021-04-01 10:04:20 +0000 )edit

If it's a one off, tshark with a script or into a spreadsheet is probably quickest.

If something to be done on a regular basis (and ok with Lua), look at ip_src_alternate.lua in the Contrib section of the Wireshark Wiki

Chuckc gravatar imageChuckc ( 2021-04-01 17:18:04 +0000 )edit

Sometimes you can solve this kind of problem if the higher level protocol dissectors have a "request in/answer in" field, and filter on all request packets which have no "answer in" field (e.g. ICMP echo request packets).

Jasper gravatar imageJasper ( 2021-04-02 13:34:03 +0000 )edit

You may be able to visually spot the condition by plotting it using Statistics -> I/O Graphs. Add 2 graph entries:

  • IP Source 1, ip.src eq x.x.x.x, Y Axis = Packets
  • IP Source 2, ip.src eq y.y.y.y, Y Axis = Packets

In the normal case, you should see alternating spikes; in the fault condition, they won't alternate. You may need to adjust the Colors, Styles and Interval setting to better see the 2 distinct plots, depending on your needs.

cmaynard gravatar imagecmaynard ( 2021-04-02 14:07:02 +0000 )edit

Another idea where you might be able to spot the fault condition visually would be to apply a new coloring rule (View -> Coloring Rules) for packets matching IP Source 1 and a different coloring rule for packets matching IP Source 2.

cmaynard gravatar imagecmaynard ( 2021-04-02 14:19:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-04-01 09:35:26 +0000

Seen: 1,126 times

Last updated: Apr 02 '21

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2