compound filter

Filtering

asked 2021-04-12 09:55:59 +0000

I need to create a filter to see a particular event that occurs but I am finding it difficult since there are two packets that are always generated...

a frame.len==97 and TLSv1.2 is generated every second twice but it is also generated immediately after a frame.len==118 and TLSv1.2 is generated. I am interested to capture the combination of frame.len==118 and the frame.len==97 that immediately follows and ignore the rest of the frame.len==97 packets that either fall before frame.len==118 packet or otherwise.

Whenever a 118 packet is generated, a 97 follows it immediately within 0.02s.

Can anyone help with this particular filter?

edit retag flag offensive close merge delete

Comments

Do these two frames appear in the same TCP connection? If so, does a filter like frame.len == 97 && tcp.time_delta < 0.02 help out?

If not, a MATE or Lua script might help out, as with MATE and Lua, you are able to keep state and therefor create a filter for packet sequences.

SYN-bit ( 2021-04-12 15:11:35 +0000 )edit

Thanks, I'll try this and get back and let you know if the frames are in the same TCP connection!

noobie1090904 ( 2021-04-13 07:32:48 +0000 )edit

Are you trying to find delta time greater or less than .02. The filter will display packet that matches tcp delta time, but you will to manually verify if the previous frame was 97 or 112 bytes. Maybe a more specific filter to try to narrow down the output to a couple frames then manually checking the previous frame will be easy.

BigFatCat ( 2021-04-15 02:26:49 +0000 )edit

If you have the time, this would be a great exercise to learn Lua plugins for Wireshark.
There are some examples here: Statistic Taps or Post-Dissectors

Or pick your favorite hammer (shell script, spreadsheet, COBOL?), extract the data to a flat file with tshark, process it for frame numbers you care about and at the end output a filter like:

frame.number in {41 42 56 57}

This decouples the packet search from the analysis and allows to use the best tool for each.

Chuckc ( 2021-04-15 03:09:33 +0000 )edit

add a comment

answered 2021-04-12 10:30:02 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

Display filters only operate on the information in a single frame, to decide whether that frame should be displayed or not, as such they can't create "associations" between frames.

Some protocols include references to other frames in their data, e.g. "this is a response to request in frame xxx" that can be used in display filters, but I don't think that's relevant for your case.

Maybe you could try a filter that selects frames by the bigger length length or the short length and the time delta to the previously displayed packet, e.g.

(frame.len == 118) || ((frame.len == 97) && (frame.time_delta_displayed < 0.02))

Depending on the timings, this might still display frames with length 97 that aren't related to the 118 frame but do occur less than 0.02s after another length 97 frame.

Comments

Thanks grahamb, I'll try this and let you know how it works out!

noobie1090904 ( 2021-04-13 07:33:27 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

compound filter

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

compound filter edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

compound filter