compound filter
I need to create a filter to see a particular event that occurs but I am finding it difficult since there are two packets that are always generated...
a frame.len==97 and TLSv1.2 is generated every second twice but it is also generated immediately after a frame.len==118 and TLSv1.2 is generated. I am interested in capturing the combination of frame.len==118 and the frame.len==97 that immediately follows, and ignoring the rest of the frame.len==97 packets that either fall before a frame.len==118 packet or otherwise.
Whenever a 118 packet is generated, a 97 follows it immediately within 0.02s.
Can anyone help with this particular filter?
Do these two frames appear in the same TCP connection? If so, does a filter like
frame.len == 97 && tcp.time_delta < 0.02
help out? If not, a MATE or Lua script might help out, as with MATE and Lua you are able to keep state and therefore create a filter for packet sequences.
Thanks, I'll try this and get back and let you know if the frames are in the same TCP connection!
Are you trying to find a delta time greater or less than 0.02? The filter will display packets that match the tcp delta time, but you will have to manually verify if the previous frame was 97 or 112 bytes. Maybe a more specific filter to try to narrow down the output to a couple of frames, then manually checking the previous frame will be easy.
If you have the time, this would be a great exercise to learn Lua plugins for Wireshark.
There are some examples here: Statistic Taps or Post-Dissectors
Or pick your favorite hammer (shell script, spreadsheet, COBOL?), extract the data to a flat file with tshark, process it for the frame numbers you care about and at the end output a filter like:

This decouples the packet search from the analysis and allows you to use the best tool for each.
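Taking the flat-file approach from the answer above, together with the "keep state" idea from the earlier MATE/Lua suggestion, here is an added Python example that is not part of the original thread and not Wireshark's own code. It reads tab-separated tshark `-T fields` output (frame number, relative time, frame length, TCP stream), tracks the last unanswered 118-byte frame per TCP stream, pairs it with the first 97-byte frame that follows within 0.02 s, and emits a `frame.number in {...}` display filter that selects only those pairs. The tshark invocation in the docstring, the choice of fields, and the sample output embedded below are assumptions and constructed data, not a real capture.

```python
#!/usr/bin/env python3
"""Pair each frame.len==118 packet with the frame.len==97 packet that follows
it within 0.02 s, and print a Wireshark display filter selecting those pairs.

Input is what this (assumed) tshark invocation produces, tab-separated:
    tshark -r capture.pcapng -T fields \
        -e frame.number -e frame.time_relative -e frame.len -e tcp.stream
"""

# Constructed sample of tshark field output: number, relative time (s), length, tcp stream.
# Frames 1-3 and 6 are the periodic 97s that must be ignored; 8 arrives too late
# after trigger 7; 10 is a 97 in a different TCP stream than trigger 9.
SAMPLE_TSHARK_OUTPUT = """\
1\t0.000000\t97\t0
2\t0.500000\t97\t0
3\t1.000000\t97\t0
4\t1.004000\t118\t0
5\t1.015000\t97\t0
6\t1.500000\t97\t0
7\t2.000000\t118\t0
8\t2.100000\t97\t0
9\t2.500000\t118\t0
10\t2.505000\t97\t1
11\t2.509000\t97\t0
"""

TRIGGER_LEN = 118   # the packet that starts the sequence
FOLLOW_LEN = 97     # the packet that must follow it
MAX_GAP_S = 0.02    # maximum delay between the two, from the question


def parse_tshark_fields(text):
    """Parse tab-separated tshark -T fields output into dicts; blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, t, length, stream = line.split("\t")
        frames.append({"number": int(number), "time": float(t),
                       "len": int(length), "stream": stream})
    return frames


def find_sequences(frames, same_stream=True):
    """Return (trigger, follower) frame-number pairs in capture order.

    State kept per TCP stream: the last unanswered trigger frame. A trigger is
    answered by the first FOLLOW_LEN frame in that stream; the pair counts only
    if it arrives within MAX_GAP_S. FOLLOW_LEN frames seen with no pending
    trigger (the periodic ones) are ignored. With same_stream=False all frames
    share one state slot, for captures where tcp.stream is not meaningful.
    """
    pending = {}   # stream key -> trigger frame dict
    pairs = []
    for f in frames:
        key = f["stream"] if same_stream else None
        if f["len"] == TRIGGER_LEN:
            pending[key] = f    # a new trigger replaces any stale one
        elif f["len"] == FOLLOW_LEN and key in pending:
            trig = pending.pop(key)   # consumed whether or not it is in time
            if f["time"] - trig["time"] <= MAX_GAP_S:
                pairs.append((trig["number"], f["number"]))
    return pairs


def build_display_filter(pairs):
    """Build a display filter selecting every frame in the matched pairs."""
    numbers = sorted({n for pair in pairs for n in pair})
    if not numbers:
        return "frame.number == 0"   # matches nothing
    return "frame.number in {" + " ".join(str(n) for n in numbers) + "}"


if __name__ == "__main__":
    frames = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    pairs = find_sequences(frames)
    print("matched pairs:", pairs)
    print(build_display_filter(pairs))
```

Run it against real data by piping the tshark output into `parse_tshark_fields` instead of the constructed sample; the printed filter can then be pasted into Wireshark's filter bar. The per-stream state is what a plain display filter cannot express, which is why the `tcp.time_delta` filter suggested earlier still needs a manual check of the preceding frame.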