Ask Your Question
0

Capture filter help needed

asked 2021-10-14 14:10:22 +0000

kamkce1 gravatar image

updated 2021-10-14 14:20:00 +0000

grahamb gravatar image

I am trying to figure out how to reduce the amount of packets I capture on incoming dicom requests. I came across this HTTP Get capture filter and am trying to modify it to capture certain dicom packets only. I was hoping someone might be able to help me get the syntax right.

This filter looks for the bytes 'G', 'E', 'T', and (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

In need to figure out how to do this exact same thing for the “Called AE Title” line but to capture the letters “Fuji”. Since it is not immediately after the TCP header and there are several other bytes in between, I cannot figure out the offsets. The Letter F starts exactly 11 bytes after the last byte in the TCP header.

Bytes 'F', ‘u', 'j', ‘i’, are (hex values 46, 75, 6a, and 69)

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
1

answered 2021-10-14 14:41:23 +0000

Chuckc gravatar image

Have you looked at the String-Matching Capture Filter Generator on the Wireshark Online Tools page?

Filter for Fuji, offset 11:
tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69

edit flag offensive delete link more

Comments

When creating new capture filters, it can be useful/instructive to generate the resulting BPF too in order to verify that the capture filter is going to do exactly what you want it to do, or to simply learn what goes on "under the hood". For example, in this case, we end up with the following instructions:

dumpcap -d -f "tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69"

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 16
(004) ldh      [20]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 26]
(008) and      #0xf0
(009) rsh      #2
(010) add      #11
(011) add      x
(012) tax
(013) ld       [x + 14]
(014) jeq      #0x46756a69      jt 15   jf 16
(015) ret      #262144
(016) ret      #0
cmaynard gravatar imagecmaynard ( 2021-10-14 15:10:16 +0000 )edit

@cmaynard, Isn't that a bit of a programmers view? If someone is struggling to understand the concepts of slicing in the display filter language will they be able to understand (uncommented) BPF?

grahamb gravatar imagegrahamb ( 2021-10-14 15:27:40 +0000 )edit

Thank you Chuck! That was exactly what I needed and really helpful! I've been trying to figure this out for days so you saved me much needed time.

I miscounted and the offset is actually 10 so this is the filter I am using that works great:

tcp[((tcp[12:1] & 0xf0) >> 2) + 10:4] = 0x46756a69

For anybody who supports a PACS system and is stumbling across this in the future, this capture filter is extremely helpful to capture all the Calling AE titles storing to your PACS system to a specific Called AE title. Use a display filter of dicom.pdu.type == 0x01 to filter out everything except the Association requests.

In my example, the called AE title begins with 'Fuji' and the hex code is 46 75 6a 69.

So you need to use a text to Hex converter and change the '46756a69' to the ...(more)

kamkce1 gravatar imagekamkce1 ( 2021-10-14 15:46:57 +0000 )edit

It's more information that's available for those who may not be aware of it. Personally, I don't find it all that difficult to read, but I am viewing it from a programmer's perspective and I've looked at enough BPF to generally be fairly comfortable with it. I don't think it's a particularly large leap to go from a capture filter syntax to BPF instructions, and I still encourage users to look at it because you should understand what the tools are doing for you, or at least try to.

For example, the filter as provided only works for TCP/IPv4, but if you also want TCP/IPv6, then you need to modify your capture filter; changing the filter to "port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69)" will do just that. On the other hand, if you ...(more)

cmaynard gravatar imagecmaynard ( 2021-10-14 15:47:05 +0000 )edit

Actually, I take that back. Using port 80 and ... still won't work for TCP/IPv6; it's just that IPv6 packets are explicitly rejected in this case. So if TCP/IPv6 is desired, then further tweaks to the capture filter are needed.

cmaynard gravatar imagecmaynard ( 2021-10-14 15:54:35 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-10-14 14:10:22 +0000

Seen: 410 times

Last updated: Oct 14 '21

Related questions

I want to capture concurrently and save it as multiple files where each file has its own distinct capture filter?

EAPOL capture filter not showing anything

cannot find "Compare two capture files"

Is it possible to test a capture filter with already captured traffic?

aix iptrace capture filters

How would I map this display filter to a capture filter?

Can't capture TLS certificate

Can I create a capture filter on a pcap file

Wireshark capture with ET2000

Resolve frame subtype and export to csv

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2