
Capture filter help needed

asked 2021-10-14 14:10:22 +0000 by kamkce1

updated 2021-10-14 14:20:00 +0000 by grahamb

I am trying to figure out how to reduce the number of packets I capture on incoming dicom requests. I came across this HTTP GET capture filter and am trying to modify it to capture certain dicom packets only. I was hoping someone might be able to help me get the syntax right.

This filter looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

I need to figure out how to do this exact same thing for the "Called AE Title" line but to capture the letters "Fuji". Since it is not immediately after the TCP header and there are several other bytes in between, I cannot figure out the offsets. The letter F starts exactly 11 bytes after the last byte in the TCP header.

Bytes 'F', 'u', 'j', 'i' are (hex values 46, 75, 6a, and 69).


1 Answer


answered 2021-10-14 14:41:23 +0000 by Chuckc

Have you looked at the String-Matching Capture Filter Generator on the Wireshark Online Tools page?

Filter for Fuji, offset 11:
tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69


Comments

When creating new capture filters, it can be useful/instructive to generate the resulting BPF too in order to verify that the capture filter is going to do exactly what you want it to do, or to simply learn what goes on "under the hood". For example, in this case, we end up with the following instructions:

dumpcap -d -f "tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69"

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 16
(004) ldh      [20]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 26]
(008) and      #0xf0
(009) rsh      #2
(010) add      #11
(011) add      x
(012) tax
(013) ld       [x + 14]
(014) jeq      #0x46756a69      jt 15   jf 16
(015) ret      #262144
(016) ret      #0
cmaynard (2021-10-14 15:10:16 +0000)

@cmaynard, isn't that a bit of a programmer's view? If someone is struggling to understand the concepts of slicing in the display filter language, will they be able to understand (uncommented) BPF?

grahamb (2021-10-14 15:27:40 +0000)

Thank you Chuck! That was exactly what I needed and really helpful! I've been trying to figure this out for days so you saved me much needed time.

I miscounted and the offset is actually 10 so this is the filter I am using that works great:

tcp[((tcp[12:1] & 0xf0) >> 2) + 10:4] = 0x46756a69

For anybody who supports a PACS system and is stumbling across this in the future, this capture filter is extremely helpful to capture all the Calling AE titles storing to your PACS system to a specific Called AE title. Use a display filter of dicom.pdu.type == 0x01 to filter out everything except the Association requests.

In my example, the called AE title begins with 'Fuji' and the hex code is 46 75 6a 69.

So you need to use a text to Hex converter and change the '46756a69' to the ...(more)

kamkce1 (2021-10-14 15:46:57 +0000)

It's more information that's available for those who may not be aware of it. Personally, I don't find it all that difficult to read, but I am viewing it from a programmer's perspective and I've looked at enough BPF to generally be fairly comfortable with it. I don't think it's a particularly large leap to go from a capture filter syntax to BPF instructions, and I still encourage users to look at it because you should understand what the tools are doing for you, or at least try to.

For example, the filter as provided only works for TCP/IPv4, but if you also want TCP/IPv6, then you need to modify your capture filter; changing the filter to "port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2) + 11:4] = 0x46756a69)" will do just that. On the other hand, if you ...(more)

cmaynard (2021-10-14 15:47:05 +0000)

Actually, I take that back. Using port 80 and ... still won't work for TCP/IPv6; it's just that IPv6 packets are explicitly rejected in this case. So if TCP/IPv6 is desired, then further tweaks to the capture filter are needed.

cmaynard (2021-10-14 15:54:35 +0000)

The other thing I would like to understand is how to search for 6, 8, 10, 12 letters instead of only the first 4.

When I use: tcp[((tcp[12:1] & 0xf0) >> 2) + 10:4] = 0x46756a69 it works just fine. But that is only searching the first 4 letters.

But when I need to search for more text, I can't seem to get that right. I think I am misunderstanding what the 2 in the parentheses is doing.

Can someone please help me understand how I can search in the same spot for longer text strings than just the first 4 letters?

For example, 10 letters with a 24 byte hex code of 0x46756a6953746f72314d574c.

Thanks

kamkce1 (2021-10-14 16:23:52 +0000)

It's easier to use the String-Matching Capture Filter Generator (WSCFG) with text input.
Taking your hex string (0x46756a6953746f72314d574c) and running it through CyberChef returns FujiStor1MWL.

That string with an offset of 10 gives this filter in the WSCFG:
tcp[((tcp[12:1] & 0xf0) >> 2) + 10:4] = 0x46756a69 && tcp[((tcp[12:1] & 0xf0) >> 2) + 14:4] = 0x53746f72 && tcp[((tcp[12:1] & 0xf0) >> 2) + 18:4] = 0x314d574c

From the pcap-filter man page:

To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp ...
(more)
Chuckc (2021-10-14 16:47:35 +0000)
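The chained 4-byte compares in Chuckc's comment above, and the data-offset arithmetic that cmaynard's BPF listing traces, as an added Python example (not code from this page, the WSCFG, or any Wireshark project): a generator that builds the filter for any string and offset, plus a reference evaluator that applies the same slices to a constructed TCP segment carrying a minimal A-ASSOCIATE-RQ. The PDU layout used (type 0x01, reserved byte, 4-byte length, protocol version, 2 reserved bytes, then the 16-byte Called AE Title at byte 10) is the one defined in DICOM PS3.8; the segment, port 104 and the AE title are constructed sample values.

```python
import struct

TCP_HDR_LEN = "((tcp[12:1] & 0xf0) >> 2)"  # TCP data offset field, converted to bytes

def _chunks(data: bytes):
    """Yield (position, chunk) pairs of 4, 2 or 1 bytes, largest first: a pcap-filter
    slice compares at most 4 bytes, so longer strings need several compares."""
    pos = 0
    while pos < len(data):
        size = 4 if len(data) - pos >= 4 else 2 if len(data) - pos >= 2 else 1
        yield pos, data[pos:pos + size]
        pos += size

def string_match_filter(text: str, offset: int) -> str:
    """Build the capture filter that matches `text` starting `offset` bytes past
    the TCP header, in the same form the WSCFG produces."""
    return " && ".join(f"tcp[{TCP_HDR_LEN} + {offset + pos}:{len(c)}] = 0x{c.hex()}"
                       for pos, c in _chunks(text.encode("ascii")))

def tcp_slice(segment: bytes, offset: int, size: int):
    """Evaluate tcp[TCP_HDR_LEN + offset:size] on a raw TCP segment (header + payload).
    Returns None when the slice runs past the segment, which BPF treats as no match."""
    hdr_len = (segment[12] & 0xf0) >> 2  # identical arithmetic to the filter
    start = hdr_len + offset
    if start + size > len(segment):
        return None
    return int.from_bytes(segment[start:start + size], "big")

def filter_matches(segment: bytes, text: str, offset: int) -> bool:
    """Reference evaluation of string_match_filter(text, offset) against `segment`."""
    return all(tcp_slice(segment, offset + pos, len(c)) == int.from_bytes(c, "big")
               for pos, c in _chunks(text.encode("ascii")))

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (checksum left zero) to port 104; the data offset field
    is derived from the header length so options move the payload as on the wire."""
    hdr_len = 20 + len(options)
    assert hdr_len % 4 == 0, "options must pad the TCP header to a 32-bit multiple"
    header = struct.pack("!HHIIBBHHH", 40000, 104, 1, 1, (hdr_len // 4) << 4, 0x18, 8192, 0, 0)
    return header + options + payload

def sample_associate_rq(called_ae: str) -> bytes:
    """Constructed minimal A-ASSOCIATE-RQ: PDU type 0x01, reserved byte, 4-byte length,
    protocol version 1, 2 reserved bytes, then the 16-byte Called AE Title (offset 10)."""
    body = struct.pack("!HH", 1, 0) + called_ae.ljust(16).encode("ascii")
    return struct.pack("!BBI", 0x01, 0, len(body)) + body
```

Running filter_matches against a segment built with TCP options shows why the data-offset term matters: the payload moves, but the slice still lands on the AE title.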

I don't think it's a particularly large leap to go from a capture filter syntax to BPF instructions,

$ wc -l gencode.c optimize.c scanner.l grammar.y
   10062 gencode.c
    3100 optimize.c
     599 scanner.l
     850 grammar.y
   14611 total
Guy Harris (2021-10-14 23:09:27 +0000)
