
Can display filters have wildcards for field name?

asked 2021-12-29 00:36:55 +0000 by rickhg12hs

updated 2021-12-29 13:39:20 +0000

I'd like to filter all the packets with a wildcard for the field name, for example, something like *addr* would filter all packets such that any packet that had addr in a field name would be displayed. Field names that might be included: ip.addr, ipv6.addr, eth.addr, etc. addr is just an example, I'd like to use other field name wildcard filters too. Other example desired field name filters might be *time*, *crypt*, *antenna*, *spatial*, or *connection*.

N.B.: This question is about how to get Wireshark to filter on a field name that has wildcards. This question is not about any specific communications protocol.


2 Answers


answered 2021-12-29 15:49:10 +0000 by Chuckc

updated 2021-12-29 15:51:38 +0000

Maybe a pre-processing step with tshark then store them as Display Filter Macros.
You could also open an Enhancement Request on the Wireshark Gitlab Issues page.

p$ TARGET="crypt"
p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep "$TARGET" | sort | uniq | awk '{print}' ORS=' or '
x509af.encrypted or p$

p$ TARGET="connection"
p$ tshark -r ./rsa_decrypt.pcapng -T pdml | grep "field name" | cut -f 2 -d '"' | grep "$TARGET" | sort | uniq | awk '{print}' ORS=' or '
tcp.connection.syn or tcp.connection.synack or p$


Comments

I would upvote if I had enough points. Yes this is possible but I was hoping to reduce the number of steps. In the general case, many display filters match, e.g. "connection". Going to View->Internals->Supported Protocols and search for "connection" shows an approximation of how many possible filters there might be. The search feature there seems to also search the description, etc., so not all matches are just for the field name. I like your basic idea, I just wish Wireshark would do this work... dissect packet, if any field name matches wildcard display filter then display packet, otherwise do not display the packet. I will consider the Enhancement Request - thank you for suggesting it.

rickhg12hs (2021-12-29 17:17:05 +0000)
~$ tshark -G fields | cut -f 3 | grep crypt | wc
    605     605   18508
~$ tshark -G fields | cut -f 3 | grep connection | wc
    372     372   13795

If you have a set of standard words, you could do the work up front and include all possible fields but I'm not sure what the performance would be.

Chuckc (2021-12-29 17:39:13 +0000)
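Chuckc's pre-processing idea and the `tshark -G fields` enumeration in the comment above, put together as an added shell example (this is not code from the thread). It assumes only that `tshark -G fields` prints one tab-separated line per field with the field abbreviation in column 3, which is what the `cut -f 3` in the comment relies on; the sample lines embedded in the script are a constructed stand-in for that output so it runs without tshark installed, and the `demo.count` field in it is made up for the example.

```shell
#!/bin/sh
# Added example, not code from this thread. Builds a Wireshark display
# filter that ORs together every field whose *name* contains a keyword,
# using the tab-separated output of `tshark -G fields` (column 3 is the
# field abbreviation, e.g. tcp.connection.syn). The sample below is a
# constructed stand-in for that output so the script runs without tshark.

# Constructed sample: type, description, abbreviation, ftype, parent.
# Real `tshark -G fields` output has more tab-separated columns; only
# column 3 is used here, so the extra columns do not matter.
SAMPLE_FIELDS=$(
  printf 'F\tEncrypted\tx509af.encrypted\tFT_BYTES\tx509af\n'
  printf 'F\tSYN\ttcp.connection.syn\tFT_BOOLEAN\ttcp\n'
  printf 'F\tSYN-ACK\ttcp.connection.synack\tFT_BOOLEAN\ttcp\n'
  printf 'F\tSYN\ttcp.connection.syn\tFT_BOOLEAN\ttcp\n'          # duplicate on purpose
  printf 'F\tActive connection count\tdemo.count\tFT_UINT32\tdemo\n' # keyword only in description (made-up field)
  printf 'F\tArrival Time\tframe.time\tFT_ABSOLUTE_TIME\tframe\n'
  printf 'P\tTransmission Control Protocol\ttcp\tFT_PROTOCOL\ttcp\n'
)

# build_filter KEYWORD
#   stdin : `tshark -G fields` lines
#   stdout: "name1 or name2 or ..." with duplicates removed and no trailing
#           " or " (a bare awk ORS=' or ' leaves one, as in the answer's output)
# Only the abbreviation column is matched, so a keyword that appears only in
# a field's description (which the GUI's Supported Protocols search also
# matches) does not pull that field in.
build_filter() {
  cut -f 3 | grep -F -- "$1" | sort -u | awk '
    NR > 1 { printf " or " }
    { printf "%s", $0 }
    END { if (NR > 0) printf "\n" }'
}

# filter_for KEYWORD: build_filter run over the constructed sample
filter_for() {
  printf '%s\n' "$SAMPLE_FIELDS" | build_filter "$1"
}

# count_fields KEYWORD: number of distinct field names the filter would OR
# together, i.e. the size of the macro the comment's `| wc` was estimating
count_fields() {
  printf '%s\n' "$SAMPLE_FIELDS" | cut -f 3 | grep -F -- "$1" | sort -u | wc -l | tr -d ' '
}

# Stand-alone demo. Against a real installation (assumed to be on PATH) the
# equivalent is:  tshark -G fields | build_filter connection
for kw in crypt connection time; do
  printf '%s -> %s\n' "$kw" "$(filter_for "$kw")"
done
```

The output of `build_filter` can be pasted straight into a Display Filter Macro. Keep in mind the point made in the comment: a keyword like `connection` expands to a few hundred real field names, and every packet is then tested against all of them, so generate the macro once per keyword rather than on every filter change.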

answered 2021-12-29 08:17:44 +0000 by BigFatCat

Wireshark doesn't have an address wildcard display filter. If there was an addr display filter, it would be true for every frame because routing requires an address. The user can use the .addr extension to filter for specific protocol address information. As to your example with the field names that might be included: ip.addr, ipv6.addr, eth.addr, etc. Almost everything would be covered with the "ip or ipv6 or eth" filter. The statement "almost everything" is because I haven't worked on a packet capture where this wasn't true.

If you haven't already, check out the Wireshark-filter and Wireshark display filter reference webpages. The Wireshark-filter shows how to create Wireshark filters and the Wireshark display reference shows information about all the different Wireshark fields and protocols.


Comments

I forgot to mention that my filter might not work on legacy protocols. It is dependent on the protocol stack. Wireshark might have problems analyzing the file, so it will need to be analyzed manually.

BigFatCat (2021-12-29 11:05:06 +0000)

I guess I did not emphasize enough that this isn't about addr but about any filter for field names. If you need another example, how about *crypt*, or *time*. I hope you get the idea now.

rickhg12hs (2021-12-29 13:18:33 +0000)

As a counter-example to your ideas about addr everywhere, a Cisco NetFlow/IPFIX capture need not have addr for every packet.

rickhg12hs (2021-12-29 13:23:44 +0000)


Stats

Asked: 2021-12-29 00:36:55 +0000

Seen: 3,717 times

Last updated: Dec 29 '21