capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA

asked 2022-02-02 19:47:45 +0000

janardhan
1 ●1 ●1 ●1

updated 2022-02-03 08:45:07 +0000

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

We have setup a wireshark monitoring server in our lab. We have used capture filter to filter traffic from specific ports. However there is a lot of SCTP heartbeat exchange and Device watch dog requests/responses between the nodes and this is causing overload on the server and the wireshark application is slowing down.

Is it possible to use capture filter on SCTP level to filter out SCTP heartbeat chunks and DWR/DWA? Is this supported yet by the wireshark application? I tried below command for which an answer on this website was provided on 07th Aug 2014. But i got a syntax error.Can you please provide me with correct syntax ?

sudo tcpdump -i eth1 sctp ip[x:1]=04 and ip[x:1]=05

edit retag flag offensive close merge delete

add a comment

answered 2022-02-02 23:26:26 +0000

Chuckc
3023 ●6 ●608 ●20

updated 2022-02-03 08:51:00 +0000

grahamb

23835 ●4 ●973 ●227 https://www.wireshark.org

SCTP is one of the protocols that a capture filter (pcap-filter) understands.

To access data inside the packet, use the following syntax:
proto [ expr : size ]

The RFC (rfc2960) shows there are 12 bytes before the chunk type which is the 13th byte or byte number 12:

                         SCTP Packet format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Common Header                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #1                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           ...                                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #n                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         SCTP Common Header Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Source Port Number        |     Destination Port Number   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Verification Tag                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Checksum                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Chunk Fields

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Chunk Type  | Chunk  Flags  |        Chunk Length           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      \                                                               \
      /                          Chunk Value                          /
      \                                                               \
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

where

   ID Value    Chunk Type
   -----       ----------
   0          - Payload Data (DATA)
   1          - Initiation (INIT)
   2          - Initiation Acknowledgement (INIT ACK)
   3          - Selective Acknowledgement (SACK)
   4          - Heartbeat Request (HEARTBEAT)
   5          - Heartbeat Acknowledgement (HEARTBEAT ACK)
   6          - Abort (ABORT)
   7          - Shutdown (SHUTDOWN)
   8          - Shutdown Acknowledgement (SHUTDOWN ACK)
   9          - Operation Error (ERROR)
   10         - State Cookie (COOKIE ECHO)
   11         - Cookie Acknowledgement (COOKIE ACK)
   12         - Reserved for Explicit Congestion Notification Echo (ECNE)
   13         - Reserved for Congestion Window Reduced (CWR)
   14         - Shutdown Complete (SHUTDOWN COMPLETE)
   15 to 62   - reserved by IETF
   63         - IETF-defined Chunk Extensions
   64 to 126  - reserved by IETF
   127        - IETF-defined Chunk Extensions
   128 to 190 - reserved by IETF
   191        - IETF-defined Chunk Extensions
   192 to 254 - reserved by IETF
   255        - IETF-defined Chunk Extensions

Heartbeat is Type = 4 and HEARTBEAT ACK is Type = 5

A capture filter to drop SCTP type 4 and 5:

sctp[12:1] != 4 and sctp[12:1] != 5

pcap-filter does not break out the diameter protocol so gets more complicated to exclude DWR/DWA.

(The previous Ask question that was mentioned: Capture filter to filter SCTP heartbeak chunks)

edit flag offensive delete link

add a comment

capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA

1 Answer

Your Answer

Question Tools

Stats

capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA edit

1 Answer

Your Answer

Question Tools

Stats

capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA