Ask Your Question
0

capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA

asked 2022-02-02 19:47:45 +0000

updated 2022-02-03 08:45:07 +0000

grahamb gravatar image

We have setup a wireshark monitoring server in our lab. We have used capture filter to filter traffic from specific ports. However there is a lot of SCTP heartbeat exchange and Device watch dog requests/responses between the nodes and this is causing overload on the server and the wireshark application is slowing down.

Is it possible to use capture filter on SCTP level to filter out SCTP heartbeat chunks and DWR/DWA? Is this supported yet by the wireshark application? I tried below command for which an answer on this website was provided on 07th Aug 2014. But i got a syntax error.Can you please provide me with correct syntax ?

sudo tcpdump -i eth1 sctp ip[x:1]=04 and ip[x:1]=05

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-02-02 23:26:26 +0000

Chuckc gravatar image

updated 2022-02-03 08:51:00 +0000

grahamb gravatar image

SCTP is one of the protocols that a capture filter (pcap-filter) understands.

To access data inside the packet, use the following syntax:
proto [ expr : size ]


The RFC (rfc2960) shows there are 12 bytes before the chunk type which is the 13th byte or byte number 12:

                         SCTP Packet format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Common Header                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #1                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           ...                                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #n                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         SCTP Common Header Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Source Port Number        |     Destination Port Number   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Verification Tag                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Checksum                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Chunk Fields

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Chunk Type  | Chunk  Flags  |        Chunk Length           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      \                                                               \
      /                          Chunk Value                          /
      \                                                               \
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

where

   ID Value    Chunk Type
   -----       ----------
   0          - Payload Data (DATA)
   1          - Initiation (INIT)
   2          - Initiation Acknowledgement (INIT ACK)
   3          - Selective Acknowledgement (SACK)
   4          - Heartbeat Request (HEARTBEAT)
   5          - Heartbeat Acknowledgement (HEARTBEAT ACK)
   6          - Abort (ABORT)
   7          - Shutdown (SHUTDOWN)
   8          - Shutdown Acknowledgement (SHUTDOWN ACK)
   9          - Operation Error (ERROR)
   10         - State Cookie (COOKIE ECHO)
   11         - Cookie Acknowledgement (COOKIE ACK)
   12         - Reserved for Explicit Congestion Notification Echo (ECNE)
   13         - Reserved for Congestion Window Reduced (CWR)
   14         - Shutdown Complete (SHUTDOWN COMPLETE)
   15 to 62   - reserved by IETF
   63         - IETF-defined Chunk Extensions
   64 to 126  - reserved by IETF
   127        - IETF-defined Chunk Extensions
   128 to 190 - reserved by IETF
   191        - IETF-defined Chunk Extensions
   192 to 254 - reserved by IETF
   255        - IETF-defined Chunk Extensions

Heartbeat is Type = 4 and HEARTBEAT ACK is Type = 5

A capture filter to drop SCTP type 4 and 5:

sctp[12:1] != 4 and sctp[12:1] != 5

pcap-filter does not break out the diameter protocol so gets more complicated to exclude DWR/DWA.

(The previous Ask question that was mentioned: Capture filter to filter SCTP heartbeak chunks)

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-02-02 19:47:14 +0000

Seen: 133 times

Last updated: Feb 03