
This display filter doesn't work: "!(ssdp.nt matches "uuid:.*") && ssdp.type == NOTIFY"

asked 2023-01-14 04:50:02 +0000

ThumbOne

updated 2023-01-16 07:04:26 +0000

When I enter it into the Display Filter box the box goes red. I'm wondering why, and if I can diagnose it better. I'm by no means a Wireshark pro and I got this little gem from ChatGPT, I admit ;-) FYI this is what ChatGPT wrote:

To filter for NOTIFY packets that lack a UUID in Wireshark, you can use the filter "!(ssdp.nt matches "uuid:.*")" and "ssdp.type == NOTIFY" together.

This filter uses the "!" negation operator to match all NOTIFY packets that do not have a UUID in the NT field of the SSDP packet. The "matches" operator is used in this case because the filter is looking for the occurrence of a specific regular expression pattern.

I'm using Version 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Here is decoded sample packet:

Frame 221: 396 bytes on wire (3168 bits), 396 bytes captured (3168 bits) on interface eno1, id 0
    Interface id: 0 (eno1)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jan 16, 2023 17:48:52.404348204 AEDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1673851732.404348204 seconds
    [Time delta from previous captured frame: 0.007056959 seconds]
    [Time delta from previous displayed frame: 22.014788472 seconds]
    [Time since reference or first frame: 320.530069532 seconds]
    Frame Number: 221
    Frame Length: 396 bytes (3168 bits)
    Capture Length: 396 bytes (3168 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:ssdp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
    Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
    Source: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: Nessie (192.168.0.13), Dst: 239.255.255.250 (239.255.255.250)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 382
    Identification: 0x0000 (0)
    Flags: 0x40, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 1
    Protocol: UDP (17)
    Header Checksum: 0xc7bf [validation disabled]
    [Header checksum status: Unverified]
    Source Address: Nessie (192.168.0.13)
    Destination Address: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: 46794, Dst Port: 1900
    Source Port: 46794
    Destination Port: 1900
    Length: 362
    Checksum: 0xa037 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 7]
    [Timestamps]
    UDP payload (354 bytes)
Simple Service Discovery Protocol
    NOTIFY * HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): NOTIFY * HTTP/1.1\r\n]
        Request Method: NOTIFY
        Request URI: *
        Request Version: HTTP/1.1
    HOST:239.255.255.250:1900\r\n
    CACHE-CONTROL:max-age=1810\r\n
    LOCATION:http://192.168.0.13:8200/rootDesc.xml\r\n
    SERVER: 3.4.6-generic Microsoft-Windows/6.1 Windows-Media-Player-DMS/12.0.7601.17514 DLNADOC/1.50 UPnP/1.0 QNAPDLNA/1.0\r\n
    NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r ...

Comments

Can you provide a sample capture with an example of these packets?

Chuckc ( 2023-01-16 00:28:03 +0000 )

Can do, but isn't the packet content peripheral to the question I have, which is about valid display filter syntax? For example, the display filter "ssdp" has a green background in the display filter field and shows me all the SSDP packets, I imagine. Yet the display filter "ssdp.type == NOTIFY" suddenly sits in a field with a red background and still shows me all the packets.

ThumbOne ( 2023-01-16 06:52:05 +0000 )

udp contains "NOTIFY" works though, green and filters so that only packets with NOTIFY are shown.

ThumbOne ( 2023-01-16 06:56:15 +0000 )

Done, added a sample packet.

ThumbOne ( 2023-01-16 07:04:39 +0000 )

The ssdp protocol doesn't have any fields.
Protocol fields are listed under View->Internals->Supported Protocols or the Display Filter Reference.

The example packet does not show a missing uuid.

Chuckc ( 2023-01-16 15:15:35 +0000 )

1 Answer


answered 2023-01-17 15:14:13 +0000

cmaynard

You could try the following display filter:

ssdp and (udp contains "NOTIFY") and !(udp contains "uuid")

Comments

Will do. Thanks.

ThumbOne ( 2023-01-18 09:01:47 +0000 )
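The reason the original filter turns red is the one Chuckc gave: in this Wireshark build the ssdp dissector registers a protocol but no fields, so `ssdp.nt` and `ssdp.type` are unknown names and the expression cannot be compiled. You can confirm that for your own build with `tshark -G fields | grep -i ssdp` (fields are the lines starting with `F`; a protocol with no field lines has nothing to compare). The accepted answer works around this with `udp contains`, which is a case-sensitive byte search over the whole UDP payload rather than a test on one header. The script below is an added example, not code from the original post or from Wireshark: it emulates both the filter the question wanted (NT does not match `uuid:.*`, method is NOTIFY) and the byte-level approximation, and runs them over constructed SSDP payloads. The first payload is built from the headers visible in frame 221 in the question; its USN line is constructed, because the decoded frame was cut off after NT. The second payload (NT: upnp:rootdevice) is hypothetical and is there to show where the two filters diverge: a UPnP device announcing a non-uuid NT still carries its uuid in USN, so `!(udp contains "uuid")` drops it too.

```python
"""Emulate an SSDP display filter two ways: per-header (what the question
asked for) and byte-level (what the accepted answer approximates).

Added example, not code from the original post or from Wireshark. The
payloads are constructed; see the comments on each one.
"""
import re

# Constructed from the question's frame 221 (NT carries the device uuid).
# The USN line is not visible in the truncated frame and is added here.
NOTIFY_NT_UUID = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST:239.255.255.250:1900\r\n"
    b"CACHE-CONTROL:max-age=1810\r\n"
    b"LOCATION:http://192.168.0.13:8200/rootDesc.xml\r\n"
    b"SERVER: 3.4.6-generic Microsoft-Windows/6.1 Windows-Media-Player-DMS/"
    b"12.0.7601.17514 DLNADOC/1.50 UPnP/1.0 QNAPDLNA/1.0\r\n"
    b"NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\n"
    b"USN:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\n"
    b"NTS:ssdp:alive\r\n"
    b"\r\n"
)

# Hypothetical root-device announcement from the same device. NT has no
# uuid, but the USN a UPnP device sends with it does, so a whole-payload
# byte search and a per-header test give different answers here.
NOTIFY_NT_ROOTDEVICE = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST:239.255.255.250:1900\r\n"
    b"CACHE-CONTROL:max-age=1810\r\n"
    b"LOCATION:http://192.168.0.13:8200/rootDesc.xml\r\n"
    b"NT:upnp:rootdevice\r\n"
    b"USN:uuid:4d696e69-444c-164e-9d41-00089bd9b95a::upnp:rootdevice\r\n"
    b"NTS:ssdp:alive\r\n"
    b"\r\n"
)

# Hypothetical search request; neither filter should select it.
MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST:239.255.255.250:1900\r\n"
    b"MAN:\"ssdp:discover\"\r\n"
    b"MX:2\r\n"
    b"ST:ssdp:all\r\n"
    b"\r\n"
)


def parse_ssdp(payload: bytes):
    """Return (method, headers) for an SSDP request, the way a header-aware
    dissector would see it. Header names are case-insensitive in HTTP-style
    protocols, so they are upper-cased for lookup."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().decode("ascii", "replace").upper()
            headers[key] = value.strip().decode("ascii", "replace")
    return method, headers


def intended_filter(payload: bytes) -> bool:
    """What the question wanted: !(NT matches "uuid:.*") && type == NOTIFY.
    Wireshark's 'matches' is an unanchored, case-insensitive regex search
    over the field value, emulated here with re.search on the NT header."""
    method, headers = parse_ssdp(payload)
    nt = headers.get("NT", "")
    return method == "NOTIFY" and not re.search(r"uuid:.*", nt, re.IGNORECASE)


def byte_filter(payload: bytes) -> bool:
    """The answer's approximation over the raw UDP payload:
    (udp contains "NOTIFY") and !(udp contains "uuid").
    'contains' is a case-sensitive byte search over the whole payload, so
    it also sees the uuid in USN and would miss an upper-case "UUID:"."""
    return b"NOTIFY" in payload and b"uuid" not in payload


def compare(payloads):
    """Evaluate both filters on each payload.
    Returns {label: (intended_result, byte_level_result)}."""
    return {label: (intended_filter(p), byte_filter(p))
            for label, p in payloads.items()}


if __name__ == "__main__":
    results = compare({
        "NOTIFY, NT=uuid": NOTIFY_NT_UUID,
        "NOTIFY, NT=upnp:rootdevice": NOTIFY_NT_ROOTDEVICE,
        "M-SEARCH": MSEARCH,
    })
    for label, (want, got) in results.items():
        note = "" if want == got else "  <- filters disagree"
        print(f"{label:28s} intended={want!s:5s} byte-level={got!s:5s}{note}")
```

Run it with `python3 ssdp_filter_compare.py`; the second row is the one where the byte-level filter hides a packet the question wanted to see. The `ssdp and` prefix in the answer's filter only restricts the search to frames the ssdp dissector claimed (UDP port 1900 here) and is not emulated, since the script works on payloads alone. The decoded frame in the question shows the request line already parsed into Request Method, Request URI and Request Version, which is the HTTP dissector's work, so `http.request.method == "NOTIFY"` is worth trying as a tighter method test than `udp contains "NOTIFY"`; whether the individual NT and USN headers are exposed as filterable fields in your build is exactly what `tshark -G fields` will tell you.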


Stats

Asked: 2023-01-14 04:17:08 +0000

Seen: 129 times

Last updated: Jan 17