This display filter doesn't work: "!(ssdp.nt matches "uuid:.*") && ssdp.type == NOTIFY"
When I enter it into the Display Filter box the box goes red. I'm wondering why, and if I can diagnose it better. I'm by no means a Wireshark pro and I got this little gem from ChatGPT, I admit ;-) FYI this is what ChatGPT wrote:
To filter for NOTIFY packets that lack a UUID in Wireshark, you can use the filter "!(ssdp.nt matches "uuid:.*")" and "ssdp.type == NOTIFY" together.
This filter uses the "!" negation operator to match all NOTIFY packets that do not have a UUID in the NT field of the SSDP packet. The "matches" operator is used in this case because the filter is looking for the occurrence of a specific regular expression pattern.
I'm using Version 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
Here is a decoded sample packet:
Frame 221: 396 bytes on wire (3168 bits), 396 bytes captured (3168 bits) on interface eno1, id 0
Interface id: 0 (eno1)
Encapsulation type: Ethernet (1)
Arrival Time: Jan 16, 2023 17:48:52.404348204 AEDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1673851732.404348204 seconds
[Time delta from previous captured frame: 0.007056959 seconds]
[Time delta from previous displayed frame: 22.014788472 seconds]
[Time since reference or first frame: 320.530069532 seconds]
Frame Number: 221
Frame Length: 396 bytes (3168 bits)
Capture Length: 396 bytes (3168 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:ssdp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Source: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: Nessie (192.168.0.13), Dst: 239.255.255.250 (239.255.255.250)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 382
Identification: 0x0000 (0)
Flags: 0x40, Don't fragment
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 1
Protocol: UDP (17)
Header Checksum: 0xc7bf [validation disabled]
[Header checksum status: Unverified]
Source Address: Nessie (192.168.0.13)
Destination Address: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: 46794, Dst Port: 1900
Source Port: 46794
Destination Port: 1900
Length: 362
Checksum: 0xa037 [unverified]
[Checksum Status: Unverified]
[Stream index: 7]
[Timestamps]
UDP payload (354 bytes)
Simple Service Discovery Protocol
NOTIFY * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): NOTIFY * HTTP/1.1\r\n]
Request Method: NOTIFY
Request URI: *
Request Version: HTTP/1.1
HOST:239.255.255.250:1900\r\n
CACHE-CONTROL:max-age=1810\r\n
LOCATION:http://192.168.0.13:8200/rootDesc.xml\r\n
SERVER: 3.4.6-generic Microsoft-Windows/6.1 Windows-Media-Player-DMS/12.0.7601.17514 DLNADOC/1.50 UPnP/1.0 QNAPDLNA/1.0\r\n
NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r ...
Can you provide a sample capture with an example of these packets?
Can do, but isn't the packet content peripheral to the question I have, of valid display filter syntax? For example the display filter "ssdp" is in green background in the display filter field, and shows me all the SSDP packets, I imagine. Yet the display filter "ssdp.type == NOTIFY" sits in a field of red background suddenly and shows me still, all the packets.
udp contains "NOTIFY" works though, green and filters so that only packets with NOTIFY are shown.
Done, added a sample packet.
The ssdp protocol doesn't have any fields. Protocol fields are listed under View->Internals->Supported Protocols or the Display Filter Reference.
The example packet does not show a missing uuid.
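Since the ssdp dissector exposes no fields, the check the question is after (NOTIFY messages whose NT header carries no uuid) has to be made on the payload text. The following is an added example, not part of the original posts: it parses the UDP payload as HTTP-style headers so that header-name case and whitespace after the colon do not cause misses. The function names and the sample payloads are constructed for illustration; the first sample mirrors the packet in the question.

```python
import re

# Constructed sample UDP payloads (port 1900); the first mirrors the question's packet.
SAMPLES = [
    b"NOTIFY * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
    b"NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\nNTS:ssdp:alive\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
    b"nt: upnp:rootdevice\r\nNTS:ssdp:alive\r\n\r\n",
    b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
    b"ST:ssdp:all\r\nMAN:\"ssdp:discover\"\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n\r\n",
]

def parse_ssdp(payload: bytes):
    """Return (method, headers) with lower-cased header names, or None if not SSDP-like."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z-]+) \S+ HTTP/\d\.\d$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only: values such as "uuid:..." contain colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def notify_without_uuid_nt(payload: bytes) -> bool:
    """True for a NOTIFY whose NT header is absent or does not start with 'uuid:'."""
    parsed = parse_ssdp(payload)
    if parsed is None or parsed[0] != "NOTIFY":
        return False
    nt = parsed[1].get("nt", "")
    return not nt.lower().startswith("uuid:")

def select(payloads):
    """Indexes of the payloads that are NOTIFY messages lacking a uuid NT."""
    return [i for i, p in enumerate(payloads) if notify_without_uuid_nt(p)]

if __name__ == "__main__":
    print(select(SAMPLES))
```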