
How to write capture filter with offset setting?

asked 2023-04-14 07:06:13 +0000 by pac122

updated 2023-04-14 07:08:47 +0000

In Wireshark 4.0.5, inside the DRDA protocol, I would like to capture only DRDA.SQLSTATEMENT packets.

I have set the capture filter tcp dst port 60127 to only capture traffic to a specific port. But there is still so much network traffic that it easily gets to a few gigabytes in a few minutes. I would like to filter even more.

To reduce the pcapng file I need to add an additional capture filter.

I have searched the web and I see that, for example, to get only port 443 I can write: tcp[2:2] = 443, and this works for the tests I did. This capture filter starts at the TCP segment, offsets 2 bytes (first parameter) and reads 2 bytes (second parameter). I need to write something similar for my example.

To get to my DRDA sample:

I have captured DRDA traffic and set the display filter drda.sqlstatement. I have clicked on TCP in Packet Details and I need to get to the 24:14 bytes (red rectangle).

I wrote the capture filter tcp[260:2] = 9236, started capturing traffic and reproduced the SQL statement. But nothing gets captured.

How do I write the correct capture filter to only display SQLSTT packets?



1 Answer


answered 2023-04-24 07:06:18 +0000 by pac122

I have investigated this problem more in depth. The major problem is that the DRDA protocol is much more complicated and does not actually have a fixed number of bytes from the TCP header. It is therefore not possible to write a capture filter that gets anything meaningful, except with a lot of luck to get a few of the packets captured this way, with most of them not captured at all.

Conclusion: using an offset for capturing the DRDA protocol is not meaningful, because DRDA headers change from packet to packet.

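The following is an added example written for this page; it is not code from the question, the answer, Wireshark or tcpdump. It reproduces the semantics of a BPF index expression such as tcp[offset:size] in Python (offset 0 is the first byte of the TCP header, not of the payload) and then walks a DRDA DSS chain to find where the SQLSTT code point (0x2414, which is the 9236 in the question's filter) actually sits in three constructed segments: a plain 20-byte TCP header, a header with options, and a segment where another DRDA object precedes the SQLSTT one. The DRDA layout used ([length:2][0xD0][format:1][correlator:2] followed by a DDM object [length:2][code point:2]) and the TCP headers are built by hand for the demo and are assumptions of the example, not captured traffic. It also models the tcpdump idiom tcp[((tcp[12]&0xf0)>>2)+8:2] = 0x2414, which skips TCP options but still only sees the first object in the segment, which is the point the answer makes.

```python
"""Added example (not from the question, the answer, Wireshark or tcpdump):
evaluate BPF-style tcp[offset:size] indexing against constructed TCP segments and
locate the DRDA SQLSTT code point (0x2414 = 9236) in each one.
Assumed DRDA layout: DSS [len:2][0xD0][format:1][correlator:2] + DDM object [len:2][code point:2]."""
import struct

SQLSTT = 0x2414     # DRDA code point for an SQL statement object (9236 decimal)
DSS_MAGIC = 0xD0    # byte following the 2-byte length of every DRDA DSS
EXCSQLPRP = 0x200D  # another DRDA code point, used only as a preceding object in the demo


def tcp_index(segment: bytes, offset: int, size: int = 1) -> int:
    """Value of the BPF expression tcp[offset:size]; offset 0 is the first TCP header byte."""
    if size not in (1, 2, 4):
        raise ValueError("BPF allows index sizes 1, 2 or 4")
    chunk = segment[offset:offset + size]
    if len(chunk) != size:
        raise IndexError("index beyond the end of the segment; BPF treats this as no match")
    return int.from_bytes(chunk, "big")


def tcp_header_len(segment: bytes) -> int:
    """Data-offset nibble times 4, i.e. tcpdump's (tcp[12]&0xf0)>>2."""
    return (tcp_index(segment, 12) & 0xF0) >> 2


def fixed_offset_matches(segment: bytes, offset: int) -> bool:
    """Does 'tcp[offset:2] = 0x2414' match this segment? (the form of filter tried in the question)"""
    try:
        return tcp_index(segment, offset, 2) == SQLSTT
    except IndexError:
        return False


def dynamic_offset_matches(segment: bytes) -> bool:
    """'tcp[((tcp[12]&0xf0)>>2)+8:2] = 0x2414': skips TCP options, but only looks at the
    first DDM object of the first DSS in the segment."""
    return fixed_offset_matches(segment, tcp_header_len(segment) + 8)


def find_sqlstt_offset(segment: bytes):
    """tcp[] offset of the SQLSTT code point, walking the DSS chain in the payload; None if absent."""
    pos = tcp_header_len(segment)
    while pos + 10 <= len(segment):
        dss_len = tcp_index(segment, pos, 2)
        if tcp_index(segment, pos + 2) != DSS_MAGIC or dss_len < 10:
            return None                      # not a DSS we understand
        if tcp_index(segment, pos + 8, 2) == SQLSTT:
            return pos + 8                   # code point of the first DDM object in this DSS
        pos += dss_len                       # next DSS in the same segment
    return None


def build_tcp(dst_port: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (checksum left zero) plus options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 54321, dst_port, 1, 1,
                         data_offset << 4, 0x18, 65535, 0, 0)
    return header + options + payload


def dss(code_point: int, body: bytes) -> bytes:
    """One DRDA DSS wrapping a single DDM object with the given code point."""
    obj = struct.pack("!HH", 4 + len(body), code_point) + body
    return struct.pack("!HBBH", 6 + len(obj), DSS_MAGIC, 0x01, 1) + obj


# Constructed segments to the question's port 60127; none of these are real captures.
SQL = b"SELECT 1 FROM SYSIBM.SYSDUMMY1"
PLAIN = build_tcp(60127, dss(SQLSTT, SQL))                    # 20-byte TCP header
WITH_OPTIONS = build_tcp(60127, dss(SQLSTT, SQL),              # NOP, NOP, 10-byte timestamp option
                         options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
CHAINED = build_tcp(60127, dss(EXCSQLPRP, b"\x00" * 30) + dss(SQLSTT, SQL))  # SQLSTT is the second DSS


if __name__ == "__main__":
    for name, seg in [("plain", PLAIN), ("with_options", WITH_OPTIONS), ("chained", CHAINED)]:
        print(f"{name:13s} tcp[2:2]={tcp_index(seg, 2, 2)} "
              f"SQLSTT at tcp[{find_sqlstt_offset(seg)}:2] "
              f"tcp[260:2]=9236 matches={fixed_offset_matches(seg, 260)} "
              f"dynamic filter matches={dynamic_offset_matches(seg)}")
```

Running it shows the SQLSTT code point at tcp[28:2] for the plain header, tcp[40:2] once TCP options are present, and tcp[68:2] when another DSS precedes it, so no single fixed offset such as tcp[260:2] can match all three, and the option-aware tcpdump form still misses the chained case. Filtering on the port in the capture filter and on drda.sqlstatement in the display filter remains the reliable combination.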



Asked: 2023-04-14 07:06:13 +0000

Seen: 561 times

Last updated: Apr 24 '23