Ask Your Question
0

Capture filter not working as expected

asked 2023-09-02 08:39:07 +0000

I am capturing traffic from the WAN side of a Draytek 2862 using port mirroring. With no capture filter all works as expected. However I am only interested in specific remote hosts so I create a capture filter of the form ‘pppoes and (src net nnn.nnn.nnn.nnn)’. This works as expected but of course I only see traffic from the source ip. I want to see any response from my router so I modify the capture filter to ‘pppoes and (src net nnn.nnn.nnn.nnn or dst net nnn.nnn.nnn.nnn). No traffic from my router to the destination is seen. The objective is to investigate remote sites probing my vpn - so it may be correct that my system is stealthed and does not respond. But I want to be sure so I repeat the test with a ping from my system to some remote host. With no capture filter I see ping requests and responses. With the filter set as described I only see ping responses. With filter set as ‘pppoes and (dst net nnn.nnn.nnn.nnn)’ I see nothing. Can anyone shed light on this please?

edit retag flag offensive close merge delete

Comments

"With no capture filter all works as expected."

When capturing all, is there a display filter that gives the results you want to get with the capture filter?

ppoes and ip.addr == nnn.nnn.nnn.nnn/mask

Chuckc gravatar imageChuckc ( 2023-09-03 02:48:05 +0000 )edit

How does pppoes and net nnn.nnn.nnn.nnn work for you? See pcap-filter for more details.

Jaap gravatar imageJaap ( 2023-09-03 07:28:50 +0000 )edit

I have tested both suggestions 1) Capture all and use display filter 'pppoes and ip,addr == nnn.nnn.nnn.nnn' works as expected and traffic in both directions is visible - I also get the same result using a display filter without 'pppoes and' 2) using capture filter 'pppoes and ip.addr == nnn.nnn.0.0/16' only captures source traffic. The problem with not specifying a capture filter is that the capture file becomes very large very quickly! My hunch is that I may not be using the correct syntax for a capture filter with pppoes... though the UI shows green.

GrahamRHK gravatar imageGrahamRHK ( 2023-09-03 07:55:39 +0000 )edit

This is the compiled filter (BPF) on Wireshark 4.0.8.
It might be time to start looking at the bytes in the captured packets to see if they would match the filter.

pppoes and net 16.32.48.0
--------------------------
(000) ldh      [12]                 eth.type
(001) jeq      #0x8864          jt 2    jf 15
            0x8864  /* PPPoE Session Protocol */
(002) ldh      [20]                 ppp.protocol
(003) jeq      #0x21            jt 4    jf 8
            0x21    /* Internet Protocol version 4 */
(004) ld       [34]                 ip.src
(005) jeq      #0x10203000      jt 14   jf 6
(006) ld       [38]                 ip.dst
(007) jeq      #0x10203000      jt 14   jf 15
(008) jeq      #0x806           jt 10   jf 9    
          #define ETHERTYPE_ARP 0x0806  /* Addr. resolution protocol */
(009) jeq      #0x8035          jt 10   jf 15   
          #define ETHERTYPE_REVARP  0x8035  /* reverse Addr. resolution protocol */
(010) ld       [36]
(011) jeq      #0x10203000      jt 14   jf 12
(012) ld       [46]
(013) jeq      #0x10203000      jt 14   jf 15
(014) ret      #262144
(015) ret      #0
Chuckc gravatar imageChuckc ( 2023-09-04 17:23:17 +0000 )edit

I have made further progress. Thanks to Chuckc for the advice. The reason the capture filter 'pppoes and dst net nnn.nnn.nnn.nnn' does not work is that the outgoing packets have a VLAN tag which displaces the address fields by 4 bytes. Adding to the filter as follows 'vlan and pppoes and dst net nnn.nnn.nnn.nnn' does capture the outgoing packets. Success! The problem now is how to combine the filters to display the associated outgoing and incoming packets. The documentation is clear that the primitives 'vlan' and 'pppoes' persist through the capture filter string and it seems that 'vlan' has to come first. How do I "turn off" that primitive to capture the incoming packets? I want to do something like (vlan && pppoes && dst nnn.nnn.nnn.nnn) or (pppoes && src nnn.nnn.nnn.nnn) but that is not allowed.

GrahamRHK gravatar imageGrahamRHK ( 2023-09-05 07:09:41 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2023-09-05 08:07:23 +0000

SYN-bit gravatar image

As you noticed, combining BPF filters that contain different layers using the standard operators is not possible. But you can always turn to looking at data at specific offsets yourself. As that is what the compiling of your BPF filter basically does.

So, the simplest way would be to check for the IP addresses at the calculated offsets like: ether[34:4]=0x0a000001 or ether[42:4]=0x0a000001 I'm not sure if I calculated the offsets correctly for your case, but that is easy to verify in the hexdata).

Of course you can extend this to check for the vlan ethertype and pppos ethertype at the correct offsets for incoming and outgoing packets, but I leave that as an exercise to the reader ;-)

edit flag offensive delete link more

Comments

Many thanks for this. Though a long time user of Wireshark, the use of this type of capture filter - and indeed the relevance of BPF - are new to me. I'll try asap and report back.

GrahamRHK gravatar imageGrahamRHK ( 2023-09-06 07:07:00 +0000 )edit

Hi @GrahamRHK, glad I was able to nudge you in a possible solution direction. Looking forward to read your experience :-) One other question, I'm preparing a Sharkfest Preconference (master)class on filtering and your traffic might be a nice example for the class. Are you able to share a pcap of a couple of ping packets (and their replies)? Either on a public file-sharing site or through the email in my profile? Cheers, Sake

SYN-bit gravatar imageSYN-bit ( 2023-09-06 14:29:17 +0000 )edit

Your suggestion works perfectly. Simple and elegant. I can now see traffic in both directions with the correct offsets. I have searched the documentation and can't find anywhere the syntax that you suggested i.e. (in my case) 'ether [34:2]=0xnnmm'. Can you point me in the right direction please? As to providing examples - very happy to do that - let me know what specific features you want to illustrate and I will create. Note that I am monitoring WAN traffic.

GrahamRHK gravatar imageGrahamRHK ( 2023-09-07 07:25:10 +0000 )edit

Glad to hear it works for you!

For documentation references, have a look at

  • the pcap-filter manpage under the topic expr1 relop expr2. You will find some examples.
  • My Sharkfest presentation on BPF filters (PDF, VIDEO)

And for an example pcap file, any file containing some ingress and egress traffic will do, as I'm interested in the asymmetrical protocol layering that you encounter. Just make sure there is no sensitive data in there. So a simple ping and/or public web page retrieval will be fine.

SYN-bit gravatar imageSYN-bit ( 2023-09-07 08:58:29 +0000 )edit

Example sent privately to your email.

GrahamRHK gravatar imageGrahamRHK ( 2023-09-08 07:33:08 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-09-02 08:39:07 +0000

Seen: 349 times

Last updated: Sep 05 '23