
ZGP protocol - Source ID filter

asked 2024-03-09 17:17:18 +0000 by Dum

updated 2024-03-09 19:24:00 +0000

Hi, I struggle to filter the packets by Source ID... I want to display all the packets whose source ID (type Unsigned integer) starts with the same first four values. I tried contains, matches, the slice operator... it doesn't work. Do you have an idea how to do that?



Display Filter Reference: ZigBee Green Power Profile
Is it the zbee_nwk_gp.source_id field you want to match on?
Can you provide an example of "same fourth first value"?

Chuckc ( 2024-03-09 17:47:06 +0000 )

Thanks for your answer, yes it's this field. For example, I want all the packets whose IDs start with 0xab12. I have found the solution: I use frame[] to find the specific bytes corresponding to the first four digits of the ID.

Dum ( 2024-03-09 19:23:49 +0000 )

Thanks for the example. I'll write up an answer with sample capture file for future reference.

Chuckc ( 2024-03-09 20:43:41 +0000 )

1 Answer


answered 2024-03-09 22:15:06 +0000 by Chuckc

updated 2024-03-09 22:23:14 +0000

(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)

The error messages will appear in the lower left of the GUI, on the status line.
It's easier to capture the text by taking the output from tshark.

$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).

$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
     58 0x78417788
     46 0xab361a07
      3 0xffffffff

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
    zbee_nwk_gp.source_id matches 7841
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparison.
    zbee_nwk_gp.source_id matches "7841"

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains comparison.
    zbee_nwk_gp.source_id contains "7841"

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence of bytes.
    zbee_nwk_gp.source_id[0:2] == 78:41

Field is Uint32 - Display Filter Reference: ZigBee Green Power Profile

Field name              Description     Type                        Versions
zbee_nwk_gp.source_id   Src ID          Unsigned integer (32 bits)  1.12.0 to 4.2.

Two ways (there could be more) to search for specific bytes in the field:

1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND: A & B (or A bitand B) - bitwise AND of A and B

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
     58     652    5560

2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes

It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>.

WSUG - 6.4.6. The At Operator

$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
     58     652    5560

Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.

Field as displayed in the Packet Details:

Src ID: Unknown (0x78417788)

Field as seen in the Packet Bytes:

0000  88 77 41 78
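To make the byte-order point concrete, here is an added Python example (not from the answer above and not Wireshark code) that builds both filters from the answer for any 16-bit Source ID prefix, including the asker's 0xab12, and checks that they agree on the three Source IDs seen in the sample capture. It assumes the field is laid out little-endian on the wire, exactly as the Packet Bytes pane shows (88 77 41 78 for 0x78417788).

```python
import struct

# Source IDs seen in zgp_control_log.pcapng, taken from the tshark output above.
SAMPLE_SOURCE_IDS = [0x78417788, 0xab361a07, 0xffffffff]


def prefix_filters(prefix: int) -> dict:
    """Build the two display filters from the answer for a 16-bit Source ID prefix.

    The mask filter compares the high 16 bits of the Uint32 directly.
    The at-operator filter compares raw packet bytes; because the field is
    little-endian on the wire, the prefix sits in bytes 2-3 in reversed order.
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must fit in 16 bits, e.g. 0x7841")
    mask_filter = f"zbee_nwk_gp.source_id & 0xffff0000 == 0x{prefix:04x}0000"
    low, high = prefix & 0xFF, prefix >> 8      # 0x7841 -> 41:78 on the wire
    at_filter = f"@zbee_nwk_gp.source_id[2:2] == {low:02x}:{high:02x}"
    return {"mask": mask_filter, "at": at_filter}


def wire_bytes(source_id: int) -> bytes:
    """Raw field bytes as shown in the Packet Bytes pane (little-endian Uint32)."""
    return struct.pack("<I", source_id)


def matches_mask(source_id: int, prefix: int) -> bool:
    """Evaluate the bitwise-AND filter the way the display-filter engine does."""
    return (source_id & 0xFFFF0000) == (prefix << 16)


def matches_at(source_id: int, prefix: int) -> bool:
    """Evaluate the @-operator filter: raw bytes [2:2] against the reversed prefix."""
    expected = bytes([prefix & 0xFF, prefix >> 8])
    return wire_bytes(source_id)[2:4] == expected


def select_by_prefix(source_ids, prefix: int) -> list:
    """Return the IDs both filters select, and fail loudly if they ever disagree."""
    selected = []
    for sid in source_ids:
        by_mask, by_at = matches_mask(sid, prefix), matches_at(sid, prefix)
        assert by_mask == by_at, f"filters disagree on {sid:#010x}"
        if by_mask:
            selected.append(sid)
    return selected


if __name__ == "__main__":
    for p in (0x7841, 0xab12):
        print(prefix_filters(p))
        print([f"{s:#010x}" for s in select_by_prefix(SAMPLE_SOURCE_IDS, p)])
```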
