
Can this packet be filtered?

asked 2025-12-25 06:46:53 +0000

updated 2025-12-26 09:02:57 +0000

I have a large file with more than 90% of packets coming from one IP. If I was to filter based on IP, I would have to save 90% of the large capture file I have which I'd like to avoid.

Is there any way to specify just one packet with the following details that I got from my IDS?

TIME:              11/06/2025-16:57:44.496934
PKT SRC:           wire/pcap
SRC IP:            redacted1
DST IP:            redacted2
PROTO:             17
SRC PORT:          41893
DST PORT:          45547
FLOW:              to_server: FALSE, to_client: TRUE
FLOW Start TS:     11/06/2025-16:34:02.883356
FLOW PKTS TODST:   28056
FLOW PKTS TOSRC:   43406
FLOW Total Bytes:  58085272
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 34
PACKET LEN:        1494

Further clarification:

  1. I run an IDS and packet capture software simultaneously. What I've posted above is an alert from my IDS about a suspicious packet that it flagged.

  2. I have a packet capture file and I am using suricata as my IDS.

  3. Usually given an IDS alert similar to the above it's quite simple to go to Wireshark and zoom down to the troublesome single packet. I often use an expression like:

    frame.time == "2025-10-13 08:17:35.073949+0200"

  4. The above filter didn't produce any results this time. Using the data from the above IDS summary I've created the following filter, which has narrowed my search. Of all the packets captured I've narrowed it down to 6.6%.

    (frame.time_epoch >= 1762448264) && (frame.cap_len == 1494) && (ip.src == redacted1) && (udp.srcport == 41893)

Question: Any ideas about how to zoom down even more?


Comments

What exactly is it you're trying to do?

Do you already have a file, and you want to extract that particular packet?

Or do you want to capture traffic from a network interface and capture packet that are just like that packet?

I'm guessing it's the first of those - in which case that's not what a capture filter would be used for in Wireshark or TShark.

Guy Harris ( 2025-12-26 01:29:15 +0000 )

Are the packets being decoded as cflow? (Display Filter Reference: Cisco NetFlow/IPFIX)

Which IDS is generating the log entry? Is there a mapping back to the netflow fields the data came from?
You may be able to filter on the SRC PORT, DST PORT, FLOW Start TS and FLOW APP_LAYER if they can be mapped to specific Wireshark fields.

Chuckc ( 2025-12-26 02:27:59 +0000 )

@Guy Harris: Please see the information I've added to my question!

shijiseitonashi ( 2025-12-26 09:08:57 +0000 )

@Chuckc: The src and dst port are the same for all 6.6% of the packets displaying. Haven't found a way to filter for flow app_layer.

shijiseitonashi ( 2025-12-26 09:09:35 +0000 )

I think ALPROTO_HTTP2 is 34 so that doesn't help to narrow it down.
AppProtoEnum defined in app-layer-protos.h

Chuckc ( 2025-12-26 13:51:43 +0000 )

1 Answer


answered 2025-12-26 09:34:06 +0000

SYN-bit

You can configure Suricata to log the packet generating the Alert (packet=yes) and then you can extract it from the logging.

See also:

Would that fit your needs?

If not, you can filter on the items in the log entry, but it will never be an exact match unless the timestamps of Suricata exactly match the timestamps in the pcaps, which is next to impossible, as the packets pass through the different processes separately. The best filter you can make is:

ip.src==<src> and ip.dst==<dst> and udp.srcport==<srcport> and udp.dstport==<dstport> and frame.len==<length> and frame.time_epoch >= <time from log> - <delta> and frame.time_epoch <= <time from log> + <delta>

Where you choose delta to be larger than the max time difference between the timestamps in suricata and the timestamps in the pcap file. Please note that you will need to use the timestamp including the microseconds.

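The following script is an added example, not code from the original post, from Suricata or from Wireshark. It turns an alert summary in the layout shown in the question into the windowed display filter the answer describes (5-tuple, frame.len, and frame.time_epoch bounded by TIME plus or minus a delta), so the same filter can be pasted into Wireshark or handed to tshark to write only the matching frame(s) to a small pcap. The sample alert is constructed, with RFC 5737 documentation addresses in place of the redacted IPs; the timezone is an assumption (Suricata stamps alerts in the sensor's local time unless configured otherwise). With UTC, the question's own TIME converts to 1762448264.496934, which is the epoch lower bound the questioner already used.

```python
"""Turn a Suricata alert summary into a Wireshark/tshark display filter.

Added example; not code from the original post, Suricata or Wireshark.
Implements the windowed filter from the answer: 5-tuple + frame.len,
with frame.time_epoch bounded by TIME +/- delta.

Assumption: the alert's TIME is in UTC. Suricata writes timestamps in the
sensor's local time unless configured otherwise, so pass that zone as `tz`
if yours differs.
"""
import re
import shlex
from datetime import datetime, timezone
from decimal import Decimal

# Constructed sample alert in the layout of the question's IDS output.
# IPs are RFC 5737 documentation addresses; other values copied from the post.
SAMPLE_ALERT = """\
TIME:              11/06/2025-16:57:44.496934
PKT SRC:           wire/pcap
SRC IP:            192.0.2.10
DST IP:            198.51.100.20
PROTO:             17
SRC PORT:          41893
DST PORT:          45547
FLOW:              to_server: FALSE, to_client: TRUE
PACKET LEN:        1494
"""

TIME_FMT = "%m/%d/%Y-%H:%M:%S.%f"   # Suricata's MM/DD/YYYY-HH:MM:SS.usec
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol number -> display-filter prefix


def parse_alert(text):
    """Return {KEY: value} for every 'KEY:   value' line; unused keys are kept."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_ ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def suricata_time_to_epoch(ts, tz=timezone.utc):
    """Convert a Suricata timestamp to an exact Decimal epoch (microseconds kept).

    Decimal rather than float so the filter text is not polluted by binary
    rounding: 1762448264.496934 must stay exactly that.
    """
    dt = datetime.strptime(ts, TIME_FMT).replace(tzinfo=tz)
    whole = int(dt.replace(microsecond=0).timestamp())
    return Decimal(whole) + Decimal(dt.microsecond) / Decimal(1_000_000)


def build_filter(fields, delta=Decimal("0.5"), tz=timezone.utc):
    """Build the answer's filter: 5-tuple, packet length, time window.

    `delta` (seconds) must exceed the worst-case clock skew between Suricata's
    timestamp and the capture's; start wide, then shrink it if too many frames
    still match. frame.len is the on-the-wire length; use frame.cap_len instead
    if the capture was taken with a snaplen that truncates packets.
    """
    proto = PROTO_NAMES[int(fields["PROTO"])]
    t = suricata_time_to_epoch(fields["TIME"], tz)
    lo, hi = t - delta, t + delta
    clauses = [
        f"ip.src == {fields['SRC IP']}",
        f"ip.dst == {fields['DST IP']}",
        f"{proto}.srcport == {fields['SRC PORT']}",
        f"{proto}.dstport == {fields['DST PORT']}",
        f"frame.len == {fields['PACKET LEN']}",
        f"frame.time_epoch >= {lo:f}",
        f"frame.time_epoch <= {hi:f}",
    ]
    return " && ".join(clauses)


def tshark_extract_command(pcap_in, pcap_out, display_filter):
    """argv for tshark to write only the frames matching the filter to a new pcap."""
    return ["tshark", "-r", pcap_in, "-Y", display_filter, "-w", pcap_out]


if __name__ == "__main__":
    flt = build_filter(parse_alert(SAMPLE_ALERT))
    print(flt)
    # File names here are placeholders for your own capture and output file.
    print(shlex.join(tshark_extract_command("big.pcap", "one.pcap", flt)))
```

Run it once to print the filter, then open the printed tshark command line against the real capture; if several frames still match, the flow counters in the alert (FLOW PKTS TOSRC, FLOW PKTS TODST) cannot be filtered on, so the only remaining knob is a smaller delta once you know the actual skew between the two clocks.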
