Ask Your Question
0

filter for "data" to match packets

asked 2018-10-28 17:41:24 +0000

Landi gravatar image

updated 2018-10-29 16:49:48 +0000

cmaynard gravatar image

Dear all,

When I run tshark on a particular trace file (file1.pcap) where let's say frame #1 is important to me and I want to search for the exact same frame inside another trace file (file2.pcap), here is what I try to do:

  1. tshark -r file1.pcap -Y frame.number==1 -Tfields -e data This gives me the payload of the frame without its headers as hex stream (same as if I right-click inside the hexpane).
  2. For the other file where the exact same packet is also captured, I try to filter for that hex steam e.g. using tshark -r file2.pcap -Y data=="<paste from step1>" or tshark -r file2.pcap -Y data contains "<subset from that string>"

which both don't work.

However, if I use -Y "data contains 80:00:00" where 80:00:00 is just a random example it works.

So my question is how to match the -Tfields -e data output for "data" filtering without adding colons between every byte :)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-10-29 15:24:05 +0000

cmaynard gravatar image

updated 2018-10-29 16:08:25 +0000

I don't have an answer for your exact question, but I might have a workable alternative for you.

Instead of using the following to get the payload:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data

Try using this instead:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data.data

That will produce the bytes separated by colon's, :, making it easier to copy/paste for the next step:

tshark -r file2.pcap -Y "data==<paste from step1>"

or

tshark -r file2.pcap -Y "data contains <paste of subset from step1>"

It is odd that -Y and -e don't seem to work the same with respect to data and data.data. Maybe file a bug report for that?

EDIT I guess it's not really all that odd after all. data is the name of the protocol whereas data.data is the byte array field of the data dissector. If you were instead to run something like tshark -r file1.pcap -Y frame.number==1 -T fields -e eth, you would see the Ethernet summary line displayed and not the 14 bytes of the Ethernet header. So you're seeing the same with the data dissector here too; it's like the summary line.

Now what's curious is that this summary line should just be text and thus one might expect it to be searchable with the matches (~) operator, as opposed to the contains operator, but that doesn't work. It might be interesting to see if an enhancement could be made to allow for protocol summary lines to work with string operators like matches (~).

edit flag offensive delete link more

Comments

That's exactly what I figured - and for sure that works at least with -Tfields -e data.data and then searching for data==<paste> I'm just confused that the colon seperated output is not available if you right-click into the HEX section using the Wireshark GUI. There you can only copy the HEX stream which is not usable for filtering, so maybe there is room for improvement with the "data" filter here ;)

Landi gravatar imageLandi ( 2018-10-29 15:31:22 +0000 )edit

Another possibility?

Step 1:

tshark -o data.md5_hash:TRUE -r file1.pcap -Y frame.number==1 -T fields -e data.md5_hash

Step 2:

tshark -o data.md5_hash:TRUE -r file2.pcap -Y "data.md5_hash == <MD5 hash from step1>"
cmaynard gravatar imagecmaynard ( 2018-10-29 15:44:30 +0000 )edit

FYI: Bug 15392 has been opened to address the problem with the matches (~) operator not working with protocols as it should be according to the wireshark-filter man page.

cmaynard gravatar imagecmaynard ( 2019-01-03 21:11:10 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-10-28 17:41:24 +0000

Seen: 5,076 times

Last updated: Oct 29 '18