Ask Your Question
0

Filter based on other field value

asked 2018-12-02 14:10:19 +0000

thepacketwizards gravatar image

Hello experts,

I'm currently analyzing GTP data, and I would like to make a dynamic filter, to find all user plane traffic related to that GTP session.

I've been searching for it, but couldn't find anything.

So, basically the idea is that I create a IP Filter based on the IP contained in the gtp.user_ipv4 field of GTP Create PDP Context Response.

I've tried the following: ip.addr==gtp.user_ipv4

But didn't get any results, so I wonder if there is a way to do it or not. If not, would Wireshark developers consider doing it for future releases?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-12-02 14:29:38 +0000

Packet_vlad gravatar image

updated 2018-12-02 15:55:11 +0000

Have you tried the next format?

ip.addr==${gtp.user_ipv4}

image description

edit flag offensive delete link more

Comments

Just did, but unfortunately wireshark regards this filter as invalid.

thepacketwizards gravatar imagethepacketwizards ( 2018-12-02 14:52:16 +0000 )edit

Keep in mind you have to select a packet containing gtp.user_ipv4 field first and then type the filter expression.

Packet_vlad gravatar imagePacket_vlad ( 2018-12-02 15:06:03 +0000 )edit

Thank you very much! Is there any other way to do it without clicking on the packet?

thepacketwizards gravatar imagethepacketwizards ( 2018-12-02 22:34:47 +0000 )edit

By clicking on the packet you define a source for the filter argument. Otherwise if you have for example 100 different packets with different gtp.user_ipv4 values in a trace - which one should the filter use?

For me, optimal routine is:

  1. Write the filter expression;

  2. Create filter button and give it descriptive name (like "This GTP user");

  3. Just click on the packet needed and click on filter button.

Packet_vlad gravatar imagePacket_vlad ( 2018-12-03 10:43:13 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-12-02 14:10:19 +0000

Seen: 429 times

Last updated: Dec 02 '18

Related questions

display filtering and sll?

many to many comparision [display private networks as example]

ip.flags.sf not supported?

Is it possible to filter to ignore capture before and after a particular time stamps?

Why are ranges not possible in display filter frame.number?

Filter only within displayed packets (without re-analyzing entire file)

I cannot enter a filter for tcp port 61883. What is so special about this number?

tshark smtp filter decode.

Wireshark expression filters (Wireless Capture)

Updating MATE config