tshark filter then remove packet and move on

asked 2019-02-09 23:12:06 +0000

Flo

Hi,

I created a small Python script to parse a pcap file and count the number of packets per DSCP value. It is working fine; I obtain something like this:

--------------------------------------
DSCP      Value     Packet num.    %         
--------------------------------------
CS0       0         21097          16        
CS1       8         53672          41        
AF11      10        0              0         
AF12      12        0              0         
AF13      14        0              0         
CS2       16        0              0         
AF21      18        0              0         
AF22      20        0              0         
AF23      22        0              0         
CS3       24        0              0         
AF31      26        147            0         
AF32      28        0              0         
AF33      30        0              0         
CS4       32        0              0         
AF41      34        54074          41        
AF42      36        0              0         
AF43      38        0              0         
CS5       40        0              0         
44        44        0              0         
EF        46        0              0         
CS6       48        417            0         
CS7       56        0              0         
--------------------------------------
Now I am trying to use the same semantics to parse a pcap file, and the idea is to work like a QoS policy-map with class-maps. My code looks like this:

```python
# One COUNT() per class; the backslash continues the string literal
# across lines, so the whole thing is one shell command string.
request = "tshark -r " + pcap + " -q -z io,stat,0,\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af31 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af22 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af11 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ cs1 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ default + ")'"
```

with each variable af31, af22, af11 ... being a string variable like this:

```python
af11 = "(tcp.srcport in { 21 }) or (tcp.dstport in { 21 }) or (tcp.srcport in { 51909 }) or (tcp.dstport in { 51909 }) or (ip.dst == 192.168.85.131) or (ip.dst == 192.168.65.105) or (ip.dst == 192.168.193.50) or (ip.dst == 192.168.246.120) or (ip.src == 192.168.85.131) or (ip.src == 192.168.65.105) or (ip.src == 192.168.193.50) or (ip.src == 192.168.246.120) or (tcp.srcport in { 2051 }) or (tcp.dstport in { 2051 }) or (ip.dst == 192.168.19.213) or (ip.dst == 192.168.114.201) or (ip.dst == 192.168.119.11) or (ip.dst == 192.168.114.200) or (ip.dst == 192.168.119.12) or (ip.dst == 192.168.19.214)"

cs1 = "(tcp)"
```

This is working, but not in a policy-map way. For each "count" I would like to mark that packet as being treated, so that once it matches a filter it can't be counted by another filter later.

For example, in my script the cs1 variable is matching too many things. Even though tshark is applying the filter correctly, I would like every packet that has matched something before that filter to be removed from the next filter check.

So the order of my filters is important, and each packet should be matched only once.

Maybe a solution would be to use my first filter, count the packets, then remove those packets from the big pcap file, and then use my second filter, etc., but that seems a bit overkill, no?


1 Answer


answered 2019-02-13 20:14:08 +0000

Flo

I will answer my own question; it was dumb of me. I just need to negate my previous request(s) each time:

```python
# Each class expression is wrapped in its own parentheses before being
# negated or combined: in Wireshark display filters "not" binds tighter
# than "or", so "not A or B" means "(not A) or B", which would leak
# packets from an unparenthesised "A or B" class into the next class.
request = "tshark -r " + pcap + " -q -z io,stat,0,\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( "+ af31 + ")',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( not (" + af31 + ") and (" + af22 + ") )',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( not (" + af31 + " or " + af22 + ") and (" + af11 + ") )',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( not (" + af31 + " or " + af22 + " or " + af11 + ") and (" + cs1 + ") )',\
COUNT'(ip.dsfield.dscp)ip.dsfield.dscp&&( not (" + af31 + " or " + af22 + " or " + af11 + " or " + cs1 + ") and (" + default + ") )'"
```
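The "negate everything that came before" idea generalises to any ordered list of classes, so here it is as a small standalone helper (an added example, not the poster's script). It assumes tshark is on PATH and takes the pcap path and the class filters from the caller; the sample classes at the bottom are constructed values, not the poster's real policy. Two details a practitioner would want: every class expression is parenthesised before it is negated (Wireshark's `not` binds tighter than `or`, so negating a bare `A or B` would give `(not A) or B`), and the command is passed to `subprocess` as an argument list rather than a concatenated shell string, so a pcap path or filter text containing shell metacharacters is never interpreted by a shell.

```python
"""Ordered, mutually exclusive tshark io,stat COUNT filters (policy-map style).

Added example, not the poster's code.  Assumes tshark is installed; the
SAMPLE_CLASSES below are constructed, not a real policy.
"""
import subprocess
from typing import List, Sequence, Tuple

DSCP_FIELD = "ip.dsfield.dscp"


def exclusive_filters(classes: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (name, filter) pairs where each filter also excludes every
    earlier class, so a packet can match at most one class: first match
    wins, exactly like class-maps inside a policy-map.

    Each class expression is wrapped in parentheses before use.  Without
    that, negating a class written as "A or B" would parse as "(not A) or B"
    and packets from B would be counted a second time in the next class.
    """
    result: List[Tuple[str, str]] = []
    seen: List[str] = []  # parenthesised expressions of all earlier classes
    for name, expr in classes:
        wrapped = "(" + expr + ")"
        if seen:
            combined = "not (" + " or ".join(seen) + ") and " + wrapped
        else:
            combined = wrapped
        result.append((name, combined))
        seen.append(wrapped)
    return result


def tshark_argv(pcap: str, classes: Sequence[Tuple[str, str]],
                field: str = DSCP_FIELD) -> List[str]:
    """Build the tshark argument list: one COUNT(field) per class, each
    restricted to packets that actually carry the field.

    Returning a list (and running it without shell=True) means the pcap
    path and filter text are passed to tshark verbatim; a file name such as
    "x;rm -rf ~.pcap" cannot inject a second command, which the original
    string-concatenation-into-a-shell approach would allow.
    """
    stat = "io,stat,0"
    for _name, flt in exclusive_filters(classes):
        stat += ",COUNT(" + field + ")" + field + " && " + flt
    return ["tshark", "-r", pcap, "-q", "-z", stat]


def run_counts(pcap: str, classes: Sequence[Tuple[str, str]]) -> str:
    """Run tshark and return its io,stat table as text (needs tshark on PATH)."""
    proc = subprocess.run(tshark_argv(pcap, classes),
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample policy: order matters, the last class catches the rest.
SAMPLE_CLASSES = [
    ("af31", "tcp.port == 5060 or udp.port == 5060"),
    ("af11", "tcp.port == 21 or ip.addr == 192.168.85.131"),
    ("cs1", "tcp"),
    ("default", "ip"),
]

if __name__ == "__main__":
    for name, flt in exclusive_filters(SAMPLE_CLASSES):
        print(name, "=>", flt)
    print(" ".join(tshark_argv("capture.pcap", SAMPLE_CLASSES)))
```

Because the classes are evaluated in order and each one excludes all earlier ones, the per-class counts from tshark sum to the number of packets matching the broadest trailing class (here `ip`), which is a quick sanity check that no packet was counted twice.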

Stats

Seen: 700 times

Last updated: Feb 13 '19