Hello, i'm trying to filter some ssl record using ssl.record.content_type==22 but i'm facing a problem if a frame contains 22 and 23 for example, it appears is there a way i can force wireshark to filter the frames that "ONLY" contains 22 not 22 and 23 and w.e ? thanks for the help :) asked 02 Oct '13, 00:25  Ziad Kiwan edited 02 Oct '13, 02:04  grahamb ♦ |
2 Answers:
This is one of the few cases where the "!=" operator does come in handy, the following filter should work too: Which translates to: There is an occurrence of field ssl.record.content_type that has the value 22 and there is not an occurrence of field ssl.record.content_type that does not have the value 22. answered 02 Oct '13, 11:17  SYN-bit ♦♦ showing 5 of 7 show 2 more comments |
++ UPDATE ++ Please try this (works on my system)
Sample #1: With the simple filter, you'll get frames with multiple (different) content types as well.
Result: Sample #2: With the modified filter, you'll get only frames with exactly the content type 22.
Result: Regards answered 02 Oct '13, 00:42  Kurt Knochner ♦ edited 02 Oct '13, 08:02 there is a lot of ssl.record.content_type not only 23 there is too much (02 Oct '13, 00:52) Ziad Kiwan O.K. maybe I misinterpreted your question. I thought you might have several SSL frames stacked in another protocol. Based on your last comment, that's probably not the case. So, can you please rephrase your question? Because, if you use the following filter
you will only see frames with that content type (Handshake). The same holds true for 23.
How does that happen? Can you post a sample capture somewhere (google docs, dropbox, cloudshark). (02 Oct '13, 06:21) Kurt Knochner ♦ no sorry i don't have a sample on hands now,what is happening that when i use ssl.record.content_type==22 as a filter frame that contains content type 22 is appearing even the ones that contains 22 and 23 or even any other content type id and i want only the frames that contains ssl content type 22 exactly appear (02 Oct '13, 07:38) Ziad Kiwan O.K. then we need a sample capture where that happens, because if I filter for content type 22 I only get those frames. BTW: What is your OS and Wireshark version? (02 Oct '13, 07:41) Kurt Knochner ♦ Ubuntu 13.04 and wireshark 1.8.2 (02 Oct '13, 07:43) Ziad Kiwan O.K. nothing suspicious with those. So again, we need a sample capture file where it happens what you describe. (02 Oct '13, 07:45) Kurt Knochner ♦ O.K. now I got what you wanted. Please see the UPDATE in my answer. (02 Oct '13, 07:55) Kurt Knochner ♦ i think that its thanks for the help! real appreciated! (02 Oct '13, 08:13) Ziad Kiwan Hello i tried it now it didn't work :/ 22 isn't appearing at all now idk why (02 Oct '13, 08:16) Ziad Kiwan well, it works on my system, however I used Wireshark 1.10.2. (02 Oct '13, 08:19) Kurt Knochner ♦ I did a quick test with 1.8.6 (Windows XP) and it works as well. (02 Oct '13, 08:21) Kurt Knochner ♦ never mind something is messing with my filter now i need to find it out thanks for the help tho (02 Oct '13, 08:23) Ziad Kiwan here is a sample file: Please run these two commands and post the output (only part of it) here.
(02 Oct '13, 08:27) Kurt Knochner ♦ its fine i found the problem now when i forgot replaced the old filter with the new one i messed up it messed up a bit thanks again (02 Oct '13, 08:29) Ziad Kiwan showing 5 of 14 show 9 more comments |
actually your filter works better than mine, as your filter only prints the frames with content_type 22, whereas my filter also prints frames with no content_type at all.
What's missing in my filter statement is: ssl.record.content_type == 22
The second part of your filter statement (not ssl.record.content_type != 22) is logically the same statement as the statement in my answer, only shorter.
Therefore your answer should be selected as the right one. I would have done it myself, but the system did not allow me to do it.
Yes indeed the second part of my filter is logically the same as your filter. I was just happy to (finally) have an example where the “!=” operator is of use.
In my wireshark trainings I have always mentioned that there is a use case, but that I can’t think of one… now I can :-)
Yep, although it’s hard to understand if you look at it the first time, as it looks somehow ‘not right’, probably due to the double negation, which human brains can’t handle well.
Anyway, this is something new I learned about Wireshark :-)
Please mark your answer as the correct one.
As you have moderator rights now, you should be able to do that yourself. Can you check?
I did. It does not work.
I unchecked the first answer, then I could check the 2nd one.
Ah, very good. Thanks.