Hello everyone ! Tell me, can I create сapture-filter according to any protocol required me? Signal exchange large, want to reduce the load and file size. Or other suitable - record only those frames in which an occurrence of TCAP ? asked 03 Dec '13, 04:08  Larush |
One Answer:
Capture filters (BPF code) are limited to what they can do as they have to be very fast and loop free as they are executed for every packet recived/sent basicaly they look at a fixed offset into a packet and in higer level protocols the information you are looking for will be at diferent offset in different messages. (ref http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf ). But you can use IP address and port to limit capture size. If you are using switch mirroring looking over the mirror setup might help too. answered 03 Dec '13, 05:56  Anders ♦ edited 03 Dec '13, 07:00  Kurt Knochner ♦ |
I work a signalman, I need to analyze the signal exchange between the signal modules, IP address filtering will not reduce the flow of messages. I will study the document.