This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark filter

0

Hey there,

I'm currently working on a filter that captures source IP address, visited URL and a timestamp.

So far I've been trying: (frame[54:16] == 47:45:54:20:2f:20:48:54:54:50:2f:31:2e:31:0d:0a), which works well on traffic generated from my PC, but I have to change the frame part to frame[66:16] to see traffic generated from Apple devices.

Can anybody tell me more about how the frame filter works? I guess it has something to do with location/position in the frame, but I don't have a clue why there is 54 for PC traffic and 66 for Apple devices. Is there a universal syntax to display traffic from all types of devices?

Best regards

asked 27 Feb '14, 10:51


added


2 Answers:

2

I'm currently working on a filter that captures source IP address, visited URL and a timestamp.

In Wireshark/TShark, the term "filter" refers to something that a packet does, or doesn't match - i.e., all it does is say "this packet passes" or "this packet doesn't pass". In that context, "capture source IP address" means "packets with this IP source address pass the filter and other packets don't", "capture visited URL" means "packets that are HTTP requests using this URL pass the filter and other packets don't", and "capture timestamp" means "packets with this timestamp pass the filter and other packets don't".

The Wireshark display filter you show looks for "GET / HTTP/1.1{CR}{LF}", so you appear to be trying to construct a filter that passes only HTTP requests with a visited URL of /.

The frame[] filter looks at raw byte values at very specific offsets in the packet. There is no guarantee that the payload of a TCP segment - which is what would contain the HTTP request line in your example - will be at a fixed offset in the packet; the link-layer header is variable-length in some networks such as 802.11, an IPv4 header can have options and thus be bigger than 20 bytes, a TCP header can have options and thus be bigger than 20 bytes, and the packet might have an IPv6 header plus a variable number of extension headers rather than an IPv4 header.

So a frame[] filter is, in general, a lot less useful than people might think.

A tcp[] filter looks at the TCP header and payload, so it's more useful in this case, but it still doesn't handle TCP options making the TCP header bigger than 20 bytes.

What you really want here is:

http.request.method == "GET" and http.request.uri == "/"

which is a LOT easier than trying to match raw bytes in a packet. That one will work no matter how big the link-layer, IP, and TCP headers are.

answered 27 Feb '14, 15:39


Guy Harris ♦♦

0

The difference is 12 bytes, so it is most probably the TCP timestamp option that Apple supports and your PC doesn't. Try
tcp[20:16]==4745:5420:2f20:4854:5450:2f31:2e31:0d0a || tcp[32:16]==4745:5420:2f20:4854:5450:2f31:2e31:0d0a
or
tcp contains ... to create a more generic filter

answered 27 Feb '14, 12:47


mrEEde
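Why the two offsets differ (54 versus 66), as an added example that is not part of either answer above: a Python script that builds two constructed frames, one with no TCP options and one carrying the 12-byte NOP/NOP/Timestamp option mrEEde suggests, then walks the Ethernet, IPv4 and TCP header lengths the way a dissector does, which is what the http.request filter Guy Harris recommends relies on instead of a fixed frame[] offset. Addresses, ports and checksums in the frames are dummy values.

```python
import struct

# Constructed sample: the request line the question's frame[] filter matches.
REQUEST_LINE = b"GET / HTTP/1.1\r\n"

def build_frame(tcp_options: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame carrying REQUEST_LINE.
    Only the header lengths matter here; addresses and checksums are dummies."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_hdr_len = 20 + len(tcp_options)
    ip_total = 20 + tcp_hdr_len + len(REQUEST_LINE)
    eth = b"\x00" * 12 + b"\x08\x00"                      # 14-byte Ethernet header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total,  # IHL=5 -> 20-byte IPv4 header
                     0, 0x4000, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1,
                      (tcp_hdr_len // 4) << 4,            # data offset in 32-bit words
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + REQUEST_LINE

def payload_offset(frame: bytes) -> int:
    """Walk the headers instead of assuming fixed sizes: Ethernet (14 bytes),
    then the IPv4 IHL field, then the TCP data offset field."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return tcp_start + data_offset

def is_get_root(frame: bytes) -> bool:
    """Header-aware check, the equivalent of matching on the HTTP request
    fields rather than on a raw byte offset."""
    off = payload_offset(frame)
    return frame[off:off + len(REQUEST_LINE)] == REQUEST_LINE

def frame_offset_match(frame: bytes, offset: int) -> bool:
    """The raw-byte check the question's frame[offset:16] filter performs."""
    return frame[offset:offset + 16] == REQUEST_LINE

# No TCP options: payload starts at 14 + 20 + 20 = 54 (the PC case).
PC_FRAME = build_frame(b"")
# NOP, NOP, Timestamp (kind 8, length 10) = 12 bytes, so the payload starts at 66.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8
APPLE_FRAME = build_frame(TS_OPTION)

if __name__ == "__main__":
    for name, frame in (("no options", PC_FRAME), ("timestamp option", APPLE_FRAME)):
        print(f"{name}: payload at {payload_offset(frame)}, "
              f"frame[54] match={frame_offset_match(frame, 54)}, "
              f"header-aware match={is_get_root(frame)}")
```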