This display filter doesn't work: "!(ssdp.nt matches "uuid:.*") && ssdp.type == NOTIFY"

When I enter it into the Display Filter box the box goes red. I'm wondering why, and if I can diagnose it better. I'm by no means a Wireshark pro and I got this little gem from ChatGPT, I admit ;-) FYI this is what ChatGPT wrote:

To filter for NOTIFY packets that lack a UUID in Wireshark, you can use the filter "!(ssdp.nt matches "uuid:.*")" and "ssdp.type == NOTIFY" together.

This filter uses the "!" negation operator to match all NOTIFY packets that do not have a UUID in the NT field of the SSDP packet. The "matches" operator is used in this case because the filter is looking for the occurrence of a specific regular expression pattern.

I'm using Version 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Here is a decoded sample packet:

Frame 221: 396 bytes on wire (3168 bits), 396 bytes captured (3168 bits) on interface eno1, id 0
    Interface id: 0 (eno1)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jan 16, 2023 17:48:52.404348204 AEDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1673851732.404348204 seconds
    [Time delta from previous captured frame: 0.007056959 seconds]
    [Time delta from previous displayed frame: 22.014788472 seconds]
    [Time since reference or first frame: 320.530069532 seconds]
    Frame Number: 221
    Frame Length: 396 bytes (3168 bits)
    Capture Length: 396 bytes (3168 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:ssdp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
    Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
    Source: ICPElect_d9:b9:5a (00:08:9b:d9:b9:5a)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: Nessie (192.168.0.13), Dst: 239.255.255.250 (239.255.255.250)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 382
    Identification: 0x0000 (0)
    Flags: 0x40, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 1
    Protocol: UDP (17)
    Header Checksum: 0xc7bf [validation disabled]
    [Header checksum status: Unverified]
    Source Address: Nessie (192.168.0.13)
    Destination Address: 239.255.255.250 (239.255.255.250)
User Datagram Protocol, Src Port: 46794, Dst Port: 1900
    Source Port: 46794
    Destination Port: 1900
    Length: 362
    Checksum: 0xa037 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 7]
    [Timestamps]
    UDP payload (354 bytes)
Simple Service Discovery Protocol
    NOTIFY * HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): NOTIFY * HTTP/1.1\r\n]
        Request Method: NOTIFY
        Request URI: *
        Request Version: HTTP/1.1
    HOST:239.255.255.250:1900\r\n
    CACHE-CONTROL:max-age=1810\r\n
    LOCATION:http://192.168.0.13:8200/rootDesc.xml\r\n
    SERVER: 3.4.6-generic Microsoft-Windows/6.1 Windows-Media-Player-DMS/12.0.7601.17514 DLNADOC/1.50 UPnP/1.0 QNAPDLNA/1.0\r\n
    NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\n
    USN:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\n
    NTS:ssdp:alive\r\n
    \r\n
    [Full request URI: http://239.255.255.250:1900*]

And I am watching for packets where USN:uuid is empty or NT:uuid is empty. Some device is broadcasting these on my LAN causing Kodi to crash. Kodi bug. But I still want to know which device is doing that.
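
Added example (not part of the original post): a Python check for the condition described above, SSDP NOTIFY datagrams whose NT or USN header is missing, blank, or `uuid:` with nothing after it, grouped by source IP. The function names and the second sample datagram (source 192.0.2.77) are constructed for illustration; the first sample reuses the NT/USN headers of the packet shown in the post.

```python
import re
# USN always begins "uuid:<device-UUID>"; NT may be a uuid, "upnp:rootdevice" or a urn.
# This pattern matches "uuid:" followed by nothing (optionally "::suffix").
EMPTY_UUID = re.compile(r"^uuid:\s*(::.*)?$", re.IGNORECASE)

def parse_notify(payload: bytes):
    """Return the header dict of an SSDP NOTIFY datagram, or None for anything else."""
    lines = payload.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("NOTIFY "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def uuid_problems(payload: bytes):
    """List the NT/USN headers that are absent, blank, or 'uuid:' with no UUID."""
    headers = parse_notify(payload)
    if headers is None:
        return []
    problems = []
    for name in ("NT", "USN"):
        value = headers.get(name)
        if value is None:
            problems.append(f"{name} missing")
        elif value == "" or EMPTY_UUID.match(value):
            problems.append(f"{name} empty")
    return problems

def offenders(datagrams):
    """Map source IP -> problems, for (src_ip, payload) pairs with a bad NT/USN."""
    found = {}
    for src, payload in datagrams:
        problems = uuid_problems(payload)
        if problems:
            found.setdefault(src, []).extend(problems)
    return found

# Constructed samples: the first mirrors the NOTIFY in the post, the second is malformed.
GOOD = (b"NOTIFY * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
        b"NT:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\n"
        b"USN:uuid:4d696e69-444c-164e-9d41-00089bd9b95a\r\nNTS:ssdp:alive\r\n\r\n")
BAD = (b"NOTIFY * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
       b"NT:uuid:\r\nUSN:\r\nNTS:ssdp:alive\r\n\r\n")
SAMPLES = [("192.168.0.13", GOOD), ("192.0.2.77", BAD)]

if __name__ == "__main__":
    print(offenders(SAMPLES))
```

Feed `offenders()` the (source IP, UDP payload) pairs for port 1900 traffic taken from a capture; a well-formed NT such as `upnp:rootdevice` is not flagged, only missing or empty values are.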