This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter Diameter CapabilitiesExchange messages (both TCP and SCTP)

0

I am trying to filter out Diameter Capabilities Exchange messages on top of TCP and SCTP.

I was able to create separate filters like (port 3868 and not ether[67:4]=65792) for SCTP and likewise (port 3868 and not ether[71:4]=65792) for TCP.

How can I combine those filters or is there some other way to filter Diameter Capabilities Exchange messages?

asked 28 Sep '14, 22:36


opex

You say "filter out", do you actually mean "filter to only show"?

Are you looking for a capture filter (to restrict the captured data) or a display filter (to restrict the displayed packets from a capture)?

(29 Sep '14, 02:13) grahamb ♦

Hi grahamb,

I want to get rid of those messages already in the capture filter level.

(29 Sep '14, 02:40) opex

Are you getting CERs so often that you need to get rid of them at the capture level? To me it would make a lot more sense (and be more reliable) to capture them but just filter them out with a display filter.

(29 Sep '14, 08:11) JeffMorriss ♦

Hi JeffMorriss,

Yes I am getting CERs so often that I want to ignore them completely.

(29 Sep '14, 08:32) opex

You could do a two-pass approach, where you save a capture file first then read that file with tshark against a display filter -Y '!diameter.cmd.code==257'.

(29 Sep '14, 16:15) Quadratic

I am not interested in display filters. Capture filters are the one I am looking for.

(06 Oct '14, 08:19) opex
1

If you know exactly how many bytes into the frame you will find the command code, in concept yes you can write a low-level filter in the same way you suggest in the question, bracketing them both and separating them with an "or" operator. However, since you can have more than one chunk in an SCTP message, and since both are variable-length, going with a low-level byte count filter is messy and less reliable than using actual Wireshark dissectors (with a display filter).

I can say with experience that you can make dumpcap captures fed into tshark display filters scale very well, and without any reliability issues created with pure capture filters. So, I think the first sentence here answers the direct question you have but I caution against that approach.

(06 Oct '14, 14:36) Quadratic
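The answer's point that the command code does not sit at a fixed frame offset, shown with added example code that is not from this thread: it walks the Ethernet/IPv4/TCP-or-SCTP headers the way a dissector does to locate the Diameter command code, and runs on constructed frames (TCP without options, TCP with 12 bytes of options, and SCTP with a SACK chunk bundled before the DATA chunk); the MAC/IP addresses and ports other than 3868 are made up.

```python
import struct

CER_CODE = 257                          # Diameter Capabilities-Exchange command code (CER/CEA)

def diameter_code_offset(frame):
    """Frame offset of the 3-byte Diameter command code, found by parsing Ethernet/IPv4/
    TCP-or-SCTP headers; None if not Diameter on port 3868 or the headers are truncated."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]     # IPv4 IHL may include options
    if len(frame) < l4 + 16 or 3868 not in struct.unpack("!HH", frame[l4:l4 + 4]):
        return None
    if proto == 6:                                          # TCP: length from data-offset nibble
        payload = l4 + (frame[l4 + 12] >> 4) * 4
    elif proto == 132:                                      # SCTP: 12-byte common header, then chunks
        off, payload = l4 + 12, None
        while off + 4 <= len(frame):
            ctype, _, clen = struct.unpack("!BBH", frame[off:off + 4])
            if ctype == 0:                                  # DATA chunk: 16-byte header, then user data
                payload = off + 16
                break
            off += (clen + 3) & ~3                          # other chunks are padded to 4 bytes
        if payload is None:
            return None
    else:
        return None
    # Diameter header: version(1) length(3) flags(1) code(3) app-id(4) hop-by-hop(4) end-to-end(4)
    if len(frame) < payload + 20 or frame[payload] != 1:
        return None
    return payload + 5

def is_cer(frame):
    off = diameter_code_offset(frame)
    return off is not None and int.from_bytes(frame[off:off + 3], "big") == CER_CODE

# Constructed sample frames (not real captures): a 20-byte CER header with the Request flag set.
CER = b"\x01\x00\x00\x14\x80" + CER_CODE.to_bytes(3, "big") + b"\x00" * 12

def ipv4_frame(proto, l4_bytes):
    ip = (b"\x45\x00" + struct.pack("!H", 20 + len(l4_bytes)) + b"\x00\x00\x40\x00\x40"
          + bytes([proto]) + b"\x00\x00\x0a\x00\x00\x01\x0a\x00\x00\x02")
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4_bytes

def tcp_frame(options=b""):
    hdr = struct.pack("!HHIIBBHHH", 3868, 50000, 1, 1, (5 + len(options) // 4) << 4,
                      0x18, 65535, 0, 0)
    return ipv4_frame(6, hdr + options + CER)

def sctp_frame():
    sack = struct.pack("!BBHIIHH", 3, 0, 16, 1, 65535, 0, 0)            # SACK chunk before DATA
    data = struct.pack("!BBHIHHI", 0, 3, 16 + len(CER), 1, 0, 0, 46) + CER   # PPID 46 = Diameter
    return ipv4_frame(132, struct.pack("!HHII", 3868, 3868, 0, 0) + sack + data)
```

The fixed offsets from the question (67 for SCTP, 71 for TCP) come out only for a lone DATA chunk and for a TCP header carrying exactly 12 bytes of options; the other constructed frames put the code elsewhere.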