Hi, It seems to not be possible to add 104asdu as a capture filter in the capture options window. Any ideas of how to get this working or can someone confirm that it is a bug? Maybe we can add it to a list of bugs? It takes up so much disk space if I can't use a capture filter :/ Best regards, Richard asked 12 Nov '14, 01:07  Richard Pren... |
One Answer:
That's a high-level protocol (IEC60870-5-104) field, the capture filter system has no knowledge of that protocol (it stops around tcp\udp) so you can't create a capture filter for the field. See the Wiki page on Capture Filters for more info. You can filter the capture by IP\port, which might help, but if the volume of traffic for the device is still too high, you might be able to create a capture filter by matching bytes at specific offsets in the packet, if the relevant IEC fields always appear at the same offset. answered 12 Nov '14, 03:44  grahamb ♦ |
Thanks Grahamb,
I just find it strange because I can filter for 104asdu in the main window (Filter field). Here I can filter all kinds of parameters which are very useful (e.g. 104asdu.ioa, 104asdu.typeid, 104asdu.addr etc). I thought because it is possible to filter here that it would be possible to filter in the capture options (using the same filters).
Best regards,
Richard
Capture Filters and Display Filters are two quite different beasts, that often confuse folks. The users guide has lots of useful information about the two types of filters, but basically Capture Filters are lean and efficient to operate with high traffic rates, so they only "know" about a limited set of protocols and filter options, whereas Display Filters can handle any field in Wireshark with many different comparison options.