This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture from custom libpcap-based sniffer not honoring all display filters

0

I "inherited" a custom sniffer program that is capturing traffic using libpcap.

When I try to use display filters such as "http.request" and "http.response", no traffic is displayed in Wireshark. However, when I just use "http", I see all of the packets I would expect.

Can anyone give me some hints as to what I should be looking at more closely in this custom code that would affect the ability to use these filters? I'm not a libpcap expert.

asked 28 Oct '11, 11:36

dturkel


3 Answers:

1

Another option: Your sniffer program limits the capture to the first 68 bytes of the frame. Then you'll have http, but the dissector is unable to parse an http request or response field. Hence the http display filter works, http.request and http.response don't.

answered 29 Oct '11, 11:13

Jaap ♦

The same thought occurred to me this morning over coffee. There was an option to provide the number of bytes to capture, and I increased this... and bingo, problem solved. Thanks very much!

(29 Oct '11, 15:19) dturkel
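To make the snaplen problem above concrete, here is an added example (not code from the original thread or from the custom sniffer) that builds a classic pcap file in memory the way a sniffer with a 68-byte snaplen would write it, then audits it for truncated records (captured length shorter than wire length) and checks whether the HTTP request line survived. The sample frame, its fixed 54-byte Ethernet/IPv4/TCP header layout and the timestamps are constructed for the demonstration.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4  # classic pcap magic, in the writer's native byte order

# Constructed sample frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header
# (zeros stand in for the real header fields) followed by an HTTP request.
# Only the TCP payload matters for this demonstration.
SAMPLE_FRAME = bytes(54) + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

def build_pcap(snaplen, frames):
    """Write a minimal little-endian pcap (link type 1, Ethernet) in memory,
    truncating each frame to snaplen the way a small pcap_open_live() snaplen would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(captured), len(frame)) + captured
    return out

def audit_pcap(data):
    """Return (snaplen, records, truncated) for a classic pcap blob: a record
    is truncated when its captured length is shorter than its wire length."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xd4c3b2a1:  # the same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(end + "IHHiIII", data[:24])[5]
    off, records, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        records += 1
        truncated += caplen < origlen
        off += 16 + caplen
    return snaplen, records, truncated

def http_request_line(frame):
    """Return the HTTP request line from a captured Ethernet/IPv4/TCP frame, or
    None if the capture was cut before the terminating CRLF, which is the case
    in which Wireshark's http.request field is never populated."""
    payload = frame[54:]  # assumes fixed 20-byte IPv4 and TCP headers (constructed)
    eol = payload.find(b"\r\n")
    return payload[:eol].decode("ascii") if eol >= 0 else None

if __name__ == "__main__":
    for snaplen in (68, 65535):
        pcap = build_pcap(snaplen, [(1319800000, SAMPLE_FRAME)])
        print(snaplen, audit_pcap(pcap), http_request_line(SAMPLE_FRAME[:snaplen]))
```

With snaplen 68 the audit reports one truncated record and no request line; with 65535 the same frame is captured whole and the request line is recovered.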

0

libpcap doesn't use Wireshark display filters, it uses capture filters. It seems that your custom sniffer appends your filter string to "port ", then feeds it to libpcap. That way "port http" results in BPF filter code, while compilation of "port http.request" and "http.response" does not.

answered 28 Oct '11, 15:08

Jaap ♦

Thanks Jaap.

What I'm trying to do is select/display a capture from the custom sniffer in Wireshark, applying the display filter "http.response".

The custom sniffer does not apply any filters (which is desired, because there are quite a few other non-HTTP filters that need to be applied as well, e.g. for SMB and other higher-level protocols).

(28 Oct '11, 15:55) dturkel

0

libpcap does not accept Wireshark filters but tcpdump filters.

Look at justniffer for an example of a sniffer using the libpcap libraries.

answered 03 Nov '11, 04:13

Augustyn