Ethereal-users: Re: [Ethereal-users] Need Help With Capture Filter

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 24 Apr 2005 01:12:57 -0700
Al Stu wrote:
> Need to create a capture filter for Microsoft Messenger Service, NetrSendMessage packets (see attached capture file).
>
> The capture filter cannot be based on IP source address or UDP destination port, as these vary.

If those packets have a pattern that appears in all packets at a fixed offset, you could try using the comparison feature in libpcap capture filters; to quote the tcpdump man page:

      expr relop expr
             True if the relation holds, where relop is one of >, <, >=, <=, =, !=,
             and expr is an arithmetic expression composed of integer constants
             (expressed in standard C syntax), the normal binary operators [+, -, *,
             /, &, |, <<, >>], a length operator, and special packet data accessors.
             To access data inside the packet, use the following syntax:
                  proto [ expr : size ]
             Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp,
             tcp, udp, icmp or ip6, and indicates the protocol layer for the index
             operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the
             link layer.) Note that tcp, udp and other upper-layer protocol types
             only apply to IPv4, not IPv6 (this will be fixed in the future). The
             byte offset, relative to the indicated protocol layer, is given by
             expr. Size is optional and indicates the number of bytes in the field
             of interest; it can be either one, two, or four, and defaults to one.
             The length operator, indicated by the keyword len, gives the length of
             the packet.

             For example, `ether[0] & 1 != 0' catches all multicast traffic. The
             expression `ip[0] & 0xf != 5' catches all IP packets with options. The
             expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams
             and frag zero of fragmented datagrams. This check is implicitly applied
             to the tcp and udp index operations. For instance, tcp[0] always means
             the first byte of the TCP header, and never means the first byte of an
             intervening fragment.

From your reference to "NetrSendMessage" I assume this is the DCE RPC-based service, but that it's not running over SMB (in which case it'd be TCP traffic on port 139 or 445). If it's *not* running over SMB, there might be some pattern you could construct; you'd have to look at fields such as the DCE RPC version number field (the major version should be 4), as well as at the UUID (you'd want the UUID for Microsoft Messenger).

Constructing a capture filter to match those packets is left as an exercise for the reader.
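A worked version of that exercise, added here as an example (it is not code from the thread, from Guy Harris, or from the Ethereal or tcpdump projects): it builds the comparison-style capture filter described in the tcpdump man page text above from the layout of the connectionless DCE RPC header that DCE RPC uses over UDP, and applies the same byte comparisons to a constructed packet so the filter can be checked offline. Assumptions: the 80-byte connectionless header carries rpc_vers (4) at offset 0, the packet type at offset 1 (0 = request) and the interface UUID at offset 24; the sender uses little-endian data representation, so the first three UUID fields are byte-swapped on the wire (Python's uuid.UUID.bytes_le gives that order); and DEMO_IF_UUID is a placeholder, not the Messenger service's UUID, which you would read from Ethereal's DCE RPC dissection of the attached capture. The string capture_filter() returns is what you would paste into Ethereal's capture filter field or hand to tcpdump.

```python
import struct
import uuid

# Offsets in the connectionless (UDP) DCE RPC header; assumed 80-byte layout.
UDP_HDR_LEN = 8          # udp[N] counts from the UDP header, so payload byte 0 is udp[8]
CL_RPC_VERS_OFF = 0      # rpc_vers, 4 for DCE RPC
CL_PTYPE_OFF = 1         # packet type, 0 = request
CL_IF_ID_OFF = 24        # interface UUID, 16 bytes
CL_HDR_LEN = 80
PTYPE_REQUEST = 0
PTYPE_RESPONSE = 2

# Placeholder interface UUID for the demo (assumption; not the Messenger service's UUID).
DEMO_IF_UUID = "12345678-9abc-def0-1234-56789abcdef0"


def uuid_wire_bytes(if_uuid, little_endian=True):
    """UUID as encoded on the wire: first three fields byte-swapped under little-endian drep."""
    u = uuid.UUID(if_uuid)
    return u.bytes_le if little_endian else u.bytes


def capture_filter(if_uuid, requests_only=True, little_endian=True):
    """Return a libpcap filter matching connectionless DCE RPC packets for one interface UUID.

    libpcap's udp[off:4] reads the four packet bytes big-endian, so each constant is the
    big-endian value of the corresponding wire bytes, whatever drep the sender uses.
    """
    terms = ["udp[%d] = 4" % (UDP_HDR_LEN + CL_RPC_VERS_OFF)]
    if requests_only:
        terms.append("udp[%d] = %d" % (UDP_HDR_LEN + CL_PTYPE_OFF, PTYPE_REQUEST))
    wire = uuid_wire_bytes(if_uuid, little_endian)
    for i in range(0, 16, 4):
        (word,) = struct.unpack("!I", wire[i:i + 4])
        terms.append("udp[%d:4] = 0x%08x" % (UDP_HDR_LEN + CL_IF_ID_OFF + i, word))
    return " and ".join(terms)


def matches(udp_payload, if_uuid, requests_only=True, little_endian=True):
    """Apply the filter's comparisons to a UDP payload (bytes after the UDP header) as BPF would.

    A read past the end of the packet makes a BPF filter fail, so short packets are
    rejected instead of raising.
    """
    if len(udp_payload) < CL_IF_ID_OFF + 16:
        return False
    if udp_payload[CL_RPC_VERS_OFF] != 4:
        return False
    if requests_only and udp_payload[CL_PTYPE_OFF] != PTYPE_REQUEST:
        return False
    return udp_payload[CL_IF_ID_OFF:CL_IF_ID_OFF + 16] == uuid_wire_bytes(if_uuid, little_endian)


def build_cl_header(if_uuid, ptype=PTYPE_REQUEST, opnum=0, little_endian=True):
    """Constructed sample: a minimal 80-byte connectionless DCE RPC header with no stub data."""
    drep = b"\x10\x00\x00" if little_endian else b"\x00\x00\x00"
    order = "<" if little_endian else ">"
    hdr = bytes([4, ptype, 0, 0]) + drep + b"\x00"   # rpc_vers, ptype, flags1, flags2, drep[3], serial_hi
    hdr += bytes(16)                                   # object UUID (nil)
    hdr += uuid_wire_bytes(if_uuid, little_endian)     # interface UUID
    hdr += bytes(16)                                   # activity UUID (nil in this sample)
    hdr += struct.pack(order + "IIIHHHHH",
                       0, 1, 0, opnum,                 # server_boot, if_vers, seqnum, opnum
                       0xFFFF, 0xFFFF, 0, 0)           # ihint, ahint, len (no stub), fragnum
    hdr += bytes([0, 0])                               # auth_proto, serial_lo
    assert len(hdr) == CL_HDR_LEN
    return hdr


if __name__ == "__main__":
    print(capture_filter(DEMO_IF_UUID))
    print("request matches:", matches(build_cl_header(DEMO_IF_UUID), DEMO_IF_UUID))
    print("response matches:",
          matches(build_cl_header(DEMO_IF_UUID, ptype=PTYPE_RESPONSE), DEMO_IF_UUID))
```

The caveats from the man page text apply unchanged: udp[] accessors only match IPv4 and only the first fragment of a fragmented datagram, so a DCE RPC call split across IP fragments is only caught on fragment zero. If a sender uses big-endian data representation, generate the filter with little_endian=False, or join the two variants with "or".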