Wireshark-users: Re: [Wireshark-users] Filter protocols / traffic that embeds IP information in d

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 9 Aug 2010 17:38:09 +0200
On 9 aug 2010, at 07:18, Hansen, Ulrich Vestergaard B. (E R WP EN ES 4 2) wrote:

> I have a live network running with multiple applications - some of them being self-developed.
> I've tapped into a fat trunk link to capture every conversation between servers and clients.
>  
> I want to filter traffic that embeds IP addresses inside the data field / data segment to identify which applications might have trouble with Network Address Translation - like SIP, FTP and SNMP.
>  
> How do I do that? Any suggestions?
> I use Wireshark and CACE Pilot.

IP addresses are just data, so it is not possible to just filter on embedded IP addresses without specifying where to expect those IP addresses. You will need to check protocol by protocol on how to achieve this.

For checking FTP you might want to use something like:

(ftp.request.command == "PORT") && (ftp.request.arg matches "^192,168,[0-9]+,[0-9]+,[0-9]+,[0-9]+$")

To check whether there are any non-translated 192.168.x.x addresses in the PORT command.

Hope this helps,
Cheers,

Sake