Wireshark-users: Re: [Wireshark-users] Filtering on (negated) frame.time_relative filters out wro

From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Sat, 18 Mar 2017 15:01:06 +0100
On 170317-21:30+0100, Miroslav Rovis wrote:
> On 170317-11:29+0000, Graham Bloice wrote:
> > On 17 March 2017 at 11:23, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> > > Can you try to prepare a smaller capture that can reproduce the
> > > issue which does not contain sensitive passwords?
> 
> Posted:
> 
> The Test Sample for the (Imaginary or Not) Bug
> http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-2.php

I made the follow-up:
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-3.php

but reading it from top is huge excess and impertinent to point the
developers to, so I'm writing this notice about it. :-)

Pls. just find (somewhere in the middle of the page):

$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
    dump_170317_0928_g0n.pcap  -Y \
    '(!(frame.time_relative == 33.105837782))' \
    -w dump_170317_0928_g0n_noPWft.pcap

and

(
but only if you want to see the rest of my testing, then also find

PASTING
NOTE: you are probably better off downloading (see below) and running first

$ ./dump_170317_0928_g0n_noPWft_TEST1.sh
PASTED
( and also the other scripts, 4 total )

You can see that, because it's the entire tests are in the two, and
later two more, scripts.

The first testing set is on negated filtering on frame.time_relative,
and the second one is on negated filtering on frame.number:

$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
    dump_170317_0928_g0n.pcap  -Y \
    '(!(frame.number == 1070))' \
    -w dump_170317_0928_g0n_noPWfn.pcap

And those two command lines do what I wrote there, pasting from that
page, respectively for the frame.time_relative negated filtering:

PASTING
...Well, I can definitely see the issues I reported to Wireshark ML. The
frame.time_relative == 33.105837782 which belongs to the frame that I
want to remove is gone, but that frame is given a different --not
its own, so wrong-- frame.time_relative, and that frame --that packet--
still remains, while some other frame is removed, and not the one that
the command asked to be removed.
PASTED

and for the frame.number negated filtering:

PASTING
I will still find the password in all the places as previously.
PASTED

I simply get wrong packet out with those filtering.

This is important:
=================
I can post the files that I get, in case you don't get the wrong packet
filtered out with your instance of Wireshark...
=======================================================================

And finally a word for non-developers who are eager to learn a little: I
wrote all that much because I believe it can be useful to newbies. I
like to spread the use of good programs, and I like to read the network,
and show others a tip or two about it if I can. The page is mostly for
you, not the developers.

Regards!

-- 
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: Digital signature