Wireshark-users: Re: [Wireshark-users] Capture filter expression

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Wed, 12 Sep 2018 18:46:32 +0000

If you need to ensure that you capture IP fragments, you can add the following to your capture filter: "ip[6:2] & 0x3fff != 0x0000".  Of course you’ll get *all* fragments and not necessarily just those fragments associated with the packets of interest.  That said, you may be able to include other filters, such as host filters, to reduce the number of irrelevant packets.

 

By the way, you can also use "(udp[8:4] = 0x52545053)" instead of "(udp[8] = 0x52 && udp[9] = 0x54 && udp[10] = 0x50 && udp[11] = 0x53)" as your capture filter as it’s more efficient.  Compare:

 

dumpcap -f "udp[8:4] = 0x52545053" -d

Capturing on 'eth0'

(000) ldh      [12]

(001) jeq      #0x800           jt 2    jf 10

(002) ldb      [23]

(003) jeq      #0x11            jt 4    jf 10

(004) ldh      [20]

(005) jset     #0x1fff          jt 10   jf 6

(006) ldxb     4*([14]&0xf)

(007) ld       [x + 22]

(008) jeq      #0x52545053      jt 9    jf 10

(009) ret      #262144

(010) ret      #0

 

vs.

 

dumpcap -f "(udp[8] = 0x52 && udp[9] = 0x54 && udp[10] = 0x50 && udp[11] = 0x53)" -d

Capturing on 'eth0'

(000) ldh      [12]

(001) jeq      #0x800           jt 2    jf 16

(002) ldb      [23]

(003) jeq      #0x11            jt 4    jf 16

(004) ldh      [20]

(005) jset     #0x1fff          jt 16   jf 6

(006) ldxb     4*([14]&0xf)

(007) ldb      [x + 22]

(008) jeq      #0x52            jt 9    jf 16

(009) ldb      [x + 23]

(010) jeq      #0x54            jt 11   jf 16

(011) ldb      [x + 24]

(012) jeq      #0x50            jt 13   jf 16

(013) ldb      [x + 25]

(014) jeq      #0x53            jt 15   jf 16

(015) ret      #262144

(016) ret      #0

 

Anyway, so you might want to start with a capture filter of "(ip[6:2] & 0x3fff != 0x0000) or (udp[8:4] = 0x52545053)" and then go from there.

- Chris

 

 

From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Juanjo Martin Carrascosa
Sent: Wednesday, September 12, 2018 6:06 AM
To: Wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Capture filter _expression_

 

Hi everyone,

 

In the RTPS protocol (IP -> UDP -> RTPS) the payload is identified with the first 4 bytes of the UDP payload (it literally contains "RTPS"). 

 

The problem is that when RTPS packets are bigger than 1500 bytes, they are formed by 2+ IP fragments where only the first one contains the RTPS magic word.

 

That is why this capture filter:

 

"(udp[8] == 'R' && udp[9] == 'T'  && udp[10] == 'P' && udp[11] == 'S')

 

would not work, because this is true only for the first IP fragment. I have tested and verified that other IP fragments (2nd and beyond) are not captured.

 

1) Is there any way to configure Wireshark, pcap or ANYTHING to make it reassemble the fragments first and then evaluate the capture filter?

 

2) Can you think of another way to write a capture filter to only capture RTPS traffic?

 

Regards,

Juanjo Martin

CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information.  This message is intended solely for the use of the addressee.  If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.