Wireshark mailing list archives
Re: SIP filter issues
From: Guy Harris <guy () alum mit edu>
Date: Mon, 16 Jan 2012 13:22:59 -0800
On Jan 16, 2012, at 12:13 PM, Manolis Katsidoniotis wrote:
> Question 1 In order to reduce captured traffic we also use capture filters. However the "highest" layer I can see is TCP/UDP (using ports).
Yes. The capture filter mechanism, as described in http://www.tcpdump.org/papers/bpf-usenix93.pdf, involves a fairly simple pseudo-machine language, with an interpreter in the kernel, so the pseudo-machine language doesn't, for example, support loops, to prevent infinite loops from being run in the kernel. Its filtering capabilities are somewhat limited, and the compiler that translates filters into pseudo-machine code is also somewhat limited.
> I'm not familiar with higher layer examples like the smtp below
If "the smtp below" refers to the screenshot of the list of capture filters, those aren't really higher-layer examples. "Non-HTTP and non-SMTP to/from www.wireshark.org" isn't a filter, it's just a name given to the filter in the filter list; the actual filter is just "not port 80 and not port 25 and host www.wireshark.org", i.e. it's just testing the TCP port number for "non-HTTP" and "non-SMTP".
> but especially for SIP or even capture filter examples of the type field[4:18]>200 in which case I could filter out half the clause during capture and the other half during viewing
At best, you could do something along the lines of what's done here: http://seclists.org/tcpdump/2004/q4/95. That filter is comparing the first 4 bytes of the TCP payload with 0x47455420 (big-endian), i.e. with "GET ".
> Question 2 The filter I used as example is not actually used in wireshark. It is provided as input in tshark which reads files and produces some statistics for view (like below – it actually runs through a simple script and reads each file separately). Is this the same case (I mean when I use tshark)
Yes.
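As an added illustration (not part of Guy Harris's reply) of how a fixed-offset payload comparison like the 0x47455420 one above works, and why a comparison such as field[4:18]>200 cannot be expressed as a capture filter: the code builds the tcpdump filter text for a 1/2/4-byte payload match and evaluates the same test in Python on constructed Ethernet/IPv4/UDP frames carrying SIP on port 5060. The function and frame names are my own; the "INVI" literal and the sample frames are constructed.

```python
import struct

UDP_HDR_LEN = 8  # UDP header is fixed size, so payload offsets are constant


def payload_filter(proto, port, offset, literal):
    """Return tcpdump/libpcap capture-filter text matching `literal` at byte
    `offset` of the UDP or TCP payload on `port`.

    BPF loads 1-, 2- or 4-byte words only, so a wider comparison such as the
    field[4:18] case from the question has to be left to the display filter.
    """
    size = len(literal)
    if size not in (1, 2, 4):
        raise ValueError("BPF compares 1, 2 or 4 bytes, not %d" % size)
    value = "0x" + literal.hex()
    if proto == "udp":
        return "udp port %d and udp[%d:%d] = %s" % (
            port, UDP_HDR_LEN + offset, size, value)
    if proto == "tcp":
        # TCP header length is variable: the data offset (in 32-bit words) is
        # the top nibble of header byte 12, hence the (tcp[12:1] & 0xf0) >> 2 idiom.
        return "tcp port %d and tcp[((tcp[12:1] & 0xf0) >> 2) + %d:%d] = %s" % (
            port, offset, size, value)
    raise ValueError("proto must be 'udp' or 'tcp'")


def build_udp_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame around `payload` (checksums left 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    udp_len = UDP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def udp_filter_matches(frame, port, offset, literal):
    """Evaluate the same test payload_filter('udp', ...) compiles, on one frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 17:
        return False  # not IPv4 over Ethernet, or not UDP
    ihl = (frame[14] & 0x0f) * 4
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if port not in (sport, dport):  # "udp port N" matches either direction
        return False
    payload = udp[UDP_HDR_LEN:]
    return payload[offset:offset + len(literal)] == literal


# Constructed sample frames: a SIP request and a SIP response on port 5060.
SIP_INVITE = build_udp_frame(5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n")
SIP_REPLY = build_udp_frame(5060, 5060, b"SIP/2.0 200 OK\r\n")
```

payload_filter("udp", 5060, 0, b"INVI") yields a filter that only keeps SIP requests starting with "INVI", while the 14-byte field[4:18] comparison raises ValueError and must stay in the tshark/Wireshark display filter.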