Wireshark mailing list archives

Re: Capture filter expression


From: "Maynard, Chris" <Christopher.Maynard () IGT com>
Date: Wed, 12 Sep 2018 18:46:32 +0000

If you need to ensure that you capture IP fragments, you can add the following to your capture filter: "ip[6:2] & 0x3fff != 0x0000".  Of course you’ll get *all* fragments and not necessarily just those fragments associated with the packets of interest.  That said, you may be able to include other filters, such as host filters, to reduce the number of irrelevant packets.

By the way, you can also use "(udp[8:4] = 0x52545053)" instead of "(udp[8] = 0x52 && udp[9] = 0x54 && udp[10] = 0x50 && udp[11] = 0x53)" as your capture filter as it’s more efficient.  Compare:

dumpcap -f "udp[8:4] = 0x52545053" -d
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x11            jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ld       [x + 22]
(008) jeq      #0x52545053      jt 9    jf 10
(009) ret      #262144
(010) ret      #0

vs.

dumpcap -f "(udp[8] = 0x52 && udp[9] = 0x54 && udp[10] = 0x50 && udp[11] = 0x53)" -d
Capturing on 'eth0'
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [23]
(003) jeq      #0x11            jt 4    jf 16
(004) ldh      [20]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 22]
(008) jeq      #0x52            jt 9    jf 16
(009) ldb      [x + 23]
(010) jeq      #0x54            jt 11   jf 16
(011) ldb      [x + 24]
(012) jeq      #0x50            jt 13   jf 16
(013) ldb      [x + 25]
(014) jeq      #0x53            jt 15   jf 16
(015) ret      #262144
(016) ret      #0

Anyway, so you might want to start with a capture filter of "(ip[6:2] & 0x3fff != 0x0000) or (udp[8:4] = 0x52545053)" and then go from there.
- Chris
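As an added example (not part of Chris's reply or of the Wireshark project), the following Python script interprets the two classic-BPF listings that `dumpcap -d` printed above, copied verbatim, and runs them over constructed Ethernet/IPv4/UDP frames: the first fragment of a large RTPS datagram, its continuation fragment (which carries no UDP header), and an unrelated UDP packet. It makes two things visible that the listings alone do not: instruction (005) `jset #0x1fff` sends every non-first fragment straight to `ret #0`, which is why any `udp[...]` test can only ever match the first fragment, and the four-byte comparison reaches its verdict in 10 instructions where the byte-by-byte version needs 16. The combined filter from the reply is rendered as a plain Python OR of its two halves rather than compiled bytecode; the function names, the sample frames and the all-zero MAC addresses are assumptions made for this example.

```python
import re
import struct

# Both listings are copied verbatim from the dumpcap -d output quoted in the reply above.
PROG_WORD = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x11            jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ld       [x + 22]
(008) jeq      #0x52545053      jt 9    jf 10
(009) ret      #262144
(010) ret      #0
"""
PROG_BYTES = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 16
(002) ldb      [23]
(003) jeq      #0x11            jt 4    jf 16
(004) ldh      [20]
(005) jset     #0x1fff          jt 16   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 22]
(008) jeq      #0x52            jt 9    jf 16
(009) ldb      [x + 23]
(010) jeq      #0x54            jt 11   jf 16
(011) ldb      [x + 24]
(012) jeq      #0x50            jt 13   jf 16
(013) ldb      [x + 25]
(014) jeq      #0x53            jt 15   jf 16
(015) ret      #262144
(016) ret      #0
"""

INSN = re.compile(r"^\(\d+\)\s+(\w+)\s+(.*?)\s*$")      # "(005) jset     #0x1fff  jt 10  jf 6"
JUMP = re.compile(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)")   # jump targets are absolute indexes
LOAD = re.compile(r"\[\s*(x\s*\+\s*)?(\w+)\s*\]")        # "[12]" or "[x + 22]"
SIZE = {"ld": 4, "ldh": 2, "ldb": 1}

def parse(listing):
    """Turn the text of a `dumpcap -d` listing into a list of (opcode, operand) pairs."""
    return [m.groups() for m in map(INSN.match, listing.strip().splitlines()) if m]

def run_bpf(prog, pkt):
    """Toy classic-BPF interpreter (assumed subset: ld*, ldxb, jeq/jset/jgt/jge, ret).
    Returns (verdict, instructions executed); verdict 0 drops the frame, anything else accepts it."""
    acc = idx = pc = steps = 0
    while True:
        op, arg = prog[pc]
        steps += 1
        if op == "ret":
            return int(arg.lstrip("#"), 0), steps
        if op in SIZE:                                  # absolute or X-indexed load into A
            m = LOAD.fullmatch(arg)
            off = int(m.group(2), 0) + (idx if m.group(1) else 0)
            if off + SIZE[op] > len(pkt):               # load past the end: frame is dropped
                return 0, steps
            acc = int.from_bytes(pkt[off:off + SIZE[op]], "big")
            pc += 1
        elif op == "ldxb":                              # ldxb 4*([k]&0xf): IPv4 header length into X
            k = int(re.search(r"\[(\d+)\]", arg).group(1))
            if k >= len(pkt):
                return 0, steps
            idx = 4 * (pkt[k] & 0xF)
            pc += 1
        elif op in ("jeq", "jset", "jgt", "jge"):
            k, jt, jf = JUMP.fullmatch(arg).groups()
            k = int(k, 0)
            taken = {"jeq": acc == k, "jset": acc & k != 0, "jgt": acc > k, "jge": acc >= k}[op]
            pc = int(jt) if taken else int(jf)
        else:
            raise ValueError(f"opcode not supported by this toy interpreter: {op}")

ETH_IPV4 = bytes(12) + b"\x08\x00"   # constructed all-zero MACs + EtherType IPv4

def ipv4_frame(l4_bytes, proto=17, frag_offset=0, more_frags=False):
    """Constructed Ethernet/IPv4 frame; frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0x1234, flags_frag,
                     64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ETH_IPV4 + ip + l4_bytes

def udp(payload, sport=7400, dport=7400):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic: one large RTPS datagram split in two, plus an unrelated UDP packet.
RTPS_FIRST = ipv4_frame(udp(b"RTPS" + b"\x02\x03" * 30), more_frags=True)
RTPS_SECOND = ipv4_frame(b"\x00" * 64, frag_offset=185)   # continuation: no UDP header at all
OTHER_UDP = ipv4_frame(udp(b"\x12\x34\x01\x00"))           # some other UDP payload

def is_ip_fragment(frame):
    """Python rendering of "ip[6:2] & 0x3fff != 0x0000" (assumed semantics: MF bit or non-zero offset)."""
    return frame[12:14] == b"\x08\x00" and int.from_bytes(frame[20:22], "big") & 0x3FFF != 0

def fragment_or_rtps(frame):
    """The combined filter "(ip[6:2] & 0x3fff != 0x0000) or (udp[8:4] = 0x52545053)",
    evaluated as the OR of its two halves instead of from a compiled listing (assumption)."""
    return is_ip_fragment(frame) or run_bpf(parse(PROG_WORD), frame)[0] != 0

if __name__ == "__main__":
    for name, frame in [("first fragment", RTPS_FIRST), ("second fragment", RTPS_SECOND), ("other udp", OTHER_UDP)]:
        print(name, run_bpf(parse(PROG_WORD), frame), run_bpf(parse(PROG_BYTES), frame), fragment_or_rtps(frame))
```

Running it shows the first fragment accepted by both listings (verdict 262144, the snapshot length) in 10 versus 16 instructions, the second fragment rejected by both after 7 instructions because of the `jset #0x1fff` branch, and only the combined filter accepting both fragments while still dropping the unrelated UDP packet. The interpreter is deliberately limited to the opcodes in these two listings; a `dumpcap -d` listing that uses other instructions raises `ValueError` rather than silently misreporting a verdict.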


From: Wireshark-users [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Juanjo Martin Carrascosa
Sent: Wednesday, September 12, 2018 6:06 AM
To: Wireshark-users () wireshark org
Subject: [Wireshark-users] Capture filter expression

Hi everyone,

In the RTPS protocol (IP -> UDP -> RTPS) the payload is identified with the first 4 bytes of the UDP payload (it literally contains "RTPS").

The problem is that when RTPS packets are bigger than 1500 bytes, they are formed by 2+ IP fragments where only the first one contains the RTPS magic word.

That is why this capture filter:

"(udp[8] == 'R' && udp[9] == 'T' && udp[10] == 'P' && udp[11] == 'S')"

would not work, because this is true only for the first IP fragment. I have tested and verified that other IP fragments (2nd and beyond) are not captured.

1) Is there any way to configure Wireshark, pcap or ANYTHING to make it reassemble the fragments first and then evaluate the capture filter?

2) Can you think of another way to write a capture filter to only capture RTPS traffic?

Regards,
Juanjo Martin