Map LLRP capture info to display filter?

Hi,

I have captured network traffic that includes LLRP transactions. In the "Info" column there are descriptions like: (Get Reader Config), (Get Reader Config Response), (Delete AccessSpec), (Keepalive), and more.

I would like to apply display filters to this. Through trial and error, I have figured out how to filter on Get Reader Config, Get Reader Config Response & RO Access Report.

The trial & error method is tedious. The issue for me is that the descriptions in the "Info" column do not reflect anything about the filter name. Is there a way to map these to make finding the correct filter easier?

For example, I have:

Low Level Reader Protocol

...0 01.. = Version: 1.0.1 (1)
.... ..00 0011 1110 = Type: Keepalive (62)
Length: 10
ID: 36225

I would like to filter out these from the display with llrp.xxxxx.yyyyyyy. The only filter with the phrase "alive" in the filter list is "llrp.param.keepalive_trig_type". BUT, this does not filter the Keepalive packets I have captured. Instead, "llrp.param.keepalive_trig_type" displays "Set Reader Config" & "Get Reader Config Response".

Is there a simple way that these "Info" descriptions and filter selections can be mapped/related?

WSharkScreenName
asked 2020-01-31 14:35:12 +0000

Comments

Here are the associations I have figured out so far. They may be helpful to other users:

llrp.param.conf_value          = (Get Reader Config Response)
llrp.param.gpi_config          = (Get Reader Config Response)
llrp.param.keepalive_trig_type = (Set Reader Config),(Get Reader Config Response) shows both
llrp.req_conf                  = (Get Reader Config)
llrp.param.access_result       = (RO Access Report)

(I hate not having fixed width Courier font as an option here. Also had to put in a bunch of blank lines because of the default formatting)

I'm not sure why different filters seem to act on the command such as (Get Reader Config Response).

WSharkScreenName (2020-01-31 16:23:34 +0000)

@WSharkScreenName, use the "code formatting" option to get fixed width markdown.

grahamb (2020-01-31 16:35:49 +0000)

1 Answer

Simple? That depends. If you're comfortable reading source code you can find how the Info column text is composed, and which protocol tree items are added doing that. The field info defines the available display filters. If all this makes no sense then no, this is not simple. As said, the composition of the Info column is independent of the construction of the protocol tree, as seen in the packet details, where the display filter applies.

Jaap
answered 2020-01-31 15:15:48 +0000

Comments

I will not be allowed time to learn Wireshark code. I am pretty loaded with our own code work. I will just work through it. I just don't have the time to become a WS code or user expert at this point. Thanks for clarification on this matter though.

WSharkScreenName (2020-01-31 16:28:51 +0000)
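The answer's point is that the Info label and the display filter are two different views of the same header fields. As an added illustration (not code from the question, the answer, or Wireshark itself), the script below decodes the 10-byte LLRP header shown in the question (3 reserved bits, 3-bit version, 10-bit type, then 32-bit length and ID), produces the Info-style label from the type number, and maps that label back to a filter expression on the type field. Only Keepalive (62) is confirmed by the page; the other type numbers are taken from the LLRP 1.0.1 message-type table, and the field name `llrp.type` is an assumption about the dissector that should be checked against `tshark -G fields`.

```python
import struct

# Message-type numbers. Keepalive (62) is the value shown in the question's
# packet details; the others are taken from the LLRP 1.0.1 message-type table
# (an assumption of this example, not something the page states).
LLRP_MESSAGE_TYPES = {
    2: "Get Reader Config",
    3: "Set Reader Config",
    12: "Get Reader Config Response",
    13: "Set Reader Config Response",
    41: "Delete AccessSpec",
    61: "RO Access Report",
    62: "Keepalive",
    72: "Keepalive Ack",
}

# Assumed Wireshark field name for the "Type" item of the LLRP tree;
# confirm with: tshark -G fields | grep 'llrp\.'
TYPE_FIELD = "llrp.type"

HEADER_LEN = 10  # 2 bytes version/type, 4 bytes length, 4 bytes ID


def parse_llrp_header(data: bytes) -> dict:
    """Decode the fixed LLRP message header.

    First 16 bits: 3 reserved bits, 3-bit version (mask 0x1C00),
    10-bit message type (mask 0x03FF), matching the bitfield lines
    in the question's packet details.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("need at least %d bytes, got %d" % (HEADER_LEN, len(data)))
    ver_type, length, msg_id = struct.unpack("!HII", data[:HEADER_LEN])
    version = (ver_type & 0x1C00) >> 10
    msg_type = ver_type & 0x03FF
    if length < HEADER_LEN:
        # A length smaller than the header itself is malformed.
        raise ValueError("declared length %d shorter than header" % length)
    return {
        "version": version,
        "type": msg_type,
        "info": LLRP_MESSAGE_TYPES.get(msg_type, "Unknown (%d)" % msg_type),
        "length": length,
        "id": msg_id,
    }


def filter_for_info(info: str) -> str:
    """Map an Info-column label back to a display filter on the type field."""
    for number, name in LLRP_MESSAGE_TYPES.items():
        if name.lower() == info.lower():
            return "%s == %d" % (TYPE_FIELD, number)
    raise KeyError("no message type named %r" % info)


def split_messages(stream: bytes) -> list:
    """Walk back-to-back LLRP messages in a byte stream using the Length field."""
    messages = []
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        hdr = parse_llrp_header(stream[offset:])
        if offset + hdr["length"] > len(stream):
            break  # truncated trailing message: stop rather than misparse
        messages.append(hdr)
        offset += hdr["length"]
    return messages


# Constructed sample: the Keepalive header from the question
# (version 1, type 62, length 10, ID 36225) followed by a constructed
# Keepalive Ack (type 72) carrying the same ID.
SAMPLE_STREAM = bytes.fromhex("043e0000000a00008d81") + bytes.fromhex("04480000000a00008d81")

if __name__ == "__main__":
    for msg in split_messages(SAMPLE_STREAM):
        print("(%s)  ->  %s" % (msg["info"], filter_for_info(msg["info"])))
```

Running it prints `(Keepalive) -> llrp.type == 62` and the corresponding line for the Ack; the same expression can then be tried as `tshark -r capture.pcapng -Y 'llrp.type == 62'`. The general lesson is the one in the answer: the Info text is derived from a field value, so the reliable way to find a filter is to look up which field carries that value (here the Type item of the LLRP tree) rather than searching the filter list for words from the Info column.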
