
How do I find two consecutive frames from the same IP source address

I have a capture file where two source addresses normally alternate so frame.number will increment and the ip.src will alternate between the two addresses. In a fault condition, one source address will not transmit for a few packets. In that case the frame.number increments but ip.src remains the same. How do I create a display filter to show the fault condition?

Roche, asked 2021-04-01 09:35:26 +0000


3 Answers


You can't. Display filters operate on each packet in turn, deciding whether it should be displayed or not based on the content of that packet; you can't reference any other packet.

You could use tshark to output the data and then use a post-processing script to check for the violations. A suitable invocation of tshark to just output the frame number and source ip address in csv form would be:

tshark -r <capture file> -T fields -E "separator=," -e frame.number -e ip.src <optional display filter>

The <optional display filter> is for when you need to restrict the output to your protocol. On Windows you will need to provide the full path to tshark (usually C:\Program Files\Wireshark\tshark) as it's not on the path.

grahamb, answered 2021-04-01 09:52:05 +0000, updated 2021-04-01 10:10:47 +0000
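A post-processing script of the kind this answer describes, added here as an example (it is not Graham's code): it reads the two-column CSV that the tshark invocation above prints and reports every run of consecutive frames carrying the same source address. The sample data is constructed.

```python
import csv
import io
import sys

# Constructed sample of what "tshark -T fields -E separator=, -e frame.number -e ip.src"
# prints. Frames 5-7 show the fault: 10.0.0.2 goes quiet and 10.0.0.1 sends
# three times in a row. Addresses are made up.
SAMPLE = """1,10.0.0.1
2,10.0.0.2
3,10.0.0.1
4,10.0.0.2
5,10.0.0.1
6,10.0.0.1
7,10.0.0.1
8,10.0.0.2
9,10.0.0.1
"""


def parse_tshark_csv(text):
    """Yield (frame_number, ip_src) pairs; frames with no IP layer are skipped
    because tshark leaves the ip.src field empty for them."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1]:
            continue
        yield int(row[0]), row[1]


def find_repeats(frames):
    """Return [(first_frame, last_frame, ip_src), ...] for every run of two or
    more consecutive frames (in output order) with the same source address."""
    runs = []
    prev_num = prev_src = start = None
    for num, src in frames:
        if src == prev_src:
            if start is None:
                start = prev_num  # a run begins at the previous frame
        elif start is not None:
            runs.append((start, prev_num, prev_src))
            start = None
        prev_num, prev_src = num, src
    if start is not None:  # run still open at end of input
        runs.append((start, prev_num, prev_src))
    return runs


if __name__ == "__main__":
    # Usage: python check_alternation.py tshark_output.csv  (no file: built-in sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for first, last, src in find_repeats(parse_tshark_csv(data)):
        print(f"frames {first}-{last}: {src} sent {last - first + 1} times in a row")
```

Because the check works on output order rather than on frame.number arithmetic, it still works when the optional display filter leaves gaps in the frame numbers.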

Comments

Thanks Graham, I really appreciate the answer and the quick response, Regards, Roche

Roche (2021-04-01 10:04:20 +0000)

If it's a one off, tshark with a script or into a spreadsheet is probably quickest.

If it's something to be done on a regular basis (and you're ok with Lua), look at ip_src_alternate.lua in the Contrib section of the Wireshark Wiki.

Chuckc (2021-04-01 17:18:04 +0000)

Sometimes you can solve this kind of problem if the higher level protocol dissectors have a "request in/answer in" field, and filter on all request packets which have no "answer in" field (e.g. ICMP echo request packets).

Jasper (2021-04-02 13:34:03 +0000)

You may be able to visually spot the condition by plotting it using Statistics -> I/O Graphs. Add 2 graph entries:

  • IP Source 1, ip.src eq x.x.x.x, Y Axis = Packets
  • IP Source 2, ip.src eq y.y.y.y, Y Axis = Packets

In the normal case, you should see alternating spikes; in the fault condition, they won't alternate. You may need to adjust the Colors, Styles and Interval setting to better see the 2 distinct plots, depending on your needs.

cmaynard (2021-04-02 14:07:02 +0000)

Another idea where you might be able to spot the fault condition visually would be to apply a new coloring rule (View -> Coloring Rules) for packets matching IP Source 1 and a different coloring rule for packets matching IP Source 2.

cmaynard (2021-04-02 14:19:41 +0000)

Follow TCP stream or follow UDP stream would be my first step.

hugo.vanderkooij, answered 2021-04-02 11:58:49 +0000


If:

  • the packets from IP1 belong to the same UDP or TCP stream and
  • the packets from IP2 belong to the same UDP or TCP stream and
  • the packets are sent at regular intervals (like 20ms for RTP for instance)

Then you can filter on the stream delta times:

udp.time_delta > 0.025 or tcp.time_delta > 0.025

Another way would be to filter or search on the frame.number itself being odd or even in combination with the IP addresses, but then you need to know the starting conditions. If IP1 is on the odd frame.numbers and IP2 is on the even frame.numbers, then the following filter will spot packets that do not follow the pattern:

(ip.addr==<IP1> and not frame.number&1) or (ip.addr==<IP2> and frame.number&1)

SYN-bit, answered 2021-04-02 23:46:25 +0000
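The parity filter from this answer, evaluated in Python over constructed (frame.number, ip.src) pairs such as tshark prints, to show which frames it selects and how it behaves once unrelated traffic appears. This is an added example, not code from the thread; the addresses are made up.

```python
from typing import Iterable, List, Tuple

# IP1 is expected on odd frame numbers, IP2 on even ones (the starting
# condition the answer says you need to know). Constructed addresses.
IP1, IP2 = "10.0.0.1", "10.0.0.2"


def breaks_pattern(frame_number: int, ip_src: str, ip1: str = IP1, ip2: str = IP2) -> bool:
    """Python equivalent of the display filter
       (ip.addr==IP1 and not frame.number&1) or (ip.addr==IP2 and frame.number&1)
    True when the frame sits on the wrong parity for its source address."""
    odd = bool(frame_number & 1)
    return (ip_src == ip1 and not odd) or (ip_src == ip2 and odd)


def flagged(frames: Iterable[Tuple[int, str]]) -> List[int]:
    """Frame numbers the filter would display."""
    return [num for num, src in frames if breaks_pattern(num, src)]


# Constructed fault: IP2 misses its turn at frame 4. Every later frame is
# shifted by one, so the filter shows the whole tail from frame 4 on; the
# first flagged frame is where the alternation broke.
FAULT = [(1, IP1), (2, IP2), (3, IP1), (4, IP1), (5, IP2), (6, IP1)]

# Constructed counter-case for grahamb's caveat below: an unrelated host
# occupies frame 3. IP1 and IP2 still alternate correctly, yet every frame
# after 3 is flagged, so the capture (or tshark's display filter) must be
# limited to the two hosts before frame.number parity means anything.
OTHER = [(1, IP1), (2, IP2), (3, "192.168.1.9"), (4, IP1), (5, IP2)]


if __name__ == "__main__":
    print("fault case flags:", flagged(FAULT))          # [4, 5, 6]
    print("other-traffic case flags:", flagged(OTHER))  # [4, 5]
```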

Comments

Need more coffee. Took a bit for that to click. :-)
Display Filter comparison operators: bitwise_and (&), "Bitwise AND is non-zero", e.g. tcp.flags & 0x02

Chuckc (2021-04-02 23:58:37 +0000)

The frame number comparison will fail if there is traffic in the capture other than that being tested.

grahamb (2021-04-03 10:20:54 +0000)

@grahamb True, it will fail if there is other traffic, but I took the original question literally:

I have a capture file where two source addresses normally alternate so frame.number will increment and the ip.src will alternate between the two addresses.

SYN-bit (2021-04-04 15:37:31 +0000)