
compound filter

I need to create a filter to see a particular event that occurs but I am finding it difficult since there are two packets that are always generated...

A frame.len==97 and TLSv1.2 packet is generated twice every second, but it is also generated immediately after a frame.len==118 and TLSv1.2 packet is generated. I am interested in capturing the combination of frame.len==118 and the frame.len==97 that immediately follows it, and ignoring the rest of the frame.len==97 packets that either fall before the frame.len==118 packet or otherwise.

Whenever a 118 packet is generated, a 97 follows it immediately within 0.02s.

Can anyone help with this particular filter?

noobie1090904 asked 2021-04-12 09:55:59 +0000

Comments

Do these two frames appear in the same TCP connection? If so, does a filter like frame.len == 97 && tcp.time_delta < 0.02 help out?

If not, a MATE or Lua script might help out, as with MATE and Lua you are able to keep state and therefore create a filter for packet sequences.

SYN-bit (2021-04-12 15:11:35 +0000)

Thanks, I'll try this and get back and let you know if the frames are in the same TCP connection!

noobie1090904 (2021-04-13 07:32:48 +0000)

Are you trying to find a delta time greater or less than .02? The filter will display packets that match the TCP delta time, but you will have to manually verify whether the previous frame was 97 or 112 bytes. Maybe a more specific filter to narrow the output down to a couple of frames, then manually checking the previous frame, will be easier.

BigFatCat (2021-04-15 02:26:49 +0000)

If you have the time, this would be a great exercise to learn Lua plugins for Wireshark.
There are some examples here: Statistic Taps or Post-Dissectors

Or pick your favorite hammer (shell script, spreadsheet, COBOL?), extract the data to a flat file with tshark, process it for frame numbers you care about and at the end output a filter like:

frame.number in {41 42 56 57}

This decouples the packet search from the analysis and allows you to use the best tool for each.

Chuckc (2021-04-15 03:09:33 +0000)
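The tshark-plus-script approach Chuckc describes, as an added example that is not code from any participant in this thread: a Python script that reads frame.number, frame.time_relative, frame.len and tcp.stream fields exported by tshark (the tshark invocation in the comment is an assumed one), keeps state per TCP stream so that only the 97-byte frame that is the very next frame after a 118-byte frame in the same stream within 0.02 s is paired, and prints the frame.number filter. The sample rows are constructed; they include a 97 that follows another 97 within 0.02 s, the false positive that a plain frame.time_delta_displayed filter cannot rule out.

```python
"""Pair each frame.len==118 frame with the frame.len==97 frame that immediately
follows it in the same TCP stream, then emit a frame.number display filter.
Added example; not part of the original thread."""
import csv
import io

# Assumed tshark command producing the CSV below (not run by this script):
#   tshark -r capture.pcapng -Y tls -T fields -E separator=, \
#     -e frame.number -e frame.time_relative -e frame.len -e tcp.stream
# Constructed sample output: frame.number, frame.time_relative, frame.len, tcp.stream
SAMPLE = """\
40,1.000,97,3
41,1.500,118,3
42,1.512,97,3
43,1.520,97,3
55,2.450,118,3
56,2.460,97,4
57,2.465,97,3
58,2.490,118,3
59,2.530,97,3
"""
# Frame 43 is a 97 only 0.008 s after another 97 (a false positive for a pure
# time-delta filter); 56 is a 97 in a different stream; 59 arrives too late.


def parse_tshark_csv(text):
    """Parse tshark -T fields CSV rows into (number, time, length, stream) tuples."""
    return [(int(n), float(t), int(ln), int(s))
            for n, t, ln, s in csv.reader(io.StringIO(text))]


def find_pairs(rows, big=118, small=97, max_gap=0.02):
    """Return (big_frame, small_frame) pairs where the small frame is the next
    frame seen in the same TCP stream and arrives within max_gap seconds."""
    pairs = []
    pending = {}  # tcp.stream -> (frame.number, time) of a big frame awaiting its partner
    for num, t, ln, stream in rows:
        prev = pending.pop(stream, None)  # any other frame in the stream breaks the pair
        if prev is not None and ln == small and t - prev[1] <= max_gap:
            pairs.append((prev[0], num))
        if ln == big:
            pending[stream] = (num, t)
    return pairs


def to_filter(pairs):
    """Render the paired frame numbers as a Wireshark display filter."""
    nums = sorted(n for pair in pairs for n in pair)
    return "frame.number in {" + " ".join(map(str, nums)) + "}"


if __name__ == "__main__":
    print(to_filter(find_pairs(parse_tshark_csv(SAMPLE))))
```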

1 Answer


Display filters only operate on the information in a single frame, to decide whether that frame should be displayed or not, as such they can't create "associations" between frames.

Some protocols include references to other frames in their data, e.g. "this is a response to request in frame xxx" that can be used in display filters, but I don't think that's relevant for your case.

Maybe you could try a filter that selects frames by the bigger length, or by the shorter length and the time delta to the previously displayed packet, e.g.

(frame.len == 118) || ((frame.len == 97) && (frame.time_delta_displayed < 0.02))

Depending on the timings, this might still display frames with length 97 that aren't related to the 118 frame but do occur less than 0.02s after another length 97 frame.

grahamb answered 2021-04-12 10:30:02 +0000

Comments

Thanks grahamb, I'll try this and let you know how it works out!

noobie1090904 (2021-04-13 07:33:27 +0000)
