
capture filter to filter sctp heartbeat,heartbeat ack and DWR,DWA


We have set up a Wireshark monitoring server in our lab. We have used a capture filter to filter traffic from specific ports. However, there is a lot of SCTP heartbeat exchange and Device Watchdog requests/responses between the nodes, and this is causing overload on the server and the Wireshark application is slowing down.

Is it possible to use a capture filter at the SCTP level to filter out SCTP heartbeat chunks and DWR/DWA? Is this supported yet by the Wireshark application? I tried the command below, for which an answer on this website was provided on 07 Aug 2014, but I got a syntax error. Can you please provide me with the correct syntax?

sudo tcpdump -i eth1 sctp ip[x:1]=04 and ip[x:1]=05

janardhan
asked 2022-02-02 19:47:45 +0000
updated 2022-02-03 08:45:07 +0000 by grahamb


1 Answer


SCTP is one of the protocols that a capture filter (pcap-filter) understands.

To access data inside the packet, use the following syntax:
proto [ expr : size ]

The RFC (RFC 2960) shows there are 12 bytes before the chunk type, which is the 13th byte, i.e. byte offset 12:

                         SCTP Packet format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Common Header                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #1                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           ...                                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Chunk #n                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         SCTP Common Header Format

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Source Port Number        |     Destination Port Number   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Verification Tag                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Checksum                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Chunk Fields

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Chunk Type  | Chunk  Flags  |        Chunk Length           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      \                                                               \
      /                          Chunk Value                          /
      \                                                               \
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

where

   ID Value    Chunk Type
   -----       ----------
   0          - Payload Data (DATA)
   1          - Initiation (INIT)
   2          - Initiation Acknowledgement (INIT ACK)
   3          - Selective Acknowledgement (SACK)
   4          - Heartbeat Request (HEARTBEAT)
   5          - Heartbeat Acknowledgement (HEARTBEAT ACK)
   6          - Abort (ABORT)
   7          - Shutdown (SHUTDOWN)
   8          - Shutdown Acknowledgement (SHUTDOWN ACK)
   9          - Operation Error (ERROR)
   10         - State Cookie (COOKIE ECHO)
   11         - Cookie Acknowledgement (COOKIE ACK)
   12         - Reserved for Explicit Congestion Notification Echo (ECNE)
   13         - Reserved for Congestion Window Reduced (CWR)
   14         - Shutdown Complete (SHUTDOWN COMPLETE)
   15 to 62   - reserved by IETF
   63         - IETF-defined Chunk Extensions
   64 to 126  - reserved by IETF
   127        - IETF-defined Chunk Extensions
   128 to 190 - reserved by IETF
   191        - IETF-defined Chunk Extensions
   192 to 254 - reserved by IETF
   255        - IETF-defined Chunk Extensions

Heartbeat is Type = 4 and HEARTBEAT ACK is Type = 5

A capture filter to drop SCTP type 4 and 5:

sctp[12:1] != 4 and sctp[12:1] != 5

pcap-filter does not break out the Diameter protocol, so it gets more complicated to exclude DWR/DWA.

(The previous Ask question that was mentioned: Capture filter to filter SCTP heartbeak chunks)

Chuckc
answered 2022-02-02 23:26:26 +0000
updated 2022-02-03 08:51:00 +0000 by grahamb
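As an added worked example (not part of the answer above, and not code from the Wireshark or libpcap projects), the following Python walks the chunk list of a raw SCTP packet and emulates what the byte-offset capture filter actually loads. It shows two things the prose only implies: sctp[12:1] tests the type of the first bundled chunk only, so a HEARTBEAT bundled behind a DATA chunk still passes the filter; and where the Diameter command code sits when the first chunk is a DATA chunk whose user data begins with a Diameter header (SCTP offset 12 + 16-byte DATA chunk header = 28, command code at bytes 33..35). The packets are constructed inline with the checksum left as zero. Port 3868, PPID 46 and command code 280 (Device-Watchdog, shared by DWR and DWA) are taken from the Diameter RFCs, not from this page, and the function and constant names are my own.

```python
import struct

# Layout constants from RFC 4960 (SCTP) and RFC 6733 (Diameter); assumptions
# of this example, not values stated on the page.
SCTP_COMMON_HEADER_LEN = 12     # src port(2) + dst port(2) + verification tag(4) + checksum(4)
CHUNK_HEADER_LEN = 4            # chunk type(1) + chunk flags(1) + chunk length(2)
DATA_CHUNK_FIXED_LEN = 16       # chunk header(4) + TSN(4) + stream id(2) + stream seq(2) + PPID(4)
DIAMETER_HEADER_LEN = 20
DATA, HEARTBEAT, HEARTBEAT_ACK = 0, 4, 5
DIAMETER_DEVICE_WATCHDOG = 280  # command code shared by DWR (R flag set) and DWA (R flag clear)


def iter_chunks(pkt: bytes):
    """Yield (offset, type, flags, length) for every chunk bundled in one SCTP packet."""
    off = SCTP_COMMON_HEADER_LEN
    while off + CHUNK_HEADER_LEN <= len(pkt):
        ctype, flags, length = struct.unpack_from("!BBH", pkt, off)
        if length < CHUNK_HEADER_LEN or off + length > len(pkt):
            raise ValueError(f"bad chunk length {length} at offset {off}")
        yield off, ctype, flags, length
        off += (length + 3) & ~3   # chunks are padded to a 4-byte boundary


def chunk_types(pkt: bytes) -> list:
    """Types of all chunks in the packet, in order (a full walk, unlike the BPF filter)."""
    return [ctype for _, ctype, _, _ in iter_chunks(pkt)]


def bpf_first_chunk_type(pkt: bytes) -> int:
    """What the capture filter term sctp[12:1] loads: the type byte of the FIRST chunk only."""
    return pkt[12]


def passes_heartbeat_filter(pkt: bytes) -> bool:
    """Emulates the answer's filter: sctp[12:1] != 4 and sctp[12:1] != 5"""
    t = bpf_first_chunk_type(pkt)
    return t != HEARTBEAT and t != HEARTBEAT_ACK


def diameter_command_codes(pkt: bytes) -> list:
    """Command code of each Diameter message carried at the start of a DATA chunk's user data."""
    codes = []
    for off, ctype, _, length in iter_chunks(pkt):
        if ctype != DATA or length < DATA_CHUNK_FIXED_LEN + DIAMETER_HEADER_LEN:
            continue
        diam = pkt[off + DATA_CHUNK_FIXED_LEN: off + length]
        if diam[0] == 1:   # Diameter version byte
            codes.append(int.from_bytes(diam[5:8], "big"))   # 24-bit command code after the flags byte
    return codes


def bpf_first_data_chunk_diameter_code(pkt: bytes) -> int:
    """Emulates sctp[33:1] (high byte) and sctp[34:2] (low 16 bits) combined. Only meaningful
    when the first chunk is DATA and its user data starts with a Diameter header."""
    return (pkt[33] << 16) | int.from_bytes(pkt[34:36], "big")


# ---- constructed sample packets (not captured traffic; CRC32c checksum left as zero) ----
COMMON_HEADER = struct.pack("!HHII", 3868, 3868, 0x11223344, 0)
# HEARTBEAT chunk: type 4, flags 0, length 12, one Heartbeat Info parameter (type 1, length 8)
HEARTBEAT_CHUNK = (struct.pack("!BBH", HEARTBEAT, 0, 12)
                   + struct.pack("!HH", 1, 8) + b"\x00\x00\x00\x01")
# Diameter DWR header: version 1, length 20, flags 0x80 (request), code 280,
# application id 0, hop-by-hop 1, end-to-end 1
DWR = (bytes([1]) + (20).to_bytes(3, "big") + bytes([0x80])
       + DIAMETER_DEVICE_WATCHDOG.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1))
# DATA chunk: flags 0x03 (B and E bits, unfragmented), TSN 1, stream 0, seq 0, PPID 46 (Diameter)
DATA_CHUNK = struct.pack("!BBHIHHI", DATA, 0x03, DATA_CHUNK_FIXED_LEN + len(DWR), 1, 0, 0, 46) + DWR

PKT_HEARTBEAT = COMMON_HEADER + HEARTBEAT_CHUNK
PKT_DWR = COMMON_HEADER + DATA_CHUNK
PKT_BUNDLED = COMMON_HEADER + DATA_CHUNK + HEARTBEAT_CHUNK   # heartbeat bundled behind DATA


if __name__ == "__main__":
    for name, pkt in [("heartbeat", PKT_HEARTBEAT), ("dwr", PKT_DWR), ("bundled", PKT_BUNDLED)]:
        print(name, chunk_types(pkt), "passes filter:", passes_heartbeat_filter(pkt),
              "diameter codes:", diameter_command_codes(pkt))
```

Two practical checks follow from this. First, compile the expression before using it: `tcpdump -d 'sctp[12:1] != 4 and sctp[12:1] != 5'` prints the BPF program without capturing, and the single quotes matter because `[`, `!` and `and` are otherwise interpreted by the shell. Second, the bundled packet shows the filter's limit: it only inspects the first chunk, so a HEARTBEAT bundled after a DATA chunk is still captured; in practice heartbeats are usually sent alone, so the filter removes most of them. For DWR/DWA, an expression built on the same offsets, `sctp[12:1] = 0 and sctp[33:1] = 0 and sctp[34:2] = 280` (negate with `not (...)` to exclude), is my derivation from the layout above and assumes the Diameter message starts at the beginning of the first DATA chunk's user data; validate it with `tcpdump -d` and against a real capture before relying on it, and check the pcap-filter(7) man page for your libpcap version, since upper-layer index operations have historically been documented as applying to IPv4 only.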

