
filter for "data" to match packets

Dear all,

When I run tshark on a particular trace file (file1.pcap) where let's say frame #1 is important to me and I want to search for the exact same frame inside another trace file (file2.pcap), here is what I try to do:

  1. tshark -r file1.pcap -Y frame.number==1 -Tfields -e data. This gives me the payload of the frame without its headers as a hex stream (same as if I right-click inside the hex pane).
  2. For the other file where the exact same packet is also captured, I try to filter for that hex stream, e.g. using tshark -r file2.pcap -Y data=="<paste from step1>" or tshark -r file2.pcap -Y data contains "<subset from that string>"

which both don't work.

However, if I use -Y "data contains 80:00:00" where 80:00:00 is just a random example it works.

So my question is how to match the -Tfields -e data output for "data" filtering without adding colons between every byte :)

asked by Landi, 2018-10-28 17:41:24 +0000; updated by cmaynard, 2018-10-29 16:49:48 +0000


1 Answer


I don't have an answer for your exact question, but I might have a workable alternative for you.

Instead of using the following to get the payload:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data

Try using this instead:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data.data

That will produce the bytes separated by colons (:), making it easier to copy/paste for the next step:

tshark -r file2.pcap -Y "data==<paste from step1>"

or

tshark -r file2.pcap -Y "data contains <paste of subset from step1>"

It is odd that -Y and -e don't seem to work the same with respect to data and data.data. Maybe file a bug report for that?

EDIT: I guess it's not really all that odd after all. data is the name of the protocol, whereas data.data is the byte array field of the data dissector. If you were instead to run something like tshark -r file1.pcap -Y frame.number==1 -T fields -e eth, you would see the Ethernet summary line displayed and not the 14 bytes of the Ethernet header. So you're seeing the same with the data dissector here too; it's like the summary line.

Now what's curious is that this summary line should just be text and thus one might expect it to be searchable with the matches (~) operator, as opposed to the contains operator, but that doesn't work. It might be interesting to see if an enhancement could be made to allow for protocol summary lines to work with string operators like matches (~).

answered by cmaynard, 2018-10-29 15:24:05 +0000; updated 2018-10-29 16:08:25 +0000

Comments

That's exactly what I figured - and for sure that works, at least with -Tfields -e data.data and then searching for data==<paste>. I'm just confused that the colon-separated output is not available if you right-click into the HEX section using the Wireshark GUI. There you can only copy the HEX stream, which is not usable for filtering, so maybe there is room for improvement with the "data" filter here ;)

Landi (2018-10-29 15:31:22 +0000)

Another possibility?

Step 1:

tshark -o data.md5_hash:TRUE -r file1.pcap -Y frame.number==1 -T fields -e data.md5_hash

Step 2:

tshark -o data.md5_hash:TRUE -r file2.pcap -Y "data.md5_hash == <MD5 hash from step1>"

cmaynard (2018-10-29 15:44:30 +0000)

FYI: Bug 15392 has been opened to address the problem with the matches (~) operator not working with protocols as it should be according to the wireshark-filter man page.

cmaynard (2019-01-03 21:11:10 +0000)
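The procedure from the answer (copy the payload of one frame, then filter the second capture with `data ==` / `data contains` on the colon-separated byte string) and the `data.md5_hash` alternative from the comment, put together as one added example. This is not code from the original post or from the Wireshark project. It assumes the payload is available either as the bare hex stream Wireshark copies from the hex pane (e.g. "800000011234abcd") or as the colon-separated output of `tshark -T fields -e data.data`, and that the packet's payload is left undissected in both captures, because only then does the `data` dissector (and with it the `data.data` and `data.md5_hash` fields) exist on the frame to match against. The sample payload is constructed.

```python
"""Locate one frame's payload in another capture with tshark display filters.

Added example, not code from the original post. Accepts the payload as a
bare hex stream (hex pane copy) or as colon-separated bytes (data.data output)
and builds the three filter forms discussed on the page.
"""
import hashlib
import os
import re
import shutil
import subprocess
from typing import List, Optional


def normalize_hex(text: str) -> bytes:
    """Turn 'aabbcc', 'aa:bb:cc', 'aa bb cc' or upper-case variants into bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: %r" % text)
    return bytes.fromhex(digits)


def colon_hex(payload: bytes) -> str:
    """Byte-string literal form the display filter engine accepts, e.g. 80:00:00."""
    return ":".join("%02x" % b for b in payload)


def exact_filter(payload: bytes) -> str:
    """`data == aa:bb:...` matches only a frame whose whole payload is identical."""
    return "data == " + colon_hex(payload)


def contains_filter(payload: bytes, offset: int = 0,
                    length: Optional[int] = None) -> str:
    """`data contains ...` on a slice, for packets that differ elsewhere
    (e.g. a changed sequence number) but share a distinctive chunk."""
    end = None if length is None else offset + length
    chunk = payload[offset:end]
    if not chunk:
        raise ValueError("empty slice of payload")
    return "data contains " + colon_hex(chunk)


def md5_filter(payload: bytes) -> str:
    """Same match as exact_filter, but via data.md5_hash (the comment's approach);
    tshark only fills that field when run with -o data.md5_hash:TRUE."""
    return "data.md5_hash == " + hashlib.md5(payload).hexdigest()


def tshark_command(pcap: str, display_filter: str) -> List[str]:
    """Argument vector for tshark; turns on payload hashing when the filter needs it."""
    cmd = ["tshark"]
    if display_filter.startswith("data.md5_hash"):
        cmd += ["-o", "data.md5_hash:TRUE"]
    cmd += ["-r", pcap, "-Y", display_filter, "-T", "fields", "-e", "frame.number"]
    return cmd


def matching_frames(pcap: str, display_filter: str) -> Optional[List[int]]:
    """Run tshark if it is installed and return the matching frame numbers;
    None when tshark is not on PATH, so the module still works offline."""
    if shutil.which("tshark") is None:
        return None
    proc = subprocess.run(tshark_command(pcap, display_filter),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return [int(line) for line in proc.stdout.split() if line.isdigit()]


if __name__ == "__main__":
    # Constructed sample: what a hex-pane copy of frame #1's payload might look like.
    copied = "800000011234abcd"
    payload = normalize_hex(copied)
    for flt in (exact_filter(payload), contains_filter(payload, 0, 3), md5_filter(payload)):
        print(" ".join(tshark_command("file2.pcap", flt)))
        if os.path.exists("file2.pcap"):
            print("  matching frames:", matching_frames("file2.pcap", flt))
```

When typing the generated filter into a shell rather than passing it as an argv element, quote it (`-Y "data == 80:00:00:01"`) because it contains spaces; the argument vector built by `tshark_command` needs no quoting. The `data.md5_hash` route is convenient for long payloads, but remember it is only an equality check on the whole payload, so for near-duplicates use `contains_filter` on the distinctive bytes instead.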
