First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Filter based on other field value

Hello experts,

I'm currently analyzing GTP data, and I would like to make a dynamic filter, to find all user plane traffic related to that GTP session.

I've been searching for it, but couldn't find anything.

So, basically the idea is that I create a IP Filter based on the IP contained in the gtp.user_ipv4 field of GTP Create PDP Context Response.

I've tried the following: ip.addr==gtp.user_ipv4

But didn't get any results, so I wonder if there is a way to do it or not. If not, would Wireshark developers consider doing it for future releases?

thepacketwizards's avatar
3
thepacketwizards
asked 2018-12-02 14:10:19 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

Have you tried the next format?

ip.addr==${gtp.user_ipv4}

image description

Packet_vlad's avatar
1.1k
Packet_vlad
answered 2018-12-02 14:29:38 +0000, updated 2018-12-02 15:55:11 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Just did, but unfortunately wireshark regards this filter as invalid.

thepacketwizards's avatar thepacketwizards (2018-12-02 14:52:16 +0000) edit
more
  • delete

Keep in mind you have to select a packet containing gtp.user_ipv4 field first and then type the filter expression.

Packet_vlad's avatar Packet_vlad (2018-12-02 15:06:03 +0000) edit
more
  • delete

Thank you very much! Is there any other way to do it without clicking on the packet?

thepacketwizards's avatar thepacketwizards (2018-12-02 22:34:47 +0000) edit
more
  • delete

By clicking on the packet you define a source for the filter argument. Otherwise if you have for example 100 different packets with different gtp.user_ipv4 values in a trace - which one should the filter use?

For me, optimal routine is:

  1. Write the filter expression;

  2. Create filter button and give it descriptive name (like "This GTP user");

  3. Just click on the packet needed and click on filter button.

Packet_vlad's avatar Packet_vlad (2018-12-03 10:43:13 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer