Ethereal-users: Re: [Ethereal-users] Filter documention
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Tue, 17 Jun 2003 19:43:54 -0000
Ben Irving wrote:
> Is anyone aware of a very detailed document on ethereal filtering.
> The user guide does not cover what I am hoping to do. I would like to
> pull out a number of frames based on frame number, (i.e) frames 1 to
> 100000 or frames x to y. It would also be nice to be able to do this
> based on time.

A display filter of the following type could be useful:

  "(frame.number > 1) and (frame.number < 4)"

If you select the "Frame number: 1" field in the panel and use the menu item "Display/Prepare/Selected" then you will get a filter "frame.number == 1" and then it's just to modify the filter to suit your needs.

A filter of the type

  frame.time > "Jun 12, 2003 21:00:48.000002000"

may not be so useful since it compares the strings corresponding to the time for the frames - so I guess that it can give some unexpected results sometimes.

There is also editcap, tcpslice, ngrep and some other tools that can be useful for the thing you want to do.
http://www.packetfactory.net/Projects/ngrep/
I think that tcpslice and maybe also ngrep can filter based on timestamps.

There was someone that sent a utility splitcap to the ethereal-dev list some days ago - but it has not yet been included with the Ethereal distribution (and I had some problems compiling it on Windows that I haven't sorted out yet).

I have included some more info about capture filters and display filters below (extract from a mail I have sent a while ago).

===============================

First of all there are some entries regarding filters in the Ethereal FAQ:

http://www.ethereal.com/faq.html#q5.5 tells about the difference between display filters and capture filters. However the link to the tcpdump man page is to the man-page for an old version.

http://www.ethereal.com/faq.html#q5.33 tells that you cannot search for a pattern occurring anywhere in the packet.

You can make a display filter that searches for a pattern in a fixed position of the frame (frame[63:4]==31:32:45:32) or in a fixed position of a certain protocol layer (e.g. ip[17:3]==62:60:31, data[4:2]==71:34, isup[17:2]==81:22 and so on). However often this may be too limited to be really useful.

Instead of using a display filter you can e.g. use ngrep to search in the file you captured. Ngrep is a grep-like command for searching in pcap-files.
http://www.packetfactory.net/Projects/ngrep/

Depending on what you want to search for you could try to do a "print to file" (File/Print... Print to: file, Detailed, ...) and search in the printout by using a normal text editor. That's the method I'm using quite often.

Capture filters:
===========

In order to know the syntax to be used for capture filters check out the tcpdump/windump manual for the libpcap/WinPcap version you are using.
http://windump.polito.it/docs/manual.htm (if you are using WinPcap)
http://www.tcpdump.org/tcpdump_man.html

There is also some kind of capture filter guide here:
http://home.insight.rr.com/procana/index.html

I normally use capture filters like:

  host 10.10.10.20 and ip
  tcp port 5020
  host 10.10.10.20 and udp
  udp port 1720

and similar. However sometimes I have made capture filters to search for a certain pattern in the payload, but normally just use capture filters to limit the captured data so I will not get too much data.

Display filters:
==========

Display filters are normally more powerful than capture filters in most cases. You can filter on high-level protocols.

If you mark one TCP packet you can filter out that TCP stream with Tools/Follow TCP stream. It's a functionality I'm using often. It will result in a filter looking something like this:

  (ip.addr eq 10.10.10.21 and ip.addr eq 10.10.10.29) and (tcp.port eq 6000 and tcp.port eq 1162)

If you mark a row in any packet - you can normally get a display filter by using Display/Match/Selected or Display/Prepare/Selected. That's probably one of the easiest ways of getting a capture filter. For example if you mark the line "Destination port: 80" in the TCP header of a packet and use Display/Prepare/Selected you will get a display filter "tcp.dstport == 80" in the bottom of the Ethereal window and then it's just to press "Apply" or modify the filter. If you want to search for packets to or from port 80 you could e.g. use a filter "(tcp.dstport == 80) or (tcp.srcport == 80)".

But if the field is not a searchable field then ethereal will create a filter of the type frame[x:y] == .... and then it may not be so useful.

Another way of creating display filters is the Edit/Display Filters.../Add Expression. There you can select the protocol and will be able to see what you can filter on for each protocol.

For more information see the (not completely up-to-date) user-guide:
http://www.ethereal.com/docs/user-guide/ch03dispfilt.html

The Ethereal user guide http://www.ethereal.com/docs/user-guide/ includes information about the searchable fields for different protocols, e.g.
http://www.ethereal.com/docs/user-guide/sidtransmissioncontrolprotocol.html (TCP)
http://www.ethereal.com/docs/user-guide/sidlightweightdirectoryaccessprotocol.html (LDAP)
However that information is not up-to-date. Olivier Biot has prepared one for Ethereal 0.9.12:
http://home.tiscali.be/olivier.biot/ethereal/

If the data occurs in a certain position in the packet then it may be possible to generate a display filter by using a filter such as frame[62:4]==31:32:37:38, but for example if you want to search for a certain pattern in the first octets of the http data payload, then it's better to use a filter data[x:y] as in the example below:

Example:
========

Data (10 bytes)

assuming that if you mark "Data (10 byte)" in the protocol tree you see the following hex data highlighted:

  03 47 47 47 41 6C 6C 20 00 00 00   .GGGAll ...

then you should get a match for the following display filters:

==============
data[0:4] == 03:47:47:47
data[4:4] == 41:6C:6C:20
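Before relying on a slice filter such as data[0:4] == 03:47:47:47 over a large capture, it is worth checking exactly which frames it selects. The Python below is an added example written for this archive page, not code from Ethereal or from the poster: it evaluates the subset of display-filter syntax used in the mail (byte slices written as layer[offset:length] == hh:hh:..., frame.number comparisons, and/or and parentheses) over a handful of constructed frames. The frames, the assumed 54 header bytes before the payload in the "frame" layer, and the rule that a slice running past the end of a layer counts as no match are all assumptions of the example, not Ethereal behaviour.

```python
import operator
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Frame:
    number: int
    layers: Dict[str, bytes]  # raw bytes per dissected layer, e.g. "frame", "data"


# layer[offset:length] == hh:hh:...  (offset and length, as in the mail's examples)
_SLICE_RE = re.compile(
    r"^(\w+)\[(\d+):(\d+)\]\s*==\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)$")
_NUMBER_RE = re.compile(r"^frame\.number\s*(==|eq|!=|>=|<=|>|<)\s*(\d+)$")
_OPS = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne,
        ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
_TOKEN_RE = re.compile(r"(\(|\)|\band\b|\bor\b)")


def parse_hex_bytes(text: str) -> bytes:
    """'03:47:47:47' -> b'\\x03GGG'."""
    return bytes(int(h, 16) for h in text.split(":"))


def match_slice(frame: Frame, layer: str, offset: int, length: int, expected: bytes) -> bool:
    """Compare `length` bytes at `offset` of `layer` with `expected`.

    Assumption of this example: a frame without the layer, or a slice that
    runs past the end of the layer, never matches (a short packet must not
    match by accident)."""
    data = frame.layers.get(layer)
    if data is None:
        return False
    chunk = data[offset:offset + length]
    return len(chunk) == length and chunk == expected


def eval_atom(expr: str, frame: Frame) -> bool:
    expr = expr.strip()
    m = _SLICE_RE.match(expr)
    if m:
        layer, offset, length, hexs = m.groups()
        return match_slice(frame, layer, int(offset), int(length), parse_hex_bytes(hexs))
    m = _NUMBER_RE.match(expr)
    if m:
        op, n = m.groups()
        return _OPS[op](frame.number, int(n))
    raise ValueError(f"unsupported expression: {expr!r}")


class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; 'and' binds tighter."""

    def __init__(self, tokens: List[str], frame: Frame):
        self.toks, self.i, self.frame = tokens, 0, frame

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()  # always evaluated so every token is consumed
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_atom()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_atom()
            value = value and rhs
        return value

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return eval_atom(tok, self.frame)


def matches(expr: str, frame: Frame) -> bool:
    tokens = [t.strip() for t in _TOKEN_RE.split(expr) if t.strip()]
    parser = _Parser(tokens, frame)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.peek()!r}")
    return result


def apply_filter(expr: str, frames: List[Frame]) -> List[int]:
    """Return the numbers of the frames the display filter selects."""
    return [f.number for f in frames if matches(expr, f)]


# Constructed sample capture (not real traffic). _HDRS stands in for the
# Ethernet+IP+TCP headers; the payload of frame 2 is the hex from the mail.
_HDRS = bytes(54)
_PAYLOAD = bytes.fromhex("03 47 47 47 41 6C 6C 20 00 00 00")
_HTTP = b"GET / HTTP/1.0\r\n"
_NEAR_MISS = b"\x03\x47\x47\x00"
FRAMES = [
    Frame(1, {"frame": _HDRS}),                                  # no payload at all
    Frame(2, {"frame": _HDRS + _PAYLOAD, "data": _PAYLOAD}),
    Frame(3, {"frame": _HDRS + _HTTP, "data": _HTTP}),
    Frame(4, {"frame": _HDRS}),
    Frame(5, {"frame": _HDRS + _NEAR_MISS, "data": _NEAR_MISS}),  # first 3 bytes match only
]

if __name__ == "__main__":
    for f in ("(frame.number > 1) and (frame.number < 4)",
              "data[0:4] == 03:47:47:47",
              "data[4:4] == 41:6C:6C:20",
              "frame[54:4] == 03:47:47:47",
              "data[8:4] == 00:00:00:00"):
        print(f"{f:45s} -> frames {apply_filter(f, FRAMES)}")
```

The near-miss frame 5 shows why the length part of the slice matters: data[0:3] == 03:47:47 selects it, data[0:4] == 03:47:47:47 does not. Running the script also shows the slice that overruns the 11-byte payload selecting nothing, rather than matching the zero padding a reader might expect.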