Ethereal-users: Re: [Ethereal-users] How can I set a Filter to capture/display only RPC data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 03 Aug 2005 10:34:00 -0700
Bryan Barnard wrote:
> Dear Ethereal,
> Read your help pages but I want to be able to filter only on a specific protocol. How do I do this?

For capturing, this is difficult. The BPF filtering mechanism was designed to allow filtering to be done by low-level code in the OS kernel, so that packets that don't match the filter can be dropped without being copied to user mode.

The filter is expressed by a program in a "machine language" for a simple machine; that machine filters one link-layer packet at a time (so it can't handle fragments of an IP packet other than the first fragment - it doesn't know that the later fragments are related to the first one). It *also* doesn't support backward branches, so a user-mode program can't cause an infinite loop in the filtering code in the kernel (because it can't cause any type of loop), which limits the type of filtering it can do.

ONC RPC and DCE RPC requests could perhaps be matched by a very cleverly written filter that looks for certain values in the payload atop TCP or UDP (that sort of "heuristic" is how Ethereal identifies ONC RPC and DCE RPC packets) - but, if a request takes more than one link-layer packet, that filter would only match the first link-layer packet in the request.

As such, a capture filter that does what you want for ONC RPC or DCE RPC is, in the general case, not possible; even a limited one, that can't handle IP fragmentation or TCP segmentation, would be difficult to construct.

(It's probably even worse for, say, XML-RPC, as the heuristic is probably more complicated and might involve a loop.)

For *display* filters, it's much easier. "rpc" matches ONC RPC packets, and "dcerpc" matches DCE RPC packets. (We don't have a filter for XML-RPC, as we don't have a dissector for it; we just dissect it as XML. You might be able to filter on the HTTP Content-Type.)

> Would it be possible to enable a tick-box selection of items for a filter like in the 'Enabled Protocols' dialogue?

What we have now, instead of a list such as that, is the "+ Expression" button in the "Display Filter" dialog. If you click on the "Filter:" button next to the display filter text box, that pops up that dialog. The "+ Expression" button next to the filter text box in that dialog (it might look different in GTK+ 1.2[.x] versions of Ethereal) pops up a "Filter Expression" dialog that can be used to construct an expression in a filter. The list of fields under "Field name" lists the protocols on which you can filter; if there's a widget (triangle, [+], whatever) next to the field, you can open that item up and get a list of all the fields for that protocol. If you click on a protocol (e.g., "RPC" or "DCERPC"), leave "is present" selected in "Relation", and click "OK", that'll add to the filter string in the "Display Filter" dialog the filter name for that protocol. You can then click "OK" to use that filter.

There's also a "+ Expression" button next to the filter field in the main window, which removes the "Display Filter" dialog step.
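An added illustration of the capture-filter limitation discussed in this reply (it is not part of the message, nor Ethereal's or libpcap's code): a stateless, one-packet-at-a-time check for an ONC RPC CALL over UDP, run against a whole datagram and against the same datagram split into two IP fragments. The match rule (msg_type 0 and RPC version 2 in the first words of the UDP payload) is an assumed simplification, not the dissector's exact heuristic; the packets are constructed in the script.

```python
import struct

IPPROTO_UDP = 17

def ipv4_header(payload_len, ident, frag_offset_units, more_fragments):
    """Minimal IPv4 header around a UDP payload (checksum left zero; constructed data)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, IPPROTO_UDP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def onc_rpc_call(xid, prog, vers, proc, body):
    """ONC RPC CALL message: xid, msg_type=0 (CALL), rpcvers=2, prog, vers, proc,
    then AUTH_NULL credentials and verifier (flavor 0, length 0), then the body."""
    return struct.pack("!IIIIIIIIII", xid, 0, 2, prog, vers, proc, 0, 0, 0, 0) + body

def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ip_fragments(udp, ident, first_len):
    """Split one UDP datagram into two IP fragments (first_len must be a multiple of 8)."""
    first = ipv4_header(first_len, ident, 0, True) + udp[:first_len]
    rest = ipv4_header(len(udp) - first_len, ident, first_len // 8, False) + udp[first_len:]
    return [first, rest]

def bpf_like_rpc_call_match(packet):
    """What a stateless, per-packet capture filter can decide about one IP packet.
    Assumed heuristic (simplified, not the dissector's exact test): IPv4, protocol UDP,
    fragment offset 0, UDP payload word 1 == 0 (CALL) and word 2 == 2 (RPC version 2)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != IPPROTO_UDP or frag_offset != 0:
        return False            # a non-first fragment carries no UDP header to inspect
    payload = packet[ihl + 8:]
    if len(payload) < 12:
        return False
    msg_type, rpcvers = struct.unpack("!II", payload[4:12])
    return msg_type == 0 and rpcvers == 2

def demo():
    """One whole call, then the same call split in two fragments: only the first
    fragment matches, which is the limitation described in the message above."""
    call = onc_rpc_call(0x1A2B3C4D, 100000, 2, 3, b"\x00" * 64)  # constructed portmapper call
    udp = udp_datagram(1023, 111, call)
    whole = ipv4_header(len(udp), 0x0001, 0, False) + udp
    return [bpf_like_rpc_call_match(p) for p in [whole] + ip_fragments(udp, 0x0002, 24)]
```

Running `demo()` returns `[True, True, False]`: the whole datagram and the first fragment match, the second fragment does not, because the filter never sees the two fragments as one message.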