Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 28 Jun 2007 10:20:17 +0200
On Thu, Jun 28, 2007 at 03:21:18PM +0900, Mitsuho Iizuka wrote:
> 
> > > I would like to write scripts as follows,
> > > 
> > > (tcp.ports != 400 && tcp.ports !=401 && .... && tcp.ports = 800)
> > > 
> > > of course, port number is not sequential.
> > 
> > Are the frame numbers sequential?  Is there a pattern to the tcp port 
> > numbers that you want to include/exclude?
> 
> Frame numbers are not sequential. Those are many Load Balancer (LB)
> health check packets (1 packet/2 seconds) against LDAP on SSL, and
> a few target packets I would like to analyze. My previous question
> was a result to exclude unwanted packets. The pattern is health
> check packets failed to get SSL.alert because of bad exchange key
> on LB.  That's why all src.port packets have same port number
> of SSL.alert packet. The port number above were extracted port
> number including SSL.alert. Now I have 400 unwanted ports. 

Healthchecks done by LBs are usually done from their own IP-address
while production traffic is either from the client-ip or the NATted
address, which is usually different from the address that the health
checks are sent from. But... this varies per LB-brand. If they
are different, you can filter on the ip-addresses. Please note
that you can use a filter like "!ip.addr==<ip-healthchecks>"

> > Actually, this has been raised to 500 in the latest SVN source code 
> > tree.
> 
> Editcap does not have a feature to specify unwanted port from the
> command line argument. tcpdump has an option above. However -w option
> is different purpose. Anyway what is a good tool to include/exclude
> packets with specific conditions against already obtained snoop file?

Exactly, editcap just takes frame-numbers or times as filters. But you
can use tshark for your purpose like this:

tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"

If you have a complex filter and you are using tshark from unix (or cygwin),
you could have the filter in a file and do:

tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

Hope this helps,
Cheers,


Sake
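An added example (not part of the mail thread above) of generating the long exclusion filter from a file of unwanted ports, as the thread suggests, and combining it with the health-check address exclusion. Note the filter is written as "!(tcp.port == N)" rather than "tcp.port != N": a packet has two port fields, so "tcp.port != 400" matches any packet where at least one port differs from 400, which is nearly every packet. The port list, capture file names and LB address are constructed; current tshark takes the display filter with -Y (the 2007 reply used -R).

```shell
#!/bin/sh
# Added example: build a Wireshark display filter that excludes every TCP
# port listed in a file (one port per line), plus the LB health-check source
# address, then hand it to tshark. Port list, file names and IP are constructed.

# Emit "!(tcp.port == P1 || tcp.port == P2 || ...)" from a port list on stdin.
build_port_exclude_filter() {
    filter=""
    while IFS= read -r port; do
        # skip blank lines and "#" comments in the port list
        case "$port" in ''|\#*) continue ;; esac
        # refuse anything that is not a plain decimal port number
        case "$port" in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        if [ -z "$filter" ]; then
            filter="tcp.port == $port"
        else
            filter="$filter || tcp.port == $port"
        fi
    done
    [ -n "$filter" ] || { echo "no ports given" >&2; return 1; }
    printf '!(%s)' "$filter"
}

# Combine the port exclusion with an exclusion of the LB's health-check
# source address (hypothetical address passed as the second argument).
build_filter() {
    ports_file="$1"; lb_ip="$2"
    pf=$(build_port_exclude_filter < "$ports_file") || return 1
    printf '%s && !(ip.addr == %s)' "$pf" "$lb_ip"
}

# Usage (constructed file names; -Y is the display-filter option in
# current tshark, older releases used -R as in the reply above):
#   build_filter unwanted-ports.txt 10.0.0.5 > filter.txt
#   tshark -r in.snoop -w out.pcap -Y "$(cat filter.txt)"
```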