Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 28 Jun 2007 23:53:58 +0200
On Thu, Jun 28, 2007 at 05:54:01PM +0900, Mitsuho Iizuka wrote:
> > 
> > Ummm ...I'm fool...
> > Yes, Those are only 4 IPs. I will do it.
> 
> No! No! All the packets to the LDAP server come from LB including
> helth check packets.
> 
> LB substitutes all the incoming MAC addresses as well. Does anyone
> know awk/grep like editcap tool to accept a complex script ?

How'bout the following (complex) one-liner to delete all TCP sessions
which are HTTP health checks on port 8081:

tshark -r trace.cap -w filtered.cap -R `tshark -r trace.cap -d "tcp.port==8081,http" -T fields -e tcp.srcport 'http.request.uri == "/MSecManagement/healthcheck"' | awk 'BEGIN {sep="";printf("!(")} {printf("%stcp.port==%s",sep,$1);sep="||"} END {printf(")")}'`

OK, in parts:

tshark -r trace.cap -d "tcp.port==8081,http" -T fields -e tcp.srcport 'http.request.uri == "/MSecManagement/healthcheck"'

Read file trace.cap and decode port 8081 as HTTP. Print only the field
tcp.srcport (the -T fields option is new in v0.99.6) for HTTP packets
with Request URI "/MSecManagement/healthcheck". This gives you something like:

port1
port2
....


| awk 'BEGIN {sep="";printf("!(")} {printf("%stcp.port==%s",sep,$1);sep="||"} END {printf(")")}'

Take the previous list of port numbers and transform it into a display
filter with the form: "!(tcp.port==<port1>||tcp.port==<port2>||....)"


tshark -r trace.cap -w filtered.cap -R `<previous commands>`

Take the filter that was created by "tshark|awk" and use it as a read
filter on "trace.cap". Write the packets that match the filter to the
file "filtered.cap".


So basically this command goes through the trace twice, once to build 
a filter, the second time to use that filter to select only the needed
packets from the input file and save them to the output file.

You should be able to do something similar to your LDAP traffic :-)

Cheers,


Sake
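The two-pass technique from the message above, as an added example that is not part of the original post or of the Wireshark project. It generalizes the one-liner in two ways: the filter builder is a reusable function that de-duplicates the values and handles the case where the first pass finds nothing (the original awk would then emit "!()", which tshark rejects as a filter), and the driver keys on tcp.stream rather than tcp.srcport, so a client that later reuses a health-check source port is not dropped along with it. The trace file names, the port 8081 and the URI are assumptions carried over from the post; the -Y option is current tshark syntax for the display filter (on the 0.99.x versions discussed above use -R instead).

```shell
#!/bin/sh
# Added example (not from the original post): drop every TCP session that
# carries an HTTP health-check request, using two passes over the trace.

# build_exclude_filter FIELD
#   Reads one numeric value per line on stdin (the output of
#   "tshark -T fields -e FIELD") and prints a display filter of the form
#   "!(FIELD==v1 || FIELD==v2 || ...)". Duplicates are folded; if no value
#   was read, nothing is printed so the caller can tell the filter is empty.
build_exclude_filter() {
    awk -v field="$1" '
        /^[0-9]+$/ && !seen[$1]++ { vals[n++] = $1 }
        END {
            if (n == 0) exit 0                      # nothing to exclude
            printf("!(")
            for (i = 0; i < n; i++)
                printf("%s%s==%s", (i ? " || " : ""), field, vals[i])
            printf(")\n")
        }'
}

# filter_healthchecks IN.pcap OUT.pcap
#   Pass 1: decode port 8081 as HTTP and list the tcp.stream index of every
#           packet whose request URI is the health-check URI (assumed values).
#   Pass 2: write every packet that is NOT in one of those streams.
#   tcp.stream identifies the whole conversation, so it does not misfire
#   when a later, legitimate client happens to reuse a health-check port.
filter_healthchecks() {
    in=$1
    out=$2
    filt=$(tshark -r "$in" -d 'tcp.port==8081,http' \
                  -Y 'http.request.uri == "/MSecManagement/healthcheck"' \
                  -T fields -e tcp.stream | build_exclude_filter tcp.stream)
    if [ -z "$filt" ]; then
        echo "no health-check requests found in $in; nothing to drop" >&2
        return 1
    fi
    tshark -r "$in" -Y "$filt" -w "$out"
}

# Usage: ./drop-healthchecks.sh trace.cap filtered.cap
if [ "$#" -eq 2 ]; then
    filter_healthchecks "$1" "$2"
fi
```

Swap `tcp.stream` for `tcp.port` (or `tcp.srcport`) in both places to reproduce the port-based variant from the message exactly; the filter builder does not care which field it is given. Check the result with `tshark -r filtered.cap -Y 'http.request.uri contains "healthcheck"'`, which should print nothing.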