Hi Wiresharkers! I am streaming TZSP from my router to my Wireshark server. The problem happens when I set the capture filter: it sees the src IP of the router only. I want to filter according to the host IP which is encapsulated within the TZSP packet. Any ideas, please?

Mike

asked 18 Nov '10, 14:28 Mike
One Answer:
I have no tracefile to work with, but I expect something like

UPDATE: I took a look at Wikipedia and I see that TZSP is using variable length fields before the encapsulated data. That makes the approach from above useless, unless every packet in your stream has the same TZSP header length.

answered 20 Nov '10, 03:49 SYN-bit ♦♦ edited 20 Nov '10, 03:53
Can I filter based on some html code inside the original packet?
I found the following filter that captures packets with "get" html script:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
It works, but when I apply the same to a TZSP-encapsulated packet it fails.
Any ideas?
Mike
I converted your "answer" to a comment to my answer; that's more in line with the nature of this Q&A site.
Your filter works for unencapsulated packets. TZSP adds a new IP and UDP header before the packets to forward them to the capturing host. This messes up the indices into the packets where the IP header or HTTP request method can be found.
We need to determine if all packets have the length for the encapsulating header and if so, how many bytes we need to skip. Can you post a sample capture? Or mail it to me (address is on my user-profile)?
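
Added example, not part of the original thread: a Python sketch of the check discussed above. It walks the variable-length TZSP tagged fields to find how many bytes precede the encapsulated frame, and only builds a fixed-offset capture filter when every sampled packet has the same TZSP header length. Assumptions: the TZSP layout as described on Wikipedia (4-byte header, then tagged fields closed by an end tag), UDP port 37008, and an inner untagged Ethernet frame carrying IPv4; the function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

TAG_PADDING, TAG_END = 0x00, 0x01          # the two tags with no length byte
UDP_HDR, ETH_HDR, IP_SRC_OFF = 8, 14, 12   # sizes/offsets assumed for the inner frame

def tzsp_header_len(udp_payload: bytes) -> int:
    """Return the number of TZSP bytes that precede the encapsulated frame."""
    if len(udp_payload) < 4:
        raise ValueError("truncated TZSP header")
    version, _ptype, _encap = struct.unpack("!BBH", udp_payload[:4])
    if version != 1:
        raise ValueError(f"unexpected TZSP version {version}")
    pos = 4
    while pos < len(udp_payload):
        tag = udp_payload[pos]
        pos += 1
        if tag == TAG_END:
            return pos                      # encapsulated frame starts here
        if tag == TAG_PADDING:
            continue
        if pos >= len(udp_payload):
            break                           # length byte missing
        pos += 1 + udp_payload[pos]         # skip length byte and tag data
    raise ValueError("TZSP end tag not found")

def inner_src_filter(payloads, inner_ip, port=37008):
    """Build a BPF filter on the inner IPv4 source, or None if offsets vary."""
    lengths = {tzsp_header_len(p) for p in payloads}
    if len(lengths) != 1:
        return None                         # fixed-offset filter would be unreliable
    off = UDP_HDR + lengths.pop() + ETH_HDR + IP_SRC_OFF
    addr = int(ipaddress.IPv4Address(inner_ip))
    return f"udp port {port} and udp[{off}:4] = 0x{addr:08x}"

# Constructed sample UDP payloads (TZSP header only, inner frame omitted).
NO_TAGS = b"\x01\x00\x00\x01" + b"\x01"                    # end tag only
WITH_TAG = b"\x01\x00\x00\x01" + b"\x0a\x01\xc4" + b"\x01"  # one 1-byte tag, then end

if __name__ == "__main__":
    print(inner_src_filter([NO_TAGS, NO_TAGS], "192.168.1.10"))
    print(inner_src_filter([NO_TAGS, WITH_TAG], "192.168.1.10"))
```

When the function returns None, the header length differs between packets, so capture on the TZSP port only and filter on the inner addresses with a display filter after dissection.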