This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Filter with TZSP

0

Hi Wiresharkers!

I am streaming TZSP from my router to my Wireshark server. The problem happens when I set the capture filter: it sees the src IP of the router only. I want to filter according to the host IP which is encapsulated within the TZSP packet.

Any ideas, please?

Mike

asked 18 Nov '10, 14:28

Mike


One Answer:

0

I have no tracefile to work with, but I expect something like "udp[xx:4]==0xYYYYYY" would do the trick. Can you upload a sample capture somewhere (www.pcapr.net or www.cloudshark.org for example)?

UPDATE: I took a look at Wikipedia and I see that TZSP is using variable-length fields before the encapsulated data. That makes the approach from above useless, unless every packet in your stream has the same TZSP header length.

answered 20 Nov '10, 03:49

SYN-bit ♦♦

edited 20 Nov '10, 03:53

Can I filter based on some HTML code inside the original packet?

I found the following filter that captures packets with "get" HTML script:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

It works, but when I apply the same for a TZSP encapsulated packet it fails.

Any ideas?

Mike

(20 Nov '10, 04:20) Mike

I converted your "answer" to a comment to my answer; that's more in line with the nature of this Q&A site.

Your filter works for unencapsulated packets. TZSP adds a new IP and UDP header before the packets to forward them to the capturing host. This messes up the indices into the packets where the IP header or HTTP request method can be found.

We need to determine if all packets have the length for the encapsulating header and if so, how many bytes we need to skip. Can you post a sample capture? Or mail it to me (address is on my user-profile)?

(20 Nov '10, 04:25) SYN-bit ♦♦
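
Added example, not part of the original thread and not Wireshark code: it walks the TZSP tagged fields (4-byte header, then tags, where tag 0x00 padding and tag 0x01 end carry no length byte) to find how many bytes must be skipped, and builds a fixed-offset capture filter on the inner IPv4 source address only when every sample has the same TZSP header length. UDP port 37008, Ethernet encapsulation without a VLAN tag, the function names and the sample payloads are assumptions.

```python
import ipaddress
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the only tags without a length byte
ETHERNET = 1                        # TZSP "encapsulated protocol" value for Ethernet


def tzsp_header_len(payload: bytes) -> int:
    """Return the number of TZSP bytes that precede the encapsulated frame."""
    if len(payload) < 4:
        raise ValueError("truncated TZSP header")
    pos = 4                          # version(1) + type(1) + protocol(2)
    while pos < len(payload):
        tag = payload[pos]
        if tag == TAG_END:
            return pos + 1
        if tag == TAG_PADDING:
            pos += 1
            continue
        if pos + 1 >= len(payload):
            break
        pos += 2 + payload[pos + 1]  # tag, length byte, then that many data bytes
    raise ValueError("no TZSP end tag found")


def inner_src_filter(samples, inner_ip: str, port: int = 37008) -> str:
    """Build a capture filter on the inner IPv4 source, or fail if offsets vary."""
    lengths = {tzsp_header_len(p) for p in samples}
    if len(lengths) != 1:
        raise ValueError(f"TZSP header length varies: {sorted(lengths)}")
    if any(struct.unpack("!H", p[2:4])[0] != ETHERNET for p in samples):
        raise ValueError("only Ethernet encapsulation is handled here")
    # udp[] indexes from the outer UDP header: 8 (UDP) + TZSP + 14 (Ethernet) + 12 (to IP src)
    offset = 8 + lengths.pop() + 14 + 12
    value = int(ipaddress.IPv4Address(inner_ip))
    return f"udp port {port} and udp[{offset}:4] = 0x{value:08x}"


# Constructed sample payloads (not taken from a real capture).
FRAME = bytes(14) + bytes(12) + bytes([192, 168, 1, 10]) + bytes(4)
BARE = bytes([1, 0, 0, 1, TAG_END]) + FRAME                   # end tag only
TAGGED = bytes([1, 0, 0, 1, 10, 1, 0xC8, TAG_END]) + FRAME    # one 1-byte tag first

if __name__ == "__main__":
    print(inner_src_filter([BARE, BARE], "192.168.1.10"))
```

Feeding it a mix of BARE and TAGGED payloads raises ValueError, which is the case where a fixed udp[] offset cannot work and the filtering has to be done after capture with a display filter instead.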