This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

GIOP filter - tshark

0

Hi,

I'm trying to filter all GIOP packets with a filter parameter. I know it works in Wireshark by just typing "giop" in the filter, but it won't work when I use it as a parameter?

tshark -i eth0 -f "´ip --.--.--.-- proto giop´" -w /---/---/---/file.log - wont work...

I can't figure out the right syntax for this filter. Can anyone help here?

Thanks!

asked 12 Jul '12, 00:02


DarkChaosRabbit
accept rate: 0%


2 Answers:

0

The -f flag is used to specify a capture filter (in BPF syntax). I don't know what the capture filter would be for GIOP. Perhaps you meant to use a display filter (with the -R flag), which in your case would be:

tshark -i eth0 -R "ip.addr==1.2.3.4 and giop" -w /path/to/file.log

answered 12 Jul '12, 00:44


helloworld
accept rate: 28%

0

As helloworld mentioned, "-f" is used for a BPF capture filter. Capture filters are much more limited in how they filter, as they need to be as fast as possible to not drop packets while capturing due to filter processing overhead.

From the Wireshark Wiki:

Display Filter

A complete list of GIOP display filter fields can be found in the display filter reference

Show only the GIOP based traffic:  giop

Capture Filter

You cannot directly filter GIOP protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

So if you know your GIOP traffic runs on tcp port 2107, you can use the command:

tshark -i eth0 -s0 -w giop.pcap -f "host x.x.x.x and tcp port 2107"

answered 12 Jul '12, 03:18


SYN-bit ♦♦
accept rate: 20%
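The reason behind SYN-bit's answer is that a BPF capture filter matches bytes at fixed offsets (addresses, ports), whereas the "giop" display filter is a dissection result: Wireshark recognises the GIOP message header inside the TCP payload. As an added illustration (not Wireshark's dissector code), here is a minimal Python check of that 12-byte header on constructed payloads; the version and message-type checks are an assumed simplification of what the real dissector does.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GIOP message types shared by GIOP 1.0, 1.1 and 1.2 (CORBA GIOP spec).
MESSAGE_TYPES = {
    0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
    4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment",
}

@dataclass
class GiopHeader:
    major: int
    minor: int
    little_endian: bool
    more_fragments: bool
    message_type: str
    message_size: int        # body length declared by the header
    body_bytes_present: int  # body bytes actually carried in this payload

def parse_giop_header(payload: bytes) -> Optional[GiopHeader]:
    """Parse the 12-byte GIOP message header; return None if payload is not GIOP."""
    if len(payload) < 12 or payload[:4] != b"GIOP":
        return None
    major, minor, flags, msg_type = struct.unpack_from("4B", payload, 4)
    if major != 1 or minor > 2 or msg_type not in MESSAGE_TYPES:
        return None
    # GIOP 1.0: the flags byte is just byte_order (1 = little-endian).
    # GIOP 1.1+: bit 0 = byte order, bit 1 = more fragments follow.
    little_endian = bool(flags & 0x01)
    more_fragments = bool(flags & 0x02) if minor >= 1 else False
    size = struct.unpack_from("<I" if little_endian else ">I", payload, 8)[0]
    return GiopHeader(major, minor, little_endian, more_fragments,
                      MESSAGE_TYPES[msg_type], size, len(payload) - 12)

def is_giop(payload: bytes) -> bool:
    """What the 'giop' display filter effectively asks: does this payload start with a GIOP header?"""
    return parse_giop_header(payload) is not None

# Constructed sample TCP payloads (not captured traffic).
SAMPLE_GIOP_REQUEST = (b"GIOP" + bytes([1, 2, 0x00, 0])   # v1.2, big-endian, Request
                       + struct.pack(">I", 32) + b"\x00" * 32)
SAMPLE_GIOP_FRAGMENT = (b"GIOP" + bytes([1, 1, 0x03, 7])  # v1.1, little-endian, more fragments
                        + struct.pack("<I", 100) + b"\x00" * 40)  # only 40 of 100 body bytes here
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("request", SAMPLE_GIOP_REQUEST),
                    ("fragment", SAMPLE_GIOP_FRAGMENT), ("http", SAMPLE_HTTP)]:
        print(name, parse_giop_header(p))
```

The fragment sample shows why a captured file can still need reassembly: the header declares more body bytes than the segment carries, which is what the display filter run over the saved pcap (rather than a capture filter) copes with.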

Hello,

thanks for the explanation and the answers.

But neither of them worked :/

tshark -i eth0 -s0 -w giop.pcap -f "host x.x.x.x and tcp port 2107"

It's slightly wrong, isn't it? "-w" is for writing to a file, so I changed it to "-R". But the main problem is:

helloworld's answer produces an error: "ip.addr==XX.XXX.X.XX: command not found"

That's the syntax? "ip.addr==1.2.3.4 and giop" - like `+"+command…

If I try with "-R giop.pcap" it's also a "command not found".

(12 Jul '12, 04:44) DarkChaosRabbit

@DarkChaosRabbit, can you post the exact commands you're entering and the resulting output? And FYI, -R specifies a display filter, as already mentioned. To read giop.pcap, use -r giop.pcap.

(12 Jul '12, 05:01) helloworld

Could you also explain a bit more what you are trying to do, because I think I am interpreting your question in a different way than you meant it.

My interpretation of your question:

I used Wireshark with a filter to only display GIOP traffic, and now I want to use tshark on the CLI to capture only GIOP traffic from one particular host and save it to a file named /---/---/---/file.log

(12 Jul '12, 05:06) SYN-bit ♦♦

I will explain what I needed it for.

As a result, just as SYN-bit thought, I want a file with all the GIOP traffic between 2 specific hosts.

Now I tried and tried, and I think I got a solution.

Like you said, it is not possible to filter GIOP while capturing. So I create a file with

tshark -i eth1 -f "src host XX.XX.XX.XXX or dst host XX.XX.XX.XXY" -w /file/path/..

After I got the file with only the packets of these two hosts:

tshark -R "(ip.src==XX.XX.XX.XXX or ip.src==XX.XX.XX.XXY) and giop" -r /file/path/..

I know I could just use "giop" in the second statement, but just in case …

It's as simple as that. But there were a few errors I just didn't understand because I don't work frequently with Wireshark…

Thanks a lot! (I could say sorry for my English - but I can't do better - so that would be pointless ;) )

(12 Jul '12, 05:38) DarkChaosRabbit