Dear Team, We have Linux OS installed on one of our nodes (which has an SS7 stack). Now if we want to filter packets which are submitted towards the network we use the command below: tcpdump -ni any -s 0 sctp -w filename.pcap Now the above command captures all packets of the SS7 layer. Is it possible to prepare a filter on the command line itself like ((gsm_sms.tp-mti == 0) && (gsm_map.imsi_digits == "404971026311824")), as we do filtering in Wireshark, or what type of filtering options are there? Or can Wireshark itself be helpful to do so, because I tried using a remote interface but it's not possible as the server/node does not have direct connectivity; it's via a different server. asked 06 Aug '12, 23:14 creative
One Answer:
tcpdump only supports capture filters, not Wireshark's (far richer) display filters. As such, you can't filter for things like gsm_sms.tp-mti with tcpdump. With capture filters you're limited to the things that libpcap understands. See the manual page of pcap-filter(7) or, if that doesn't exist, tcpdump(8), or, if that doesn't exist, http://wiki.wireshark.org/CaptureFilters. answered 07 Aug '12, 07:51 JeffMorriss ♦
...and Wireshark's capture filters are the same as tcpdump's capture filters, with the same limitations.
Thanks Jeff for your answer.
@Harris... what? How are Wireshark filters the same as tcpdump filters???
There are two kinds of "Wireshark filters" - capture filters, which are what are specified when you start a capture, and "display filters" (which can also be used, for example, for colorizing packets), which are specified when you have a capture. Wireshark capture filters are implemented by libpcap/WinPcap, just as tcpdump's filters are, so they're exactly the same as tcpdump filters. Wireshark display filters are implemented by Wireshark, and are much more capable than capture filters.
Thanks Harris :)
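The practical consequence of the answer is a two-stage workflow: narrow the capture on the node with a BPF capture filter (the only kind tcpdump/libpcap accept), copy the pcap off, and apply the field-level display filter offline with tshark, which uses the same display-filter language as Wireshark. The script below is an added example, not code from the thread or from the Wireshark project. It assumes tcpdump is available on the capturing node and tshark (with the GSM MAP/SMS dissectors) on the analysis host; the is_display_filter check is a heuristic that looks for proto.field tokens such as gsm_sms.tp-mti, not a BPF parser, so it only guards against the specific mistake of handing a display filter to tcpdump.

```shell
#!/bin/sh
# Added example: keep BPF capture filters (tcpdump/libpcap) separate from
# Wireshark display filters (tshark -Y). Not from the original thread.
# Assumptions: tcpdump on the SS7 node, tshark on the analysis host.

# Return 0 (true) when the expression uses Wireshark display-filter syntax,
# detected by tokens of the form proto.field (e.g. gsm_map.imsi_digits).
# Heuristic only: BPF's grammar is not re-implemented here. A dotted token
# that is the argument of a BPF host keyword (host example.com) is allowed.
is_display_filter() {
    set -f                      # no pathname expansion during word splitting
    found=1
    prev=""
    for tok in $(printf '%s' "$1" | tr '()' '  '); do
        case "$tok" in
            [a-z_]*.[a-z_]*)
                case "$prev" in
                    host|src|dst|gateway) ;;      # hostname, not a field name
                    *) found=0 ;;
                esac ;;
        esac
        prev="$tok"
    done
    set +f
    return "$found"
}

# Stage 1 (on the node): build the tcpdump command line.
# $1 = interface, $2 = BPF capture filter, $3 = output pcap
# -s 0 keeps whole packets; older tcpdump versions truncate by default,
# which would cut off the MAP payload you want to filter on later.
capture_cmd() {
    if is_display_filter "$2"; then
        printf "refusing: '%s' is a display filter; tcpdump only takes BPF capture filters\n" "$2" >&2
        return 1
    fi
    printf 'tcpdump -ni %s -s 0 -w %s %s\n' "$1" "$3" "$2"
}

# Stage 2 (on the analysis host): apply the display filter to the saved
# capture and write only the matching packets to a new pcap.
# $1 = input pcap, $2 = Wireshark display filter, $3 = output pcap
extract_cmd() {
    printf "tshark -r %s -Y '%s' -w %s\n" "$1" "$2" "$3"
}

# Demonstration with the filters from the question (printed, not executed,
# so the script is safe to run on a host without tcpdump or tshark).
CAPTURE_FILTER='sctp'
DISPLAY_FILTER='(gsm_sms.tp-mti == 0) && (gsm_map.imsi_digits == "404971026311824")'

echo "# stage 1, on the node:"
capture_cmd any "$CAPTURE_FILTER" filename.pcap
echo "# stage 2, after copying filename.pcap to the analysis host:"
extract_cmd filename.pcap "$DISPLAY_FILTER" mo_sms_for_imsi.pcap
echo "# what tcpdump would reject (check happens before anything runs):"
capture_cmd any "$DISPLAY_FILTER" filename.pcap || true
```

If the signalling gateway's address or SCTP port is known, put it in the capture filter (for example `sctp and host <gateway-ip>`), since every octet tcpdump can drop at capture time is one less to copy across the intermediate server; everything that depends on decoded MAP or SMS fields stays in the tshark stage.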