This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Including packets from a conversation not matching the filter

0

I am trying to determine the amount of data received and transmitted back to a remote telematic device that communicates over GPRS on port TCP X to find out if my wireless carrier is overcharging me. The trick is that the server receives data on that same port from several units.

Capture filter: tcp port X Display filter: tcp contains "6033," and (tcp contains ",1710," or tcp contains ",121017,")

6033 is the unique identifier for the device I want to get information from, and 1710 or 121017 is the date I'm interested in the two different possible formats included in the TCP stream.

I'm missing some TCP packets that don't have the string '6033' in them, however they are part of the same TCP stream/conversation and should be included in my filtered results.

How can I include in my results the missing packets that are part of the TCP stream/conversation BUT don't contain the unique identifier in it?

i.e. $G6033,1710,232239,5319.4470,N,00627.4218,W,000 1710,232324,5319.4372,N,00627.4342,W,000 1710,232739,5319.4328,N,00627.4310,W,000 1710,232824,5319.4328,N,00627.4310,W,000 1710,233239,5319.4312,N,00627.4129,W,000 1710,233324,5319.4312,N,00627.4129,W,000 1710,233739,5319.4394,N,00627.4296,W,000

--------- Packet divider (missing from this point on)---------
1710,233824,5319.4243,N,00627.4141,W,000 1710,234239,5319.4326,N,00627.4288,W,000 1710,234324,5319.4326,N,00627.4288,W,000*94
---------- Packet divider (missing until this point)----------

$A6033,232239,121017,234408*D9

asked 19 Oct '12, 15:56

juanclau's gravatar image

juanclau
1111
accept rate: 0%

2 Answers:

1

As far as I understand this, each unit connects to your server with it's own tcp communication. The "trick" of using always the same port on the server is not really a trick, it is what every server does today (for example the web server of this Q&A page runs on port 80 and takes lots of connections on it). Did you try filtering on the client IP and port instead (meaning the TCP port that the remote device uses)? It is standard filtering operation to isolate TCP flows by filtering on it's socket pairs, or on the unique flow number assigned to each flow by Wireshark.

So what you'd need to do is:

  1. filter on the packets that contain the string you're looking for
  2. use the conversation statistics (found in the statistics menu) to see which communications are left. Use the "limit to display filter" checkbox to force it to only show filtered out packets, and go to the TCP tab.
  3. filter on each conversation that you see by filtering on it's socket pairs. You can do that from the conversations list by using the popup menu going "apply as filter -> selected -> A <-> B".
  4. repeat

You can automate this by using command line scripts with tshark.exe instead, but that might be a bit too complicated for starters.

answered 20 Oct '12, 07:49

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks for the quick reply and the help provided.

When I said "the trick" I referred to the fact that I needed to separate the traffic from different sources, not that traffic was on the same port.

Unfortunately these are mobile devices that can change their IPs quite often (several times per day), simply using IP filtering is not really the right way to go.

When I do your suggested solution I get 4 conversations with 4 different IPs. Can I assume the device changed IPs 4 times and the total sum of the 'bytes' column is the amount of data transfer between the server and the mobile device?

(24 Oct '12, 16:56) juanclau

0

I'm missing some TCP packets that don't have the string '6033' in them, however they are part of the same TCP stream/conversation and should be included in my filtered results.

O.K. so, you can't use a capture filter. Instead I suggest to record the whole communication and later filter it with a display filter. To automate the process on Windows, you can use Powershell.

Start powershell and enter these commands (without the 'PS >'). input.cap is the capture file containing the whole communication.

PS > $display_filter =""; tshark -r input.pcap -R "tcp contains 6033 or tcp contains 1710 or tcp contains 121017" -T fields -e tcp.stream | sort-object | get-unique | foreach { $display_filter += "tcp.stream eq $_ or "}; $display_filter = $display_filter -replace "...$" ; write-host "starting Wireshark with filter: $display_filter" ; wireshark -r input.pcap -R $display_filter

Output should look similar to this:

starting Wireshark with filter: tcp.stream eq 13 or tcp.stream eq 14 or tcp.stream eq 9

Wireshark will start with the given display filter and you will see only those streams that contain the search strings.

If you want to do the same on Unix:

[email protected]:# tshark -r input.pcap -R "tcp contains 6033 or tcp contains 1710 or tcp contains 121017" -T fields -e tcp.stream | sort -u | awk '{filter = sprintf("tcp.stream eq %s or %s",$0,filter)}; END {filter=substr(filter,0,length(filter)-3); print filter; system("wireshark -r input.pcap -R \"" filter "\"")}'

Regards
Kurt

answered 21 Oct '12, 04:25

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 21 Oct '12, 04:27

Kurt,

Thanks for your answer. Can you explain to me what the command does in a little more detail?

Also, correct me if I'm wrong but I believe the filter in the command should be: "tcp contains 6033 and (tcp contains 1710 or tcp contains 121017)"

I can't simply use "tcp contains 6033 or tcp contains 1710 or tcp contains 121017" since that would capture other devices with the same date stamps but a different SID (6033).

(24 Oct '12, 17:24) juanclau