This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to setup a capture filter for syslog.msg data only

0

I'm looking to capture only packets whose syslog info matches the filter "successful". Because of the number of packets coming to the device, I'm not looking for a display filter but a CAPTURE FILTER.

I have the first part easy as "port syslog" but must be missing the last part. In the display filter I would use `syslog.msg contains "successful"`, but of course this will not work in the capture filter.

Any ideas would be helpful and thanks.

asked 27 Dec '12, 12:39


sonicpepsi
accept rate: 0%


2 Answers:

0

You probably can't do what you want. Capture filters are much simpler than display filters and simply don't have the same functionality. There is no capture filter equivalent to "syslog.msg contains".

IF the string "successful" always appeared in exactly the same place in a frame, you could use byte offset filters to look for it, but my reading of RFC 5424, "The Syslog Protocol," is that syslog packets contain a number of variable length fields, and therefore subsequent fields won't always occur in exactly the same position within the frame.

answered 27 Dec '12, 13:06


Jim Aragon
accept rate: 24%

That's what I was thinking but didn't want to miss out in the event there was something I didn't see. Thanks for the response.

(27 Dec '12, 14:09) sonicpepsi
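As an added illustration of Jim's point (this is not code from the original thread): the script below builds the only kind of string test a BPF capture filter can express, a byte comparison at a fixed payload offset, and then runs that same fixed-offset test over constructed syslog lines to show how variable-length header fields move the word out from under it. The sample messages, the `udp[]` offset arithmetic and the function names are assumptions of the example.

```python
"""Fixed-offset byte matching, the closest a capture filter gets to
'syslog.msg contains'. All syslog lines below are constructed samples."""


def bpf_string_at(offset: int, needle: str, proto: str = "udp") -> str:
    """Build a BPF capture filter that matches `needle` at `offset` bytes
    into the UDP payload. BPF has no substring search, so the string is
    split into 4-, 2- and 1-byte integer comparisons (udp[N:4] = 0x...).
    udp[] is indexed from the UDP header, so payload offsets get +8."""
    data = needle.encode()
    terms = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        width = 4 if remaining >= 4 else (2 if remaining >= 2 else 1)
        chunk = data[pos:pos + width]
        terms.append(f"{proto}[{offset + 8 + pos}:{width}] = 0x{chunk.hex()}")
        pos += width
    return " and ".join(terms)


def fixed_offset_match(payload: bytes, offset: int, needle: str) -> bool:
    """What the filter above actually tests: the bytes at one fixed offset."""
    n = needle.encode()
    return payload[offset:offset + len(n)] == n


# Constructed RFC 5424-style messages; hostname and app-name lengths differ,
# so the word "successful" lands at a different offset in each one.
SAMPLES = [
    b"<86>1 2012-12-27T12:39:00Z host1 sshd 101 - - Login successful for bob",
    b"<13>1 2012-12-27T12:40:00Z longer-hostname sshd 102 - - Login successful for alice",
    b"<86>1 2012-12-27T12:41:00Z host1 su 103 - - su: authentication successful",
]


def compare(samples=SAMPLES, needle="successful"):
    """Return (hits by substring search, hits by fixed-offset match), using
    the offset at which the needle sits in the first sample."""
    offset = samples[0].index(needle.encode())
    substring_hits = sum(needle.encode() in s for s in samples)
    offset_hits = sum(fixed_offset_match(s, offset, needle) for s in samples)
    return substring_hits, offset_hits


if __name__ == "__main__":
    print(bpf_string_at(SAMPLES[0].index(b"successful"), "successful"))
    print(compare())  # (3, 1): the display filter would hit all three
```

The generated expression can be pasted into tcpdump or the Wireshark capture filter field, but only messages whose header happens to be the same length as the first sample will ever match it.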

0

I'm looking to capture only packets whose syslog info matches the filter "successful".

You can't do that with tcpdump or Wireshark; however, ngrep would work that way.

http://ngrep.sourceforge.net/

call it like this:

ngrep -O output.cap -s 0 -d eth0 'successful' 'port 514'

At a high packet rate, you may miss some packets, due to overload issues.

Regards
Kurt

answered 27 Dec '12, 14:36


Kurt Knochner ♦
accept rate: 15%

edited 27 Dec '12, 14:40