This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I am wondering if there is an easy way to split bundled packets into separate. For example, I have a file which looks like this :

[IP][UDP][Header][Payload][Header2][Payloa2][Header3][Payload3][Header4][Payload4]

So it is one IP packet which has 4 smaller packets bundled into one, on one row in wireshark. I would like to put each individual packet on a separate line. So that the file looks like this :

  • [IP][UDP][Header][Payload]
  • [Header2][Payloa2]
  • [Header3][Payload3]
  • [Header4][Payload4]

Is there a simple way of doing this? Using editcap, lua, some script etc?

Very grateful for help.

BR Harkap

asked 10 Apr '13, 01:08

harkap's gravatar image

harkap
58811
accept rate: 0%

edited 10 Apr '13, 01:08

on one row in wireshark I would like to put each individual packet on a separate line.

What exactly do you mean by that? What kind of wireshark output do mean? GUI, text? How did you generate that output?

(10 Apr '13, 06:16) Kurt Knochner ♦

Hi,

What exactly do you mean by that?

One line in the wireshark packet list pane : http://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html

What kind of wireshark output do mean?

Save it as another .pcap file.

How did you generate that output?

What output do you mean? I have an .pcap file where I have captured packets.

With "on one row in wireshark. I would like to put each individual packet on a separate line." I assumed the OP wants to have a new row in the packet list for each header/payload combo and not in the packet details

Exactly

The background to this problem is that it is difficult to find an packet, that is an Header + Payload combination, that fulfills certain criteria (one field in the header = x and another field in the payload = y) When I put on this filter (header.1 = x && payload.3 = y) wireshark gives me all the rows (lines) in the packet list where one packet has either header.1 = x or payload.3 = y. In this way it is very hard to find the specific packets that I am looking for.

Thats why I thought that splitting the bundled packets into smaller packets on each row would make this search work good.

Thanks so far.

BR Harkap

(10 Apr '13, 07:42) harkap

That seems like a display-filter problem to me. What is the exact protocol you're working with? and what is the filter you're trying? Can you post a sample pcap on http://cloudshark.org (and link it here)?

(10 Apr '13, 08:48) helloworld

Hi,

What is the exact protocol you're working with? and what is the filter you're trying?

Unfortunately I cannot paste it here since it is work related data. But the appearence is similar. An Header with three data variables all one byte each x1, x2, x3. And Payload part has 5 data variables y1 3 bits y2 2 bits y3 3 bits y4 4 bits y5 4 bits. The filter I am using is (header.x3 == 4 && payload.y2 == 2)

And, as mentioned, this expression displays all the rows in which at least one of the packets in the bundle has either header.x3 = 4 or payload.y2 = 2.

BR Harkap

(10 Apr '13, 09:02) harkap

It could be a bug in your dissector -- particularly, in the way you're adding the fields (e.g., the bitmask or byte offset is wrong). Can you show the line of code from your dissector that adds the header.x3 and payload.y2 fields?

(10 Apr '13, 10:16) helloworld

Hi,

Can you show the line of code from your dissector that adds the header.x3 and payload.y2 fields?

This is not my dissector, its a built in dissector, somewhat changed for company modification. I am rather certain that it is no bug since the packet is a bundled packet, it is supposed to show all packets in the bundle on one line.

But perhaps you mean that something in the dissector implementation makes the filtering not work correctly?

BR Harkap

(10 Apr '13, 23:12) harkap

Right, that's what I meant. Which built-in dissector is it? We might be able to craft our own packet to troubleshoot this.

(11 Apr '13, 06:35) helloworld
showing 5 of 7 show 2 more comments

There is no (easy) way of doing that with wireshark as this is not how wireshark has been designed. The packet list is exactly that, it lists packets as they were seen on the network. However, with reassembly enabled, some data from packet X might be shown in packet Y as the payload had to be reassembled.

There is no way to split a packet into multiple entries in the packet list.

permanent link

answered 10 Apr '13, 01:46

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I think the OP is asking for dissectors for each payload in the packet. Depending on the protocol (and how much of the payload he/she wants dissected), that's relatively easy to do in C or Lua (Lua being simpler IMO).

(10 Apr '13, 06:12) helloworld

With "on one row in wireshark. I would like to put each individual packet on a separate line." I assumed the OP wants to have a new row in the packet list for each header/payload combo and not in the packet details (which as you say is very easy to implement).

(10 Apr '13, 06:18) SYN-bit ♦♦

An Header with three data variables all one byte each x1, x2, x3. And Payload part has 5 data variables y1 3 bits y2 2 bits y3 3 bits y4 4 bits y5 4 bits. The filter I am using is (header.x3 == 4 && payload.y2 == 2)

This filter will show all packets where:

  • there is at least one header with an x3 field that has the value 4 AND
  • there is at least one payload with an y2 field that has the value 2

BUT there is no guarantee that these fields are present in matching header/payload combinations.

And, as mentioned, this expression displays all the rows in which at least one of the packets in the bundle has either header.x3 = 4 or payload.y2 = 2

Are you saying that there can be packets displayed where there is a header where field x3 has the value 4 but there is no payload in the packet that has a field y2 with the value 2 (or visa versa)? In that case there is indeed a bug in the filtering engine...

But my bet is that it's just showing packets where bot fields are present with the selected values, but just not in corresponding header/payload pairs.

Possible solutions:

  • use MATE (but I'm not 100% sure it can do the trick)
  • Write a LUA tap to process your packets and do the matching
  • Use a script to create dummy packets for each header/payload combination as is done here for SCTP (you already found that question yourself)
permanent link

answered 11 Apr '13, 01:29

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hi,

But my bet is that it's just showing packets where bot fields are present with the selected values, but just not in corresponding header/payload pairs.

Correct.

I will look int MATE to see if I find it possible. I looked at the script for SCTP, but unfortunately understand very little about it, and how to apply it to my situation. By using LUA, do you mean that I create a script in which the input commands are what I am searching for, and then it searches the file and displays the lines?

Any suggestions of a clever high level way of implementing this would be highly appreciative.

BR Harkap

(11 Apr '13, 01:46) harkap

(please use "add a comment" to respond to given answers, see the FAQ for details)

By creating a LUA TAP, you can examine the packet in full detail within the script, but I have no experience doing so, so I can't draw a high level design for you nor can I indicate how much work it would be.

As for the SCTP unbundle script, you would need to alter/add the following:

  • Alter parse_ip to look for udp data for your protocol and then call...
  • parse_udp routine to parse the UDP headers
  • parse_your_proto routine, this routine needs to detect where the bounderies are between the header/payload instances and then call put_pkt to write a packet for each header/payload combination
  • put_pkt needs to be altered so it knows how to write proper packets for your protocol (it is now focused on writing SCTP packets

If you're unable to alter the script yourself or find someone to do it for you, you can contact me (address is in my user profile) on altering the script for you on a consultancy basis...

(11 Apr '13, 02:05) SYN-bit ♦♦

Hi,

As for the LUA tap. I found the example and am wondering how it can be modified, see comment below. I have found that the tap works well in choosing the right packets, that is, where the combination of header and payload is correct.

-- simple_http.lua -- implements a very simple tap in Lua

-- this is going to be our counter

http_packets = 0

-- this is going to be our tap

tap_http = nil

-- first we declare the tap called "http tap" with the filter it is going to use

tap_http = Listener.new(nil,"header.x1 == 2 && payload.y3 == 7")

-- this function will get called at the end(3) of the capture to print the summary

function tap_http.draw() debug("http packets:" .. http_packets) end

-- this function is going to be called once each time the filter of the tap matches

function tap_http.packet() -- Here I would like to print out the packet to a new pcap file, or new window or perhaps just the line (packet number ) where this packet can be found -- end

-- this function will be called at the end of the capture run

function tap_http.reset() http_packets = 0 end

Any Ideas?

Thank you /Harkap

(16 Apr '13, 00:48) harkap
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×431
×33
×31
×8
×4

question asked: 10 Apr '13, 01:08

question was seen: 6,916 times

last updated: 16 Apr '13, 01:40

p​o​w​e​r​e​d by O​S​Q​A