Hi, I am wondering if there is an easy way to split bundled packets into separate packets. For example, I have a file which looks like this: [IP][UDP][Header][Payload][Header2][Payload2][Header3][Payload3][Header4][Payload4] So it is one IP packet which has 4 smaller packets bundled into one, on one row in Wireshark. I would like to put each individual packet on a separate line, so that the file looks like this:
Is there a simple way of doing this? Using editcap, Lua, some script etc? Very grateful for help. BR Harkap asked 10 Apr '13, 01:08 harkap edited 10 Apr '13, 01:08
2 Answers:
There is no (easy) way of doing that with Wireshark as this is not how Wireshark has been designed. The packet list is exactly that: it lists packets as they were seen on the network. However, with reassembly enabled, some data from packet X might be shown in packet Y as the payload had to be reassembled. There is no way to split a packet into multiple entries in the packet list. answered 10 Apr '13, 01:46 SYN-bit ♦♦

I think the OP is asking for dissectors for each payload in the packet. Depending on the protocol (and how much of the payload he/she wants dissected), that's relatively easy to do in C or Lua (Lua being simpler IMO). (10 Apr '13, 06:12) helloworld

With "on one row in wireshark. I would like to put each individual packet on a separate line." I assumed the OP wants to have a new row in the packet list for each header/payload combo and not in the packet details (which, as you say, is very easy to implement). (10 Apr '13, 06:18) SYN-bit ♦♦
This filter will show all packets where:
BUT there is no guarantee that these fields are present in matching header/payload combinations.
Are you saying that there can be packets displayed where there is a header where field x3 has the value 4 but there is no payload in the packet that has a field y2 with the value 2 (or vice versa)? In that case there is indeed a bug in the filtering engine... But my bet is that it's just showing packets where both fields are present with the selected values, but just not in corresponding header/payload pairs. Possible solutions: answered 11 Apr '13, 01:29 SYN-bit ♦♦

Hi, "But my bet is that it's just showing packets where both fields are present with the selected values, but just not in corresponding header/payload pairs." Correct. I will look into MATE to see if I find it possible. I looked at the script for SCTP, but unfortunately understand very little about it, and how to apply it to my situation. By using Lua, do you mean that I create a script in which the input commands are what I am searching for, and then it searches the file and displays the lines? Any suggestions of a clever high-level way of implementing this would be highly appreciated. BR Harkap (11 Apr '13, 01:46) harkap

(please use "add a comment" to respond to given answers, see the FAQ for details) By creating a Lua tap, you can examine the packet in full detail within the script, but I have no experience doing so, so I can't draw a high-level design for you nor can I indicate how much work it would be. As for the SCTP unbundle script, you would need to alter/add the following:
If you're unable to alter the script yourself or find someone to do it for you, you can contact me (address is in my user profile) on altering the script for you on a consultancy basis... (11 Apr '13, 02:05) SYN-bit ♦♦

Hi, As for the Lua tap: I found the example and am wondering how it can be modified, see comment below. I have found that the tap works well in choosing the right packets, that is, where the combination of header and payload is correct.

-- simple_http.lua
-- implements a very simple tap in Lua

-- this is going to be our counter
http_packets = 0

-- this is going to be our tap
tap_http = nil

-- first we declare the tap called "http tap" with the filter it is going to use
tap_http = Listener.new(nil, "header.x1 == 2 && payload.y3 == 7")

-- this function will get called at the end of the capture to print the summary
function tap_http.draw()
    debug("http packets:" .. http_packets)
end

-- this function is going to be called once each time the filter of the tap matches
function tap_http.packet()
    -- counter increment as in the original simple_http.lua example, so draw() has something to report
    http_packets = http_packets + 1
    -- Here I would like to print out the packet to a new pcap file, or a new window,
    -- or perhaps just the line (packet number) where this packet can be found
end

-- this function will be called at the end of the capture run
function tap_http.reset()
    http_packets = 0
end

Any ideas? Thank you /Harkap (16 Apr '13, 00:48) harkap
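Added example (not code from the thread, and not a Wireshark script): a small Python program that reproduces the two things discussed in the answer above and in the comments below. First, it shows why the display filter "header.x3 == 4 && payload.y2 == 2" matches a whole bundled packet as soon as some header has x3 == 4 and some other payload has y2 == 2, versus a pairwise check that only reports the sub-packets whose own header and payload both match. Second, it does what the Lua tap comment asks for: it writes each sub-packet out as its own IPv4/UDP record in a pcap file, so each one gets its own row in Wireshark. The field layout (three one-byte header fields x1..x3, then two payload bytes holding y1:3, y2:2, y3:3, y4:4, y5:4 bits, MSB first) is taken from the description in the thread; the bit order, the placeholder IP addresses and ports, LINKTYPE_RAW (101) as the link type, and the sample bundle are assumptions made for this example.

```python
"""Constructed example: pairwise filtering and per-sub-packet splitting of a bundled UDP payload."""
import struct

HEADER_LEN = 3   # x1, x2, x3: one byte each (layout as described in the thread)
PAYLOAD_LEN = 2  # y1:3 y2:2 y3:3 | y4:4 y5:4 bits; MSB-first bit order is an assumption
UNIT_LEN = HEADER_LEN + PAYLOAD_LEN


def build_unit(x1, x2, x3, y1, y2, y3, y4, y5):
    """Encode one header/payload pair; only used to construct sample data."""
    b1 = (y1 << 5) | (y2 << 3) | y3
    b2 = (y4 << 4) | y5
    return bytes([x1, x2, x3, b1, b2])


def parse_bundle(data):
    """Split a bundled UDP payload into a list of (header, payload) dicts."""
    if len(data) % UNIT_LEN:
        raise ValueError("bundle length %d is not a multiple of %d" % (len(data), UNIT_LEN))
    units = []
    for off in range(0, len(data), UNIT_LEN):
        x1, x2, x3, b1, b2 = data[off:off + UNIT_LEN]
        header = {"x1": x1, "x2": x2, "x3": x3}
        payload = {"y1": b1 >> 5, "y2": (b1 >> 3) & 0x3, "y3": b1 & 0x7,
                   "y4": b2 >> 4, "y5": b2 & 0xF}
        units.append((header, payload))
    return units


def whole_packet_match(units, x3, y2):
    """Semantics of 'header.x3 == X && payload.y2 == Y' as a display filter on one row:
    each side is true if ANY occurrence of that field in the packet has the value,
    so the two halves do not have to come from the same header/payload pair."""
    return (any(h["x3"] == x3 for h, _ in units)
            and any(p["y2"] == y2 for _, p in units))


def pairwise_match(units, x3, y2):
    """Indexes of the sub-packets whose OWN header and payload both match."""
    return [i for i, (h, p) in enumerate(units) if h["x3"] == x3 and p["y2"] == y2]


def _ones_complement_sum(data):
    """RFC 1071 Internet checksum over data (pads an odd trailing byte with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_udp_frame(src, dst, sport, dport, payload):
    """Raw IPv4+UDP packet with no link layer. UDP checksum 0 means 'not computed',
    which is legal for UDP over IPv4; the IPv4 header checksum is filled in."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def split_bundle_to_pcap(bundle, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=5000, ts=0.0):
    """pcap file bytes with one IPv4/UDP record per sub-packet (LINKTYPE_RAW = 101).
    Addresses and ports are placeholders: the original datagram's IP/UDP headers are not kept."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)]
    sec, usec = int(ts), int((ts - int(ts)) * 1e6)
    for off in range(0, len(bundle), UNIT_LEN):
        frame = ipv4_udp_frame(src, dst, sport, dport, bundle[off:off + UNIT_LEN])
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample: four sub-packets bundled into one UDP datagram.
SAMPLE_BUNDLE = b"".join([
    build_unit(1, 0, 4, 1, 0, 5, 9, 3),   # header.x3 == 4, payload.y2 == 0
    build_unit(1, 0, 1, 2, 2, 0, 0, 7),   # header.x3 == 1, payload.y2 == 2
    build_unit(2, 9, 4, 3, 2, 1, 15, 0),  # header.x3 == 4, payload.y2 == 2  <- the only real hit
    build_unit(2, 9, 3, 0, 1, 2, 4, 4),   # matches neither
])

if __name__ == "__main__":
    units = parse_bundle(SAMPLE_BUNDLE)
    print("whole-packet filter matches:", whole_packet_match(units, 4, 2))
    print("sub-packets that really match:", pairwise_match(units, 4, 2))
    first_two = parse_bundle(SAMPLE_BUNDLE[:2 * UNIT_LEN])   # x3==4 and y2==2 in DIFFERENT pairs
    print("first two only: whole-packet", whole_packet_match(first_two, 4, 2),
          "pairwise", pairwise_match(first_two, 4, 2))
    with open("split.pcap", "wb") as f:
        f.write(split_bundle_to_pcap(SAMPLE_BUNDLE))
```

Run it and open split.pcap in Wireshark: each sub-packet is its own row, so once the company dissector is bound to the UDP port used here, "header.x3 == 4 && payload.y2 == 2" can only be true for a row whose single header and single payload both match. The first-two-only case is the false positive described in the thread: the whole-packet check says True while no pair actually matches. Note that splitting this way discards the real IP/UDP headers and timestamp of the bundle, so keep the original capture alongside the split one.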
What exactly do you mean by that? What kind of Wireshark output do you mean? GUI, text? How did you generate that output?
Hi,
What exactly do you mean by that?
One line in the wireshark packet list pane : http://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html
What kind of Wireshark output do you mean?
Save it as another .pcap file.
How did you generate that output?
What output do you mean? I have a .pcap file where I have captured packets.
With "on one row in wireshark. I would like to put each individual packet on a separate line." I assumed the OP wants to have a new row in the packet list for each header/payload combo and not in the packet details
Exactly
The background to this problem is that it is difficult to find a packet, that is a Header + Payload combination, that fulfills certain criteria (one field in the header = x and another field in the payload = y). When I put on this filter (header.1 = x && payload.3 = y), Wireshark gives me all the rows (lines) in the packet list where one packet has either header.1 = x or payload.3 = y. In this way it is very hard to find the specific packets that I am looking for.
That's why I thought that splitting the bundled packets into smaller packets on each row would make this search work well.
Thanks so far.
BR Harkap
That seems like a display-filter problem to me. What is the exact protocol you're working with? and what is the filter you're trying? Can you post a sample pcap on http://cloudshark.org (and link it here)?
Hi,
What is the exact protocol you're working with? and what is the filter you're trying?
Unfortunately I cannot paste it here since it is work-related data. But the appearance is similar. A Header with three data variables, all one byte each: x1, x2, x3. And the Payload part has 5 data variables: y1 3 bits, y2 2 bits, y3 3 bits, y4 4 bits, y5 4 bits. The filter I am using is (header.x3 == 4 && payload.y2 == 2)
And, as mentioned, this expression displays all the rows in which at least one of the packets in the bundle has either header.x3 = 4 or payload.y2 = 2.
BR Harkap
It could be a bug in your dissector -- particularly, in the way you're adding the fields (e.g., the bitmask or byte offset is wrong). Can you show the line of code from your dissector that adds the header.x3 and payload.y2 fields?
Hi,
Can you show the line of code from your dissector that adds the header.x3 and payload.y2 fields?
This is not my dissector, it's a built-in dissector, somewhat changed for company modification. I am rather certain that it is no bug since the packet is a bundled packet; it is supposed to show all packets in the bundle on one line.
But perhaps you mean that something in the dissector implementation makes the filtering not work correctly?
BR Harkap
Right, that's what I meant. Which built-in dissector is it? We might be able to craft our own packet to troubleshoot this.