We have setup a wireshark monitoring server in our lab. We have used capture filter to filter traffic from specific ports. However there is a lot of SCTP heartbeat exchange between the nodes and this is causing overload on the server and the wireshark application is slowing down.
Is it possible to use capture filter on SCTP level to filter out SCTP heartbeat chhunks? Is this supported yet by the wireshark application? I tried to search this online but couldnt find any info on this.
asked 07 Aug '14, 13:24
Assuming that your SCTP stack does not send any other chunk types in the same IP packet as the heartbeat and acks, you can do that with a filter including a statement like 'not ip[x:1]=04 and not ip[x:1]=05', where "x" is the byte to start in out of the begining of the IP header of the packet. Basically, you're telling the capture filter to go "x" bytes into the packet and check to see if the next one byte (the chunk type byte in the SCTP header) is equal to 4 or 5 (heartbeat or acks).
I don't have a working example on hand at the moment but I've worked out a filter like that in the past with some success. I did run up against one (uncommon?) stack that was including other chunk types in heartbeats though so by filtering them you risk filtering data chunks also.
answered 07 Aug '14, 14:54
edited 07 Aug '14, 14:55