I am trying to use tshark to capture all udp packets that do not contain 0xFFFFFFFF or 0xD5D5D5. The capture filter I have defined is as follows:

    tshark -i eth0 -f "udp and udp[17:4] != 0xFFFFFFFF and udp[17:4] != 0xDBDBDBDB"

The bytes I do not want to capture have either 0xFF or 0xDB from byte number 17 to 80; all the udp packets have 80 bytes in the data payload. With tshark running, all packets are being captured with no filtering happening. Using wireshark and the following display filter:

    udp and not (frame contains 0xFFFFFFFF or frame contains 0xDBDBDBDB)

successfully removes all packets not meeting the specified criteria.

Can anyone work out where (if anywhere) I have gone wrong with the capture filter?

asked 15 Feb '15, 11:11

time2innov8


Display filter and capture filter are two different filter systems. Capture filters are optimized for high speed filtering while capturing frames, while display filters can filter on much more complicated things. Display filters are not time critical, so it doesn't matter how complex the filtering process is.

"frame contains" searches for the pattern in the whole frame. Your tshark filter basically requires that certain patterns do not appear at the offsets you specify, which is much more specific - the pattern must be at a very specific position or the filter won't apply.

answered 15 Feb '15, 11:48

Jasper ♦♦

The packets transmitted that are to be discarded have the required bytes in the specified positions. The only error may be in the slicing [17:4]; however, I am using a modified version of one listed in the tshark documentation, so I don't think that's the issue. Can anyone confirm that the supplied capture and display filters perform the same function?

(15 Feb '15, 12:21) time2innov8
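
The difference between the two filter semantics discussed in this thread, as an added Python example that is not part of the original posts: it emulates a fixed-offset comparison like `udp[17:4] != ...` next to a search-anywhere `contains` test. It relies on the pcap-filter rule that `udp[offset:size]` counts from the first byte of the 8-byte UDP header; the datagrams, ports and function names are constructed for illustration and are not the asker's traffic.

```python
import struct

UDP_HEADER_LEN = 8  # source port, destination port, length, checksum
PATTERNS = (0xFFFFFFFF, 0xDBDBDBDB)

def build_udp(payload, sport=5000, dport=5001):
    """Constructed UDP datagram (header + payload); checksum left at 0."""
    header = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0)
    return header + payload

def capture_filter_keeps(datagram, offset, patterns=PATTERNS):
    """Emulates: udp[offset:4] != p1 and udp[offset:4] != p2.
    The offset counts from the first byte of the UDP header, not the payload."""
    chunk = datagram[offset:offset + 4]
    if len(chunk) < 4:
        return False  # slice past the end of the packet: no match
    value = int.from_bytes(chunk, "big")
    return all(value != p for p in patterns)

def contains_filter_keeps(datagram, patterns=PATTERNS):
    """Emulates: not (contains p1 or contains p2), searching at any position.
    Simplification: only the UDP datagram is searched, not the whole frame."""
    return not any(p.to_bytes(4, "big") in datagram for p in patterns)

def payload_offset(n):
    """Capture-filter offset of zero-based payload byte n."""
    return UDP_HEADER_LEN + n

# Constructed 80-byte payloads (assumed layouts, not the asker's traffic).
CLEAN = build_udp(bytes(range(1, 81)))
FILLED = build_udp(bytes(range(1, 17)) + b"\xff" * 64)   # fill from payload byte 16
MIDDLE = build_udp(bytes(40) + b"\xdb" * 4 + bytes(36))  # pattern only at payload byte 40

if __name__ == "__main__":
    for name, pkt in (("CLEAN", CLEAN), ("FILLED", FILLED), ("MIDDLE", MIDDLE)):
        print(name,
              "udp[17:4] keeps:", capture_filter_keeps(pkt, 17),
              "udp[24:4] keeps:", capture_filter_keeps(pkt, payload_offset(16)),
              "contains keeps:", contains_filter_keeps(pkt))
```

In the FILLED case the fixed-offset test at 17 reads payload bytes 9 to 12 and keeps the packet, while the same test at offset 24 and the search-anywhere test both drop it; in the MIDDLE case only the search-anywhere test drops it.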