Hi, I want to run a tcpdump capture for all Diameter messages (port 3868), but I do not want the Watchdog request/response in the output pcap file. What kind of filter expression can I use? Advice appreciated; rgds
asked 18 Aug '15, 10:05 karhong
2 Answers:
This is the display filter after you finished capturing:
(diameter) && !(diameter.cmd.code == 280)
answered 18 Aug '15, 11:07 Amato_C
HINT: If you remove single frames from a TCP stream, Wireshark will display error messages, because it looks like packet loss, so please ignore error messages like "TCP ACKed unseen segment" or similar after you apply my capture filter!!
BTW: There might be better, more elegant capture filters to achieve your goal, but I have no time to optimize anything. It works, so it's good enough for me ;-)
Option #1: Remove frames that are not Watchdog Request/Answer frames.
However this will also remove (most) ACK frames, as they don't have any data at position tcp[36:4], so you will see TCP error messages in Wireshark if you open the resulting pcap file.
Option #2: Remove frames that are not Watchdog Request/Answer frames, but also keep ACK frames.
However this will also keep the ACK frames for the removed Watchdog frames, so again: error messages in Wireshark about missing frames!
Option #3: Remove everything without TCP payload and frames that are not Watchdog Request/Answer frames.
However this will also remove the ACK frames for the remaining Diameter frames, so again: error messages in Wireshark!
Regards
answered 19 Aug '15, 13:48 Kurt Knochner ♦
Hi,
That is the display filter. What I am looking for is filtering out the Diameter Watchdog requests/responses during the capturing phase. I have taken a look at the manpage of 'pcap-filter'. Those filters have a different syntax from the display filters.
Thanks in advance; rgds.
You can use the above display filter, then export your capture file using only the displayed packets (File - Export Specified Packets - under Packet Range make sure the "Displayed" column is selected and "All packets").
You would then have a capture file that only contains the Diameter messages, but no Watchdog requests and responses. If you are inspecting the capture live, only what is displayed should matter; when you are done and want to review it later, the exported file would contain only the data you wanted.
Capture filters have a much more restricted view of the traffic, they're built for efficiency, and as such they don't understand the diameter protocol.
If the required values are always at the same offset in the capture you can use a capture offset filter using the slicing notation, e.g. tcp[x] = 280, where x is the offset of the diameter.cmd.code field.
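The offset-based capture filter discussed in the answer above and in the last comment can be checked before it touches a live interface. The following is an added example, not code from the thread or from any of its posters. It writes out a capture filter for "Diameter on 3868, minus Watchdog (command code 280)" that derives the payload offset from the TCP data-offset nibble instead of hard-coding it, builds a few constructed Diameter-over-TCP packets (identifiers, addresses and the timestamp option bytes are made up), and evaluates the same byte-offset test by hand, including the BPF rule that a load past the end of the packet rejects the packet even under `not`, which is what drops the pure ACKs:

```python
"""Check a Diameter capture filter offline.

Added example (not code from the thread): builds constructed
Diameter-over-TCP packets and evaluates, by hand, the byte-offset test
that the pcap capture filter below performs.
"""
import struct

DIAMETER_PORT = 3868
CMD_WATCHDOG = 280   # Device-Watchdog-Request/Answer, RFC 6733
CMD_CAPEX = 257      # Capabilities-Exchange-Request/Answer, RFC 6733

# Diameter header (RFC 6733): version(1) length(3) flags(1) code(3) app-id(4)
# hop-by-hop(4) end-to-end(4).  The command code is 3 bytes at payload
# offset 5; BPF slices are 1, 2 or 4 bytes wide, so read 4 bytes starting
# at offset 4 (flags + code) and mask the flags away.  The TCP header length
# is the high nibble of tcp[12] times 4, i.e. (tcp[12]&0xf0)>>2, which keeps
# the offset right whether or not TCP options (timestamps, SACK) are present.
CAPTURE_FILTER = ("tcp port 3868 and not "
                  "(tcp[((tcp[12]&0xf0)>>2)+4:4] & 0xffffff = 280)")

# Variant that also keeps segments with no payload (pure ACKs), at the cost
# of keeping the ACKs that belong to the dropped watchdog messages.
CAPTURE_FILTER_KEEP_ACKS = (
    "tcp port 3868 and ("
    "(ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) = 0 or "
    "(tcp[((tcp[12]&0xf0)>>2)+4:4] & 0xffffff != 280))")


def diameter_header(cmd_code, request, body=b""):
    """Minimal Diameter header with constructed identifiers; no AVPs."""
    flags = 0x80 if request else 0x00
    hdr = struct.pack("!B3sB3sIII", 1, (20 + len(body)).to_bytes(3, "big"),
                      flags, cmd_code.to_bytes(3, "big"), 0, 1, 2)
    return hdr + body


def tcp_ip_packet(payload, tcp_options=b"", sport=40000, dport=DIAMETER_PORT):
    """IPv4/TCP wrapper with constructed addresses and zero checksums."""
    assert len(tcp_options) % 4 == 0
    data_offset = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, data_offset << 4,
                      0x18, 65535, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def tcp_slice(pkt, offset, size):
    """Emulate tcp[offset:size].  As in BPF, a load past the end of the
    packet is an error that rejects the packet, signalled here by None."""
    start = ((pkt[0] & 0x0f) << 2) + offset
    if start + size > len(pkt):
        return None
    return int.from_bytes(pkt[start:start + size], "big")


def tcp_payload_len(pkt):
    """ip total length - IP header length - TCP header length."""
    ihl = (pkt[0] & 0x0f) << 2
    return int.from_bytes(pkt[2:4], "big") - ihl - ((pkt[ihl + 12] & 0xf0) >> 2)


def capture_filter_matches(pkt, keep_acks=False):
    """Evaluate CAPTURE_FILTER (or the keep-ACKs variant) on one IPv4 packet."""
    if pkt[9] != 6 or DIAMETER_PORT not in (tcp_slice(pkt, 0, 2), tcp_slice(pkt, 2, 2)):
        return False
    if keep_acks and tcp_payload_len(pkt) == 0:
        return True                      # left side of the "or" already true
    doff_byte = tcp_slice(pkt, 12, 1)
    if doff_byte is None:
        return False
    word = tcp_slice(pkt, ((doff_byte & 0xf0) >> 2) + 4, 4)
    if word is None:
        return False                     # out-of-range load rejects, even under "not"
    return (word & 0xffffff) != CMD_WATCHDOG


def demo():
    """Which constructed packets survive each filter: (strict, keep_acks)."""
    ts_option = bytes.fromhex("0101080a0000000100000002")   # NOP NOP TS, 12 bytes
    packets = {
        "DWR":        tcp_ip_packet(diameter_header(CMD_WATCHDOG, True)),
        "DWA+tsopt":  tcp_ip_packet(diameter_header(CMD_WATCHDOG, False), ts_option),
        "CER":        tcp_ip_packet(diameter_header(CMD_CAPEX, True)),
        "CEA+tsopt":  tcp_ip_packet(diameter_header(CMD_CAPEX, False), ts_option),
        "pure ACK":   tcp_ip_packet(b"", ts_option),
    }
    return {name: (capture_filter_matches(p), capture_filter_matches(p, True))
            for name, p in packets.items()}


if __name__ == "__main__":
    print(CAPTURE_FILTER)
    for name, (strict, keep) in demo().items():
        print(f"{name:10s} strict={strict!s:5s} keep_acks={keep}")
```

With a 32-byte TCP header (20 bytes plus a 12-byte timestamp option) the slice lands at tcp[36:4], which is why a fixed offset only works for one header layout. The filter string can be compiled without capturing anything via `tcpdump -d '<filter>'`, and applied to an existing file with `tcpdump -r in.pcap -w out.pcap '<filter>'`; the display-filter route from the accepted answer is scriptable as `tshark -r in.pcap -Y 'diameter && !(diameter.cmd.code == 280)' -w out.pcap`. Two caveats the filter cannot address: it only inspects the first Diameter message at the start of a segment, so a Watchdog that follows another message in the same segment, or whose header straddles a segment boundary, still gets through; and Diameter over SCTP (also port 3868) has different offsets and is not covered.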