This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to do capture filter for IPv6 GTP encapsulated packets?

0

Hi,

is there a way to do capture filter for IPv6 on GTP encapsulated packets?

(ip[64:16]==0x2a008a00200000350000000000000011) or (ip6[64:16]==0x2a008a00200000350000000000000011)

I tried both; neither seems to work.

Thanks! Joseph

asked 03 Mar '16, 06:54

joseph75074

edited 04 Mar '16, 09:46


One Answer:

0

From the pcap-filter man page, you can only specify sizes of 1, 2, or 4.

proto [ expr : size ]

Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one.

The relop is wrong too; you should be using =, not ==, at least according to the man page.

expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of …

So, assuming the packet is IPv4-encapsulated, you probably need something like:

ip[64:4]=0x2a008a00 and ip[68:4]=0x20000035 and ip[72:4]=0x00000000 and ip[76:4]=0x00000011

answered 03 Mar ‘16, 09:13

cmaynard ♦♦

edited 03 Mar ‘16, 09:14

Hi, cmaynard:

Thanks for your reply! I tried with '=', still not working; this is for IPv6 GTP-encapsulated packets.

(03 Mar ‘16, 11:22) joseph75074

Maybe you could post a small capture file then? A single packet should suffice to get an idea of what the traffic looks like exactly.

(03 Mar ‘16, 11:44) cmaynard ♦♦

Sorry, I am new to this website; how do I upload a pcap file? It seems the .pcapng type is not allowed in the edit page.

(04 Mar ‘16, 07:17) joseph75074

Post the capture somewhere publicly accessible, e.g. Google Drive, Dropbox etc. and then edit your question with a link to the file.

(04 Mar ‘16, 07:20) grahamb ♦
1

Another possibility: since we probably only need to look at a single packet to determine the correct offsets (which is where I suspect the problem lies), you could also just convert a single packet to text using Wireshark's File -> Export Packet Dissections -> as "Plain Text" file... mechanism.

Choose only the Selected Packet, then deselect everything under the Packet Format section except Packet Bytes, which you DO select. You can then just edit your question or add a comment with the resulting text output that represents the bytes of the packet.

It ought to be possible to determine the correct offsets and data needed from the text alone and the packet can always be reconstructed using text2pcap, if needed.

(04 Mar ‘16, 09:08) cmaynard ♦♦
1

EDIT: I’m not sure why the previous comment was deleted, but the posted text essentially showed the following stack:

Ethernet (14 bytes)
802.1Q   (4 bytes)
IPv6     (40 bytes)
UDP      (8 bytes)
GTP      (8 bytes)
IPv6     (40 bytes)
DNS      ("who cares" bytes)

Well, that wasn’t the format I was looking for, but it’s probably enough to answer the question. You’ve got a vlan tag with outer IPv6 and your desired filter has changed, so try this instead:

vlan and ip6[64:4]=0x20030490 and ip6[68:4]=0xcff200d9 and ip6[72:4]=0x00000000 and ip6[76:4]=0x00563f01

I think the important piece you were missing was the vlan primitive. From the pcap-filter man page:

vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet. The vlan [vlan_id] expression may be used more than once, to filter on VLAN hierarchies. Each use of that expression increments the filter offsets by 4.
(04 Mar ‘16, 10:11) cmaynard ♦♦

Thanks, cmaynard! This works! I was able to capture those packets with that header size. But my problem is that I have other GTP SIP messages that have different header sizes, and I was not able to capture all of them related to the IPv6 address. Is there an easy way to capture based on the GTP IPv6 address, regardless of the header sizes?

(04 Mar ‘16, 12:58) joseph75074

It might be possible. If there are only a few different fixed-sized headers, then you might simply or them all together.

For example, suppose you have some headers such that the inner-IPv6 address starts at offset 64 from the outer-IPv6 header but others start at offset 80, then you might do something like so:

vlan and (ip6[64:4]=0x20030490 and ip6[68:4]=0xcff200d9 and ip6[72:4]=0x00000000 and ip6[76:4]=0x00563f01) or (ip6[80:4]=0x20030490 and ip6[84:4]=0xcff200d9 and ip6[88:4]=0x00000000 and ip6[92:4]=0x00563f01)

If there are too many different offsets, then it might be possible to dynamically find the offset for the given packet, but this really depends on your traffic, so you’d really need to post a capture file somewhere to see if it would be possible. Graham mentioned above some places where you can upload a capture file.

(04 Mar ‘16, 13:12) cmaynard ♦♦
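To make the offset arithmetic in this thread concrete, here is an added example in Python. It is not code from the question or from the answers, and it is not a Wireshark or libpcap tool; it uses only the standard library. It constructs a frame with the stack shown in the EDIT comment (Ethernet / 802.1Q / IPv6 / UDP / GTP / IPv6), works out where the inner IPv6 header lands relative to the outer one (40 + 8 + 8 = 56, so the inner source address field starts at 64), emits the four-word ip6[off:4] filter the answer describes, and emulates that filter against the frame. It also builds a frame whose GTPv1 header carries the optional 4-byte fields (sequence number, N-PDU number, extension header type), which shifts the inner address by 4 bytes and is one way the "different header sizes" of the last comment arise; a fixed-offset filter misses that frame while a parser that follows the header lengths still finds the address. MAC addresses, outer addresses, TEID and payload are constructed values.

```python
"""Work out pcap-filter ip6[] offsets for an address carried inside GTP-U and check them
against a constructed frame (added example; standard library only)."""
import ipaddress

ETH_LEN, VLAN_LEN, IPV6_LEN, UDP_LEN, GTP_BASE_LEN = 14, 4, 40, 8, 8
IPV6_SRC_OFF, IPV6_DST_OFF = 8, 24   # field offsets inside any IPv6 header
TARGET = "2003:490:cff2:d9::56:3f01"  # the address from the comment's filter, used as the inner source


def build_frame(inner_src, inner_dst, gtp_flags=0x30):
    """Constructed sample: Ethernet / 802.1Q / IPv6 / UDP 2152 / GTPv1-U / IPv6 / 4 payload bytes.
    gtp_flags=0x30 is a plain 8-byte GTPv1 header; any of the E/S/PN bits (0x07) adds 4 optional bytes."""
    payload = b"\xde\xad\xbe\xef"
    inner = (b"\x60\x00\x00\x00" + len(payload).to_bytes(2, "big") + b"\x3b\x40"  # next header 59, hop limit 64
             + ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed + payload)
    opt = b"\x00\x00\x00\x00" if gtp_flags & 0x07 else b""      # seq number, N-PDU number, next ext header
    gtp = (bytes([gtp_flags, 0xFF]) + (len(opt) + len(inner)).to_bytes(2, "big")  # msg type 0xFF = G-PDU
           + b"\x00\x00\x00\x01" + opt)                                          # constructed TEID 1
    udp = ((2152).to_bytes(2, "big") * 2                                          # GTP-U port both ways
           + (UDP_LEN + len(gtp) + len(inner)).to_bytes(2, "big") + b"\x00\x00")  # checksum not computed
    outer = (b"\x60\x00\x00\x00" + (len(udp) + len(gtp) + len(inner)).to_bytes(2, "big") + b"\x11\x40"  # UDP
             + ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed)
    eth = bytes.fromhex("020000000001" "020000000002" "8100" "0064" "86dd")     # 802.1Q tag (VLAN 100), then IPv6
    return eth + outer + udp + gtp + inner


def outer_ipv6_offset(frame):
    """Absolute offset of the outer IPv6 header. The 4-byte 802.1Q tag is exactly what the
    `vlan` primitive tells pcap-filter to skip before applying ip6[] offsets."""
    ethertype = int.from_bytes(frame[12:14], "big")
    off = ETH_LEN
    if ethertype == 0x8100:
        ethertype = int.from_bytes(frame[16:18], "big")
        off += VLAN_LEN
    if ethertype != 0x86DD:
        raise ValueError("not an IPv6 frame")
    return off


def gtp_header_len(gtp):
    """GTPv1: 8 mandatory bytes, plus 4 optional bytes if any of the E/S/PN flag bits is set."""
    return GTP_BASE_LEN + (4 if gtp[0] & 0x07 else 0)


def inner_ipv6_offset(frame):
    """Offset of the inner IPv6 header relative to the outer one, i.e. in ip6[] terms."""
    outer = outer_ipv6_offset(frame)
    if frame[outer + 6] != 17:
        raise ValueError("outer IPv6 next header is not UDP")
    gtp = outer + IPV6_LEN + UDP_LEN
    return gtp + gtp_header_len(frame[gtp:]) - outer


def bpf_filter(addr, field_offsets, vlan_tagged=True):
    """Spell a 16-byte address as four 4-byte ip6[] comparisons (pcap-filter allows sizes 1, 2, 4 only).
    Several candidate offsets are or'ed together inside one parenthesised group."""
    packed = ipaddress.IPv6Address(addr).packed
    groups = []
    for off in field_offsets:
        terms = [f"ip6[{off + 4 * i}:4]=0x{packed[4 * i:4 * i + 4].hex()}" for i in range(4)]
        groups.append(" and ".join(terms))
    expr = groups[0] if len(groups) == 1 else "(" + " or ".join(f"({g})" for g in groups) + ")"
    return ("vlan and " if vlan_tagged else "") + expr


def ip6_word(frame, off, size):
    """Emulate ip6[off:size] with `vlan` already applied: read relative to the outer IPv6 header."""
    base = outer_ipv6_offset(frame)
    return int.from_bytes(frame[base + off:base + off + size], "big")


def fixed_offset_match(frame, addr, field_offset):
    """What the BPF filter does: compare four words at one fixed offset."""
    packed = ipaddress.IPv6Address(addr).packed
    return all(ip6_word(frame, field_offset + 4 * i, 4) == int.from_bytes(packed[4 * i:4 * i + 4], "big")
               for i in range(4))


def inner_src(frame):
    """What a fixed-offset filter cannot do for GTP: follow the header lengths to the inner source address."""
    base = outer_ipv6_offset(frame) + inner_ipv6_offset(frame)
    return str(ipaddress.IPv6Address(frame[base + IPV6_SRC_OFF:base + IPV6_SRC_OFF + 16]))


if __name__ == "__main__":
    plain = build_frame(TARGET, "2001:db8::53")
    with_seq = build_frame(TARGET, "2001:db8::53", gtp_flags=0x32)   # S bit set: 12-byte GTP header
    for name, frame in (("plain", plain), ("with_seq", with_seq)):
        src_off = inner_ipv6_offset(frame) + IPV6_SRC_OFF
        print(name, "inner src at ip6 offset", src_off, "->", bpf_filter(TARGET, [src_off]))
        print("  fixed filter at 64 matches:", fixed_offset_match(frame, TARGET, 64),
              "| parsed inner src:", inner_src(frame))
```

For the plain frame the generated filter is exactly the one in the comment above, and the emulation matches at offset 64; for the frame with the GTP sequence field the same filter misses and offset 68 is needed, which is why a filter for mixed traffic ends up as several offset groups or'ed together. The grouping with parentheses around the or'ed alternatives is a choice made here so that `vlan` unambiguously applies to every alternative.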