
According to the ebook, pg 245 (reader)/pg 222 (book), in the paragraph right above "Writing Capture Filters", the author states that the PCAP library, aka the Capture Filter, may not be as powerful as the Display Filter of Wireshark, resulting in the latter requiring more execution time.

My question: is the Capture Filter (libpcap / WinPcap) capable of filtering data as deep as the SS7 application layer?

Thanks

Regards,

Eddie Choo

asked 26 Jul '11, 03:17


eddie choo

edited 26 Jul '11, 03:18

I just noticed this paragraph:

While tcpdump can decode protocols, it cannot directly address many of them. The keywords defined in the tcpdump filter language are oriented toward Link layer (layer 2) and Transmission Control Protocol/Internet Protocol (TCP/IP) filtering.

pg 223 (book)/pg 246 (reader)

Since it is always assumed that the MTP3 layer is equivalent to the TCP/IP layer and the Link Layer is equivalent to the MTP 1-2 layers, I think the answer to my question is no?

Thanks

(26 Jul '11, 03:24) eddie choo

Yes. As per my response to Jeff Morriss's answer, there are libpcap filters for MTP2 and MTP3 - not currently documented, which is a libpcap bug - but not for anything above that layer.

(26 Jul '11, 19:13) Guy Harris ♦♦

Correct: libpcap does not currently have (capture) filters for SS7. It's not that it could not, but no one has implemented it.


answered 26 Jul '11, 07:05


JeffMorriss ♦


More accurately, it doesn't have capture filters for SS7 above MTP3. The pcap-filter man page needs to be updated to describe the MTP2 and MTP3 filters libpcap does implement.

(26 Jul '11, 19:12) Guy Harris ♦♦

Doh! Silly me, looked at the documentation. (Actually I did try to look at the source, but couldn't figure it out enough to find anything... <sigh>)

(27 Jul '11, 06:15) JeffMorriss ♦

Depending on your requirements you could work around those limitations.

1) You could extend Wireshark/tshark with Lua and a packet tap which would save packets that match certain filters into separate files.

2) You could capture files with tcpdump/dumpcap and pipe them to tshark, which can then apply the -R "display_filter" option.


answered 26 Jul '11, 07:29


izopizo

You could filter for SCTP if that's the transport protocol and/or IP/port combination(s) to limit the captured packets.

(26 Jul '11, 21:35) Anders ♦
question asked: 26 Jul '11, 03:17

question was seen: 4,452 times

last updated: 27 Jul '11, 06:15