According to the ebook, pg 245 (reader)/pg 222 (book), in the paragraph right above "Writing Capture Filters", the author states that the PCAP library, aka the Capture Filter, may not be as powerful as the Display Filter of Wireshark, with the result that the latter requires more execution time. My question: is the Capture Filter (libpcap / WinPcap) capable of filtering data as deep as the SS7 application layer? Thanks. Regards, Eddie Choo
asked 26 Jul '11, 03:17 eddie choo, edited 26 Jul '11, 03:18
2 Answers:
Correct: libpcap does not currently have (capture) filters for SS7. It's not that it could not, but no one has implemented it.
answered 26 Jul '11, 07:05 JeffMorriss

More accurately, it doesn't have capture filters for SS7 above MTP3. The pcap-filter man page needs to be updated to describe the MTP2 and MTP3 filters libpcap does implement. (26 Jul '11, 19:12) Guy Harris

Doh! Silly me, looked at the documentation. (Actually I did try to look at the source, but couldn't figure it out enough to find anything... <sigh>) (27 Jul '11, 06:15) JeffMorriss
Depending on your requirements you could work around those limitations.
1) You could extend Wireshark/tshark with Lua and a packet tap, which would save packets that match certain filters into separate files.
2) You could capture with tcpdump/dumpcap and pipe the packets to tshark, which can then apply the -R "display_filter" option.
answered 26 Jul '11, 07:29 izopizo

You could filter for SCTP if that's the transport protocol and/or IP/port combination(s) to limit the captured packets. (26 Jul '11, 21:35) Anders
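An added example of workaround 1) above, written for this page and not taken from the original answer or from the Wireshark project: a Lua listener (tap) that lets tshark do the SS7-layer filtering that libpcap cannot, and saves only the matching packets to a separate pcap file. The filter "isup", the output file name and the Ethernet encapsulation (SIGTRAN/SCTP over IP) are assumptions; any display filter such as sccp, tcap or gsm_map works the same way.

```lua
-- ss7_tap.lua (hypothetical script name)
-- Save packets that pass an SS7-layer display filter into their own pcap file.
-- Run with:  tshark -i eth0 -f "sctp" -X lua_script:ss7_tap.lua
-- The -f "sctp" capture filter (libpcap) trims traffic early; the display
-- filter below does the deep, SS7-layer matching that libpcap cannot.

local out_file  = "isup_only.pcap"   -- assumed output name
local match_flt = "isup"             -- assumed display filter; sccp, tcap, gsm_map ...

-- Listener.new(tap, filter): no protocol tap, only packets passing the filter
local tap    = Listener.new(nil, match_flt)
local dumper = nil
local saved  = 0

function tap.packet(pinfo, tvb)
    if dumper == nil then
        -- Open the output file lazily, on the first matching packet.
        -- Assumes the capture is Ethernet-encapsulated (e.g. M3UA/SCTP/IP);
        -- for a raw MTP2 capture the encapsulation would need to be changed.
        dumper = Dumper.new(out_file, wtap_filetypes.PCAP, wtap_encaps.ETHERNET)
    end
    dumper:dump_current()            -- write the current frame exactly as captured
    saved = saved + 1
end

-- draw() is called by tshark at the end of the run (periodically in the GUI)
function tap.draw()
    if dumper then dumper:flush() end
    print(string.format("%d packet(s) matching '%s' written to %s",
                        saved, match_flt, out_file))
end

-- reset() is called when the capture is restarted or the filter is reapplied
function tap.reset()
    if dumper then
        dumper:close()
        dumper = nil
    end
    saved = 0
end
```

The resulting file still contains the lower layers (Ethernet/IP/SCTP/M3UA), so it can be reopened in Wireshark and dissected normally.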
I just noticed this paragraph:
pg 223 (book)/pg 246 (reader)
Since it is always assumed that the MTP3 layer is equivalent to the TCP/IP layer and the Link Layer is equivalent to the MTP 1-2 layers, I think the answer to my question is no?
Thanks
Yes. As per my response to Jeff Morriss's answer, there are libpcap filters for MTP2 and MTP3 - not currently documented, which is a libpcap bug - but not for anything above that layer.