
Monday, November 24, 2014

Packet capture byte level filter

In this post I will explain how to filter a capture at the byte level, using EIGRP packets as the example.

To filter a capture for EIGRP packets with a Wireshark display filter expression:

eigrp.opcode == 1

This displays only EIGRP Updates; change the value to 2 (Request), 3 (Query), 4 (Reply) or 5 (Hello) for the other message types.

Filtering a capture by byte offset -

Choose an EIGRP Update packet and select the Opcode field (1):

When you select the field in the packet detail pane, the corresponding byte is highlighted in the packet bytes pane (2). Note that the byte 01 sits in the grey area that represents the EIGRP payload; the payload starts with the byte 02 (the EIGRP version), so 01 is its second byte, at offset 1. To capture all EIGRP packets whose second payload byte has the value 01 we use the following string:

eigrp[01:1]==01

Syntax: <PROTOCOL>[<START_FIELD>:<NUMBER_OF_BYTES_TO_COUNT>]<OPERATOR><VALUE>

PROTOCOL - the protocol we are filtering on: IP, EIGRP, OSPF, GRE, whatever is needed
START_FIELD - the byte offset, counted from zero, at which the comparison starts within that protocol's bytes
NUMBER_OF_BYTES_TO_COUNT - how many bytes to compare from that offset; in my example I used 1, so only the single byte that follows the first byte
OPERATOR - any comparison operator: equal, not equal, greater or less than, contains, etc.
VALUE - the byte value(s) to compare against, written in hex

Here is another example, which matches EIGRP packets whose 11th and 12th bytes (two bytes starting at offset 10) have the value 002f:

eigrp[10:2]==002f

This method works in both tcpdump and Wireshark, for display and capture filters alike, and can be used to match any packet that carries a specific byte value at a known offset.
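The bracket filter is nothing more than a byte-slice comparison. As an added example that is not part of the original post, the following Python re-implements that comparison over raw IPv4 packets so you can see exactly which bytes `eigrp[01:1]==01` and `eigrp[10:2]==002f` test; the functions `parse_filter`, `layer_bytes`, `match` and `eigrp_packet` and the `IP_PROTO` table are constructed for this demo and are not Wireshark or tcpdump code.

```python
import re
import struct

# IP protocol numbers for the layer names this demo understands (constructed table);
# "ip" refers to the IPv4 packet itself. EIGRP is IP protocol 88.
IP_PROTO = {"eigrp": 88, "ospf": 89, "gre": 47, "tcp": 6, "udp": 17}
FILTER_RE = re.compile(r"^(\w+)\[(\d+):(\d+)\]\s*(==|!=)\s*([0-9a-fA-F]+)$")

def parse_filter(expr):
    """Split '<proto>[<start>:<count>]<op><hexvalue>' into (proto, start, count, op, value)."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    proto, start, count, op, hexval = m.groups()
    start, count = int(start), int(count)          # '01' parses as offset 1, as in the post
    value = bytes.fromhex(hexval.zfill(2 * count)) # '01' -> b'\x01', '002f' -> b'\x00\x2f'
    if len(value) != count:
        raise ValueError("%s does not fit in %d byte(s)" % (hexval, count))
    return proto.lower(), start, count, op, value

def layer_bytes(pkt, proto):
    """Return the bytes of the named layer inside a raw IPv4 packet, or None if absent."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    if proto == "ip":
        return pkt
    if pkt[9] != IP_PROTO.get(proto):
        return None                                # packet does not carry this protocol
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes; payload follows it
    return pkt[ihl:]

def match(expr, pkt):
    """True when pkt satisfies the byte-offset filter, with the post's semantics."""
    proto, start, count, op, value = parse_filter(expr)
    layer = layer_bytes(pkt, proto)
    if layer is None or start + count > len(layer):
        return False                               # no such layer, or slice runs past its end
    equal = layer[start:start + count] == value
    return equal if op == "==" else not equal

def eigrp_packet(opcode, seq=0, asn=1):
    """Constructed IPv4 + EIGRP frame: 20-byte IP header, 20-byte EIGRP header, no TLVs."""
    # EIGRP header: version 2, opcode, checksum (left 0), flags, sequence, ack, AS number
    eigrp = struct.pack("!BBHIIII", 2, opcode, 0, 0, seq, 0, asn)
    # IPv4 header: ver/IHL 0x45, TOS, total length, id, flags/frag, TTL 1, proto 88, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(eigrp), 0, 0, 1, 88, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 10]))
    return ip + eigrp
```

In BPF capture filters (tcpdump, or the Wireshark capture filter box) the layer name must be one BPF knows, so the same opcode test is written against the IP layer, for example `ip proto 88 and ip[21:1] == 1` when the IP header is 20 bytes; the `ip[9:1]==58` form, which checks the IP protocol byte itself, works in both places.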
