
I am using pcap4j for reading packets in Java. I want to generate an alert on receiving a packet with abort. For now I am unable to apply a filter for abort. I have attached code below.

    PcapHandle handle;
    Pcap pcap;                                   // unused in this snippet
    handle =
        Pcaps.openOffline("D://nm_postpaid_testing.pcap", TimestampPrecision.NANO);


    //handle.setFilter("tcap.reason == 11", BpfCompileMode.OPTIMIZE);
    System.out.println("Starting output: ");

    PcapPacket packet = null;                    // unused in this snippet


    String filter = "pcap abort 11";
    handle.setFilter(filter, BpfCompileMode.OPTIMIZE);   // throws PcapNativeException if the BPF expression does not compile
    PacketListener listener = new PacketListener() {
        @Override
        public void gotPacket(PcapPacket pp) {

            System.out.println("/////////////START////////////////");
            System.out.println(Arrays.toString(pp.getRawData()));   // raw frame bytes, link layer included

            SctpDecoder sctpDecoder = new SctpDecoder();   // the poster's own decoder class, not part of pcap4j

            //sctpDecoder.decode(pp.getRawData(), "IP", "*", true, "DECODE:TCAP");

            System.out.println("///////////////END//////////////\n");

        }
    };

    handle.loop(4, listener);   // hand the next four packets that pass the filter to the listener, then return


  • I think the text you are using for your filter, "pcap abort 11", is invalid. If I'm not mistaken, this page describes the allowed syntax: https://www.tcpdump.org/manpages/pcap-filter.7.html – selalerer Sep 16 '19 at 10:44


Invalid Capture Filter

The capture filter `pcap abort 11` is not valid (line 13). You can test this with `dumpcap -d -f "<filter>"` like so:

    bash-5.0$ dumpcap -d -f "pcap abort 11"
    Capturing on 'Wi-Fi: en0'
    dumpcap: Invalid capture filter "pcap abort 11" for interface 'en0'.

    That string isn't a valid capture filter (syntax error in filter expression: syntax error).
    See the User's Guide for a description of the capture filter syntax.

If it's valid, dumpcap will show you the BPF instructions for the filter.

You have a `tcap.reason == 11` (line 7), which is valid, and you may want to reuse that as applicable.

Ross Jacobs
  • `tcap.reason == 11` works in Wireshark but it gives the following error in my code. `Exception in thread "main" org.pcap4j.core.PcapNativeException: Error occurred in pcap_compile: can't parse filter expression: syntax error` –  Sep 18 '19 at 06:21
  • That sounds like a problem with pcap4j. I might go with @VasilVelichkov's suggestion to try using tshark or sharkd if your library is erroring unexpectedly. – Ross Jacobs Sep 18 '19 at 06:27

`pcap abort 11` is not a valid capture/bpf filter.

I don't have experience with pcap4j, but from the setFilter API documentation it looks like it expects capture/bpf filters and not Display filters.

The difference between Display and Capture filters is explained here.

As far as I know there is no capture/bpf filter that you could use to filter TCAP Abort messages.

Valid Display filters for Aborts are tcap.dialogueAbort_element, tcap.abort_source or tcap.reason == 10 or tcap.reason == 11, but I don't know how to use them with pcap4j.

An alternative to pcap4j for your use case could be decoding the capture with tshark or sharkd; both programs support display filters, and tshark supports JSON (-T json) and XML (-T pdml) output formats that you could easily process in Java.

Vasil Velichkov

The filtering that can be done by pcap libraries (libpcap/WinPcap/Npcap) is very limited; it can't test for anything as complicated as a TCAP abort. You'd have to dissect the packets in detail, either by writing your own code or by somehow using Wireshark/TShark/sharkd's code, to determine whether the packet you have is a TCAP abort.

user9065877
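The second and third answers point at the same conclusion: a BPF capture filter cannot express "TCAP Abort", and `tcap.reason == 10` / `tcap.reason == 11` are Wireshark display-filter values (the p-abortCause [APPLICATION 10] and u-abortCause [APPLICATION 11] alternatives of the Abort's Reason CHOICE in ITU-T Q.773), so the check has to be made by dissecting the message yourself. The following is an added example written for this edit, not code from the question, from pcap4j or from any of the answers; it is in Python rather than Java so it runs stand-alone. It shows the dissection step with a minimal BER TLV reader over the TCAP transaction portion and raises one alert per Abort. It assumes the caller has already extracted the TCAP bytes (the SCCP user data) from the packet, which in pcap4j means walking IP/SCTP/M3UA/SCCP in your own code; the sample messages are constructed for the example and come from no real capture.

```python
"""Detect TCAP Abort messages by dissecting the TCAP transaction portion.

Added example, not from the question, pcap4j or any answer. Assumes the
caller already extracted the TCAP bytes (SCCP user data) from the packet;
the sample messages below are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

# Outer message tags of the TCAP transaction portion (ITU-T Q.773):
# APPLICATION class (0x40) with the constructed bit (0x20) set.
TCAP_TYPES = {0x61: "unidirectional", 0x62: "begin", 0x64: "end",
              0x65: "continue", 0x67: "abort"}
TAG_DTID = 0x49           # [APPLICATION 9]  dtid, primitive OCTET STRING
TAG_P_ABORT_CAUSE = 0x4A  # [APPLICATION 10] p-abortCause, primitive INTEGER
TAG_U_ABORT_CAUSE = 0x6B  # [APPLICATION 11] u-abortCause, constructed

P_ABORT_CAUSES = {0: "unrecognizedMessageType", 1: "unrecognizedTransactionID",
                  2: "badlyFormattedTransactionPortion",
                  3: "incorrectTransactionPortion", 4: "resourceLimitation"}


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at buf[off]; return (tag, value, next_offset).

    Single-byte tags and definite lengths cover the TCAP transaction portion;
    anything else raises ValueError so a malformed message is reported rather
    than silently misread.
    """
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled")
    first = buf[off + 1]
    off += 2
    if first < 0x80:
        length = first                       # short form
    elif first == 0x80:
        raise ValueError("indefinite length form not handled")
    else:
        n = first & 0x7F                     # long form: n length bytes follow
        if off + n > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[off:off + length], off + length


def classify_tcap(tcap: bytes) -> Optional[Dict[str, object]]:
    """Return the message type and, for an Abort, its dtid and reason.

    'reason' mirrors Wireshark's tcap.reason values: 10 for p-abortCause,
    11 for u-abortCause. Returns None if the outer tag is not a TCAP message.
    """
    tag, body, _ = read_tlv(tcap, 0)
    kind = TCAP_TYPES.get(tag)
    if kind is None:
        return None
    info: Dict[str, object] = {"type": kind}
    if kind != "abort":
        return info
    off = 0
    while off < len(body):                   # walk the Abort's SEQUENCE members
        t, v, off = read_tlv(body, off)
        if t == TAG_DTID:
            info["dtid"] = v.hex()
        elif t == TAG_P_ABORT_CAUSE:
            cause = int.from_bytes(v, "big")
            info["reason"] = 10
            info["p_abort_cause"] = P_ABORT_CAUSES.get(cause, f"unknown({cause})")
        elif t == TAG_U_ABORT_CAUSE:
            info["reason"] = 11              # dialogue portion not decoded here
    return info


def abort_alerts(messages: List[bytes]) -> List[str]:
    """One alert line per Abort; malformed messages are reported, not dropped."""
    alerts = []
    for i, msg in enumerate(messages):
        try:
            info = classify_tcap(msg)
        except ValueError as exc:
            alerts.append(f"msg {i}: malformed TCAP ({exc})")
            continue
        if info and info["type"] == "abort":
            alerts.append(f"msg {i}: TCAP Abort dtid={info.get('dtid')} "
                          f"reason={info.get('reason')} cause={info.get('p_abort_cause', '-')}")
    return alerts


# Constructed sample messages (not from any real capture).
SAMPLE_BEGIN = bytes.fromhex("620a 4804 00000002 6c02 a100")
SAMPLE_P_ABORT = bytes.fromhex("6709 4904 00000001 4a01 04")     # cause 4 = resourceLimitation
SAMPLE_U_ABORT = bytes.fromhex("670a 4904 deadbeef 6b02 2800")   # dialogue portion abbreviated
SAMPLE_TRUNCATED = bytes.fromhex("6709 4904 0000")               # cut off mid-message

if __name__ == "__main__":
    for line in abort_alerts([SAMPLE_BEGIN, SAMPLE_P_ABORT, SAMPLE_U_ABORT, SAMPLE_TRUNCATED]):
        print(line)
```

The point of `read_tlv` refusing indefinite lengths and high tag numbers rather than guessing is that a truncated or malformed transaction portion then surfaces as its own alert instead of being counted as "not an Abort"; the same structure carries over directly to a Java listener once the SCCP payload has been located.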