
I have a tshark capture filter that's not including what I feel like it should include.

I'll start with the instruction:

    tshark -i Ethernet -f "host 10.10.10.120 && (((ether[48:2]==0x0201 && ether[88:2]==0x0000) || (ether[48:2]==0x0201 && ether[88:2]==0x0001) || (ether[48:2]==0x0201 && ether[88:2]==0x0002) || (ether[48:2]==0x0201 && ether[88:2]==0x0003) || (ether[48:2]==0x0201 && ether[88:2]==0x0004)) || ((ether[48:2]==0x0301 && ether[88:2]==0x0000) || (ether[48:2]==0x0301 && ether[88:2]==0x0100) || (ether[48:2]==0x0301 && ether[88:2]==0x0200) || (ether[48:2]==0x0301 && ether[88:2]==0x0400)))"

The bold section is not making it through the filter.

This one works:

    tshark -i Ethernet -f "host 10.10.10.120 && (ether[48:2]==0x0201 || ((ether[48:2]==0x0301 && ether[88:2]==0x0000) || (ether[48:2]==0x0301 && ether[88:2]==0x0100) || (ether[48:2]==0x0301 && ether[88:2]==0x0200) || (ether[48:2]==0x0301 && ether[88:2]==0x0400)))"

There's not much difference between the two...

Here's some of the output from the one that doesn't work:

    1   0.000000 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
    2   0.000005 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
    3   0.003054 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
    4   0.003057 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
    5   0.013017 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
    6   0.013025 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
    7   0.026775 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
    8   0.026777 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
    9   0.026802 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   10   0.026804 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   11   0.026916 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
   12   0.026917 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
   13   0.027549 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
   14   0.027551 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
   15   0.044088 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
   16   0.044103 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
   17   0.047541 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
   18   0.047546 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
   19   0.047741 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   20   0.047746 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   21   0.048032 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
   22   0.048036 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
   23   0.049413 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
   24   0.049418 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:4]
   25   0.050420 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
   26   0.050422 10.10.10.120 → 255.255.255.255 CH10 330 [ChID:258 (FTIS_R01) SFID:0]
   27   0.058900 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
   28   0.058902 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:0]
   29   0.058930 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   30   0.058933 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:1]
   31   0.060378 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]
   32   0.060383 10.10.10.120 → 255.255.255.255 CH10 410 [ChID:259 (FTIS_R02) SFID:2]

FTIS_R01 is ether[48:2]==0x0201

FTIS_R02 is ether[48:2]==0x0301

ether[88:2]==0x000? is the SFID.

You'll see that the FTIS_R01 SFIDs 1 (0x0001), 2 (0x0002), 3 (0x0003), & 4 (0x0004) are not making it through, but SFID 0 (0x0000) is. All the FTIS_R02 SFIDs from the filter are making it through.

Here is a wireshark display of what it should look like: Wireshark snip

Note that I used a display filter in Wireshark, because I can't get this filter string to work as a capture filter.

Here is the display filter string that I used in wireshark to get the output in the attached image:

    ip.src == 10.10.10.120 and (((ch10.hdr.channel_id == 258 and ch10.data.pcm_sfid == 0x0000) or (ch10.hdr.channel_id == 258 and ch10.data.pcm_sfid == 0x0001) or (ch10.hdr.channel_id == 258 and ch10.data.pcm_sfid == 0x0002) or (ch10.hdr.channel_id == 258 and ch10.data.pcm_sfid == 0x0003) or (ch10.hdr.channel_id == 258 and ch10.data.pcm_sfid == 0x0004)) or ((ch10.hdr.channel_id == 259 and ch10.data.pcm_sfid == 0x0000) or (ch10.hdr.channel_id == 259 and ch10.data.pcm_sfid == 0x0001) or (ch10.hdr.channel_id == 259 and ch10.data.pcm_sfid == 0x0002) or (ch10.hdr.channel_id == 259 and ch10.data.pcm_sfid == 0x0004)))

You'll see that I structured the filter string the same, but used 'and/or' instead of '&&/||'. Let me know if that's an issue, but I don't think it should be.

I verified that all the packet structures are the same.

For the life of me, I can't find a syntax error.

  • Screenshots are ***far*** less useful than packet captures, so if you can provide one somewhere, that would be much more helpful. One guess as to why some packets aren't making it through the filter could be because those packets are VLAN tagged ([IEEE 802.1Q](https://en.wikipedia.org/wiki/IEEE_802.1Q)), so the offsets are different. BTW, you might want to run [`dumpcap`](https://www.wireshark.org/docs/man-pages/dumpcap.html) with that filter and also the `-d` option to *"Dump the code generated for the capture filter in a human-readable form, and exit."* This can often prove insightful. – Christopher Maynard Aug 30 '23 at 02:20
  • I don't see how that could be an issue, considering a very similar filter works fine. I added it below the filter that doesn't work. – Vcrewchief Aug 30 '23 at 15:51
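An added example, not part of the question or the comments above, that shows one thing worth checking in the two filters: `ether[off:2]` in pcap-filter syntax loads two bytes in network (big-endian) order, and the FTIS_R02 clauses in the question compare the SFID against 0x0100, 0x0200, 0x0400 (byte-swapped), while the FTIS_R01 clauses compare against 0x0001, 0x0002, 0x0003, 0x0004. If the SFID field is stored little-endian on the wire, only SFID 0 (0x0000, identical either way) can match the R01 clauses, which is exactly the pattern in the tshark output. The frames below are constructed, not real Chapter 10 packets; they only place a little-endian channel ID at frame offset 48 and a little-endian SFID at offset 88, the offsets the question's filters use, and a tiny evaluator mimics the `ether[N:2]==const` comparisons.

```python
"""Mimic pcap-filter ether[off:2] comparisons against constructed frames.

Demonstrates that ether[off:2] reads two bytes big-endian, so a 16-bit field
written little-endian on the wire has to be compared against a byte-swapped
constant (0x0100 for SFID 1, not 0x0001).
"""
import struct

# Offsets taken from the question's capture filters (ether[48:2], ether[88:2]).
CHID_OFF = 48
SFID_OFF = 88


def ether_u16(frame: bytes, off: int) -> int:
    """Equivalent of pcap-filter `ether[off:2]`: big-endian 16-bit load."""
    return struct.unpack_from("!H", frame, off)[0]


def build_frame(channel_id: int, sfid: int) -> bytes:
    """Constructed sample frame (assumption, not a real Chapter 10 layout):
    Ethernet/IPv4/UDP-looking header bytes followed by a payload in which the
    channel ID sits at frame offset 48 and the SFID at offset 88, both written
    little-endian, as the question's working FTIS_R02 clauses imply."""
    frame = bytearray(120)
    frame[12:14] = b"\x08\x00"          # EtherType IPv4
    frame[14] = 0x45                    # IPv4, IHL=5
    frame[14 + 9] = 17                  # protocol UDP
    struct.pack_into("<H", frame, CHID_OFF, channel_id)
    struct.pack_into("<H", frame, SFID_OFF, sfid)
    return bytes(frame)


def matches(frame: bytes, clauses) -> bool:
    """clauses: list of (chid_const, sfid_const) pairs OR'd together, each pair
    AND'd internally, mirroring the structure of the question's filter."""
    chid, sfid = ether_u16(frame, CHID_OFF), ether_u16(frame, SFID_OFF)
    return any(chid == c and sfid == s for c, s in clauses)


def swap16(v: int) -> int:
    """Byte-swap a 16-bit value (0x0001 -> 0x0100)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


# The two halves of the question's non-working filter, constants as written.
R01_AS_WRITTEN = [(0x0201, 0x0000), (0x0201, 0x0001), (0x0201, 0x0002),
                  (0x0201, 0x0003), (0x0201, 0x0004)]
R02_AS_WRITTEN = [(0x0301, 0x0000), (0x0301, 0x0100), (0x0301, 0x0200),
                  (0x0301, 0x0400)]
# The R01 half with the SFID constants byte-swapped to match the R02 style.
R01_SWAPPED = [(c, swap16(s)) for c, s in R01_AS_WRITTEN]


def sfid_results(clauses, channel_id: int, sfids) -> dict:
    """For each SFID, does a frame carrying (channel_id, sfid) pass `clauses`?"""
    return {s: matches(build_frame(channel_id, s), clauses) for s in sfids}


def capture_filter(clauses) -> str:
    """Render the clauses back into pcap-filter syntax for tshark -f."""
    parts = [f"(ether[{CHID_OFF}:2]==0x{c:04x} && ether[{SFID_OFF}:2]==0x{s:04x})"
             for c, s in clauses]
    return "(" + " || ".join(parts) + ")"


if __name__ == "__main__":
    # Channel 258 little-endian is bytes 02 01, read big-endian as 0x0201 (FTIS_R01).
    print("R01 as written :", sfid_results(R01_AS_WRITTEN, 258, range(5)))
    print("R01 swapped    :", sfid_results(R01_SWAPPED, 258, range(5)))
    print("R02 as written :", sfid_results(R02_AS_WRITTEN, 259, [0, 1, 2, 4]))
    print("corrected R01  :", capture_filter(R01_SWAPPED))
```

The quickest way to confirm which byte order the real field uses is the `dumpcap -d` step suggested in the comments, or simply reading the two bytes at offset 88 in Wireshark's hex pane for a packet whose SFID the dissector shows as 1.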
