Re: Convert Wireshark Filterstring to winpcap filter

[Guy Harris <guy () alum mit edu>]

On Oct 8, 2009, at 3:59 AM, <peter.kindl () orf at> <peter.kindl () orf at>  
wrote:

> 1.)
>
> I'd urgently need help/advice of how the following filter string has  
> to
> be to be set as winpcap filter-string:
>
> I can't find any working string for the protocols. "eth src
> 00:0e:0C:76:86:5e" is working.
>
> Thanks for any reply and help
>
> My filter in wireshark:
>
> ((eth.src ==
> 00:0e:0c:76:86:5e)&&!(frame.protocols=="eth:llc"))&&! 
> (frame.protocols="e
> th:ans")

"frame.protocols" doesn't have any direct equivalent in libpcap - the  
filtering is done by a *much* simpler engine, which doesn't do full- 
blown dissection, as Wireshark does.

Why are you using "frame.protocols"?  Why not use, for example:

        (eth.src == 00:0e:0c:76:86:5e) && !llc && !ans

*That* would translate to

	(eth src 00:0e:0C:76:86:5e) and (ether[12:2] >= 1500) and (not ether  
proto 0x886d)

("!llc" means, on Ethernet, that the traffic is either regular  
Ethernet traffic with the type/length field being a type - that means  
"larger than 1500" - or Novell's old IPX-on-Ethernet-with-no-LLC, but  
I'm ignoring the latter for now.)

> 2.)
>
> Could someone tell me, how to reassemble Netbios Datagrams
> protocol:DCERPC?
>
> How does wireshark and co. know, the amount of frames, total size....

See

        http://www.opengroup.org/onlinepubs/009629399/

for the DCE RPC specifications; in particular, see

        http://www.opengroup.org/onlinepubs/009629399/chap12.htm#tagcjh_17_05

for the datagram version of DCE RPC, and the "fragnum" field and the  
"frag" and "lastfrag" bits.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.