Wireshark mailing list archives

Re: Filter protocols / traffic that embeds IP information in data field


From: Sake Blok <sake () euronet nl>
Date: Mon, 9 Aug 2010 17:38:09 +0200

On 9 aug 2010, at 07:18, Hansen, Ulrich Vestergaard B. (E R WP EN ES 4 2) wrote:

I have a live network running with multiple applications - some of them being self-developed.
I've tapped into a fat trunk link to capture every conversation between servers and clients.
 
I want to filter traffic that embeds IP addresses inside the data field / data segment to identify which applications 
might have trouble with Network Address Translation - like SIP, FTP and SNMP.
 
How do I do that? Any suggestions?
I use Wireshark and CACE Pilot.

IP addresses are just data, so it is not possible to just filter on embedded IP addresses without specifying where to 
expect those IP addresses. You will need to check protocol by protocol on how to achieve this.

For checking FTP you might want to use something like:

(ftp.request.command == "PORT") && (ftp.request.arg matches "192,168,*,*,*,*")

To check whether there are any non-translated 192.168.x.x addresses in the PORT command.

Hope this helps,
Cheers,



Sake

