Hi guys - I've got the following script that I've made fairly generic so we can capture all traffic on a subnet (or series of them)

    SETLOCAL EnableDelayedExpansion
    Set TSHARK="C:\Program Files (x86)\Wireshark\tshark"
    Rem set socket_range=tcp port 2096 and tcp portrange 20000-20399
    Set "FILTER=(%net1% or %net2% or %net3% or %net4% or %net5%) and not udp portrange 2530-2500 and not port 5900"
    for %%i in (%ip_list%) do set "FILTER=!FILTER! and ip src not %%i and ip dst not %%i"

I'd like to see if I can add a particular display filter, which is: sttp.offset = 0 - I don't think it's possible, but it will always be from UDP 2550, and it will be the first one in the stream (I just want to verify it's there) as the STTP traffic will make up about 80-90% of all the traffic in this instance.

    User Datagram Protocol, Src Port: 2550, Dst Port: 64485

OK, the mechanisms that implement capture filters (a mechanism in libpcap and various OS kernels, where the filter is compiled into a pseudo-machine program and interpretively executed or translated to machine code and executed) and display filters (implemented in Wireshark as something that uses the result of Wireshark's dissection of packets) are completely different, and there is no general mechanism for turning a display filter into a capture filter (and some display filters simply cannot be turned into display filters, as the BPF pseudo-machine does not support looping and thus cannot handle any protocol whose dissection requires a loop). Standard Wireshark has no dissector for a protocol named "STTP", so I don't know what protocol that is, and I had to ask The Great Gazoogle what it might be. If STTP is the Secure Token Transfer Protocol, then that's a text protocol carried on top of HTTP. Capture filters can't easily parse HTTP text (if they can do so at all), so that won't be possible. If STTP is the Secure TBM Transfer Protocol, that also appears to be carried on top of HTTP, so that probably won't be possible, either. So we'll need to have a specification for this protocol.
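The batch script in the question assembles a libpcap capture filter from a group of networks and a list of excluded hosts and hands it to tshark. As an added example, not the original poster's script, here is the same construction in Python with the inputs validated before the string reaches tshark, together with the two-stage arrangement the answer's distinction implies: the capture filter (BPF, fixed byte offsets, no loops) narrows the capture to UDP source port 2550 at capture time, and the dissector-level check `sttp.offset == 0` is applied afterwards as a display filter with tshark's -Y when the saved file is read back. That second stage needs a dissector that defines sttp.offset, which standard Wireshark does not have, as the answer notes. The networks, hosts, interface name and file names are constructed placeholders; the port range is written low-high, and each host exclusion is written as `not host X`, which drops the address as both source and destination.

```python
"""Build a libpcap capture filter the way the batch script does, validate
its inputs, and pair it with a post-capture display filter.

Added example, not the original poster's script. All network, host,
interface and file values are constructed placeholders."""
import ipaddress

# Constructed stand-ins for %net1%..%net5% and %ip_list% in the batch script.
SAMPLE_NETS = ["10.0.1.0/24", "10.0.2.0/24"]
SAMPLE_EXCLUDED_HOSTS = ["10.0.1.5", "10.0.2.9"]
# The script's port exclusions, with the range written low-high.
PORT_EXCLUSIONS = "not udp portrange 2500-2530 and not port 5900"


def build_capture_filter(nets, excluded_hosts, port_exclusions=PORT_EXCLUSIONS,
                         src_port=None):
    """Return a BPF capture-filter string.

    nets: CIDR strings joined with 'or' (the %net1% ... %net5% group).
    excluded_hosts: addresses dropped in both directions, one 'not host'
        term each (equivalent to 'not src host X and not dst host X').
    src_port: optional UDP source port to keep (the poster's 2550).
    Inputs are parsed with ipaddress so a typo raises here rather than as a
    libpcap syntax error when the capture starts.
    """
    if not nets:
        raise ValueError("at least one network is required; '()' is not valid BPF")
    # strict=True (the default) rejects a network with host bits set.
    net_terms = [f"net {ipaddress.ip_network(n)}" for n in nets]
    terms = ["(" + " or ".join(net_terms) + ")"]
    if port_exclusions:
        terms.append(port_exclusions)
    for h in excluded_hosts:
        terms.append(f"not host {ipaddress.ip_address(h)}")
    if src_port is not None:
        port = int(src_port)
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port {src_port}")
        terms.append(f"udp src port {port}")
    return " and ".join(terms)


def capture_command(tshark, iface, capture_filter, outfile):
    """argv for the capture stage: -f takes the libpcap capture filter,
    -w writes the narrowed capture to a file."""
    return [tshark, "-i", iface, "-f", capture_filter, "-w", outfile]


def verify_command(tshark, pcapfile,
                   display_filter="udp.srcport == 2550 && sttp.offset == 0"):
    """argv for the post-capture stage: -r reads the file back and -Y applies
    a display filter, which is where a dissected field such as sttp.offset
    can be tested. Requires a dissector that defines that field."""
    return [tshark, "-r", pcapfile, "-Y", display_filter]


if __name__ == "__main__":
    bpf = build_capture_filter(SAMPLE_NETS, SAMPLE_EXCLUDED_HOSTS, src_port=2550)
    print(bpf)
    # tshark path as set in the poster's script; interface and file names are placeholders.
    tshark = r"C:\Program Files (x86)\Wireshark\tshark"
    print(capture_command(tshark, "Ethernet", bpf, "sttp-capture.pcapng"))
    print(verify_command(tshark, "sttp-capture.pcapng"))
```

Running the module prints the generated filter and the two argv lists; pass them to subprocess.run rather than joining them into one string, so the space in the tshark path and the spaces inside the filter survive intact.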