Ethereal expressions - help

Printable View

December 21st, 2005, 07:42 PM
Lv4

Ethereal expressions - help

I wasn't real sure where to drop this thread, so for now I'm going to put it here in Miscellaneous Security.

Anyway, I use Ethereal a lot but I don't use advanced filtering techniques as usually I'm not capturing thousands of packets. That has recently changed, due to a bug/security issue I'm having to research. My captures are winding up in the tens of thousands of packets, most of which I don't need to see for what I'm researching. What I'm looking to do is filter out TCP [PSH, ACK] packets with a Len=81 or Len=162 which are the packets that I'm interested in.

I can't figure out how to create an expression that shows me just those packets. I'm sure it is something pretty easy that I'm over looking, but I have been banging my head for the past couple of days on this and I don't have a lot of time to play around trying to create this stuff (too many other projects breathing down my neck). So I hope someone here on AO has an idea of what I need to do for this expression/filter.

If you need further information to create this expression/filter please let me know. Thanks in advance guys :)
December 21st, 2005, 07:55 PM
csl

tcp.len==81 || tcp.len==162
December 21st, 2005, 08:01 PM
Lv4

Thanks csl that is exactly what I was looking for. I didn't know the || join and that is where I was hitting the wall.

Like I said, something pretty easy I was over looking. Thanks a lot!
December 21st, 2005, 08:11 PM
warl0ck7

As for length use '(( ip[2:2] >= 81 ) or ( ip[2:2] <= 162) )'

for ACK and PSH

'(tcp[tcpflags] & (tcp-push|tcp-ack)!= 0)'

The whole thing becomes

'((ip[2:2]>=81) or (ip[2:2]<=162)) and (tcp[tcpflags] & (tcp-push|tcp-ack)!= 0)'
December 21st, 2005, 08:17 PM
Lv4

ohh. warl0ck7 I can see how that one would be helpful too... especially if I have packets that are the same size as the PSH, ACK packets that I'm looking for.

But why use ((ip[2:2)>=81) or (ip[2:2]>=162)) instead of tcp.len==81||tcp.len==162 as suggested by csl?
December 21st, 2005, 08:19 PM
csl

(tcp.flags.syn || tcp.flags.ack) && (tcp.len==81 || tcp.len==162) works as well
December 21st, 2005, 08:30 PM
warl0ck7

Wrong actually, tcp.len gives the length of tcp payload and not of the whole packet
for the whole packet lenght you need ip[2:2]. also using tcp.len gives me a parse error(??).
December 21st, 2005, 08:53 PM
csl

Quote:

Field name Type Description Versions
tcp.len Unsigned 32-bit integer TCP Segment Len 0.9.4 to 0.10.13

http://www.ethereal.com/docs/dfref/t/tcp.htm

indeed, what was i thinking? oh well, oops.. change tcp.len to (tcp.len+tcp.hdr_len)