Wireshark · Ethereal-dev: Re: [Ethereal-dev] filtering out SCTP chunks

Ethereal-dev: Re: [Ethereal-dev] filtering out SCTP chunks

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Wed, 12 Feb 2003 14:18:15 -0800

On Wed, Feb 12, 2003 at 05:02:35PM -0500, Jeff Morriss wrote:
> I just tried this filter on an SCTP capture I have:
> 
> sctp.chunk_type != 0 && sctp.chunk_type != 3
> 
> (I'm only really interested in the control messages at the moment--thus 
> I want to filter out the DATA and SACK chunks.)
> 
> What I got surprised me:  SCTP messages that had just DATA or just SACKs 
> were excluded from the display, but messages that had DATA and SACKs 
> bundled together were displayed.
> 
> Is this "correct"?

Yes.

For better or worse, filter expression behavior is counter-intuitive at
some points, because, instead of there being exactly one instance of a
variable to be tested, there can be somewhere between zero and an
infinite number of instances of a variable to be tested.

The "zero" part was the cause of the previous bit of filter expression
confusion - if you ask

	protocol.field != X

the question is "what if there *is* no 'protocol.field' in the packet?"

The current bit of confusion is caused by the "between ... and an
infinite number of instances", i.e. there may be *more than one*
instance.

	protocol.field != X

is defined to mean "there is an instance of 'protocol.field' in the
packet that has a value other than X".

This means that

	1) it's *not* true if there are no instances of
	   "protocol.field";

	2) it *is* true if there is *an* instance of "protocol.field"
	   with a value other than X, *even if, in the same packet,
	   there is another instance that has the value X.

Thus

	sctp.chunk_type != 0 && sctp.chunk_type != 3

means "there is an SCTP chunk in the packet with a value other than 0,
and there is an SCTP chunk in the packet with a value other than 3".

Thus, an SCTP message with DATA and SACK matches.

To exclude packets that contain either DATA or SACK, one must do

	! (DATA present || SACK present)

"DATA present" is "sctp.chunk_type == 0", and "SACK present" is
"sctp.chunk_type == 3".

So

	!(sctp.chunk_type == 0 || sctp.chunk_type == 3)

However, a non-SCTP packet would also match that, as a non-SCTP packet
obviously has neither an SCTP DATA chunk not an SCTP SACK chunk, so if
you want to see SACK packets that have neither DATA nor SACK chunks,
that's

	sctp && !(sctp.chunk_type == 0 || sctp.chunk_type == 3)

References:
- [Ethereal-dev] filtering out SCTP chunks
  - From: Jeff Morriss

Prev by Date: [Ethereal-dev] filtering out SCTP chunks
Next by Date: [Ethereal-dev] How do I get an ethereal executable instead of shell script
Previous by thread: [Ethereal-dev] filtering out SCTP chunks
Next by thread: [Ethereal-dev] How do I get an ethereal executable instead of shell script
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$