I recently wanted to look at some packet captures on my NTP pool servers and find out if any NTP clients hitting my servers use extension fields or legacy MACs. Because the overall number of NTP packets is quite large, I didn't want to spool all NTP packets to disk and then filter later with a Wireshark display filter; I wanted to filter at the capture stage. I started searching and found that not many quick guides exist for doing this in the capture filter. However, the capability is there in both tcpdump and tshark, either by indexing into the UDP header or by using the overall captured frame length.

Applying Filters

Filtering in tshark and tcpdump is very flexible because both allow the use of BPF capture filters. Here's an example of tcpdump doing the former (indexing into the UDP header and displaying to the terminal) and tshark doing the latter (using the frame length and writing to a file):

tcpdump -i eth0 -n -s 0 -vv 'udp port 123 and udp[4:2] > 56'

tshark -i eth0 -n -f 'udp port 123 and greater 91' -w file.pcap

Both of the above filters are designed to capture NTP packets larger than the most common 48-byte UDP payload. In the case of udp[4:2], we're using the UDP header's 16-bit length field, which includes the 8-byte UDP header itself, so a plain 48-byte NTP payload shows up as 56 and anything strictly larger matches. In the case of greater, it uses the overall captured frame length, and actually means greater-than-or-equal-to (i.e. the same as the >= operator). See the pcap-filter(7) man page for more details.
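To make the two length semantics concrete, here is an added example (not from the original post) that re-implements both capture filters in Python over constructed Ethernet/IPv4/UDP frames, so you can see exactly which frame sizes each predicate admits. It assumes Ethernet II with IPv4 and no IP options (14 + 20 + 8 bytes of headers, so a plain 48-byte NTP request is a 90-byte frame); the trailer classification is a rough heuristic of my own, not something the post defines.

```python
import struct

# Header sizes for the constructed frames (Ethernet II, IPv4 w/o options, UDP)
# and the fixed 48-byte NTP header that every client sends.
ETH_HDR, IPV4_HDR, UDP_HDR, NTP_BASE = 14, 20, 8, 48
NTP_PORT = 123


def build_frame(payload: bytes, sport: int = 50000) -> bytes:
    """Constructed sample frame: zeroed MACs, RFC 5737 test addresses, UDP to port 123."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + UDP_HDR + len(payload),
                     0, 0x4000, 64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", sport, NTP_PORT, UDP_HDR + len(payload), 0)
    return eth + ip + udp + payload


def _udp_offset(frame: bytes) -> int:
    """Start of the UDP header: Ethernet header plus IPv4 IHL * 4 bytes."""
    return ETH_HDR + (frame[ETH_HDR] & 0x0F) * 4


def is_ntp_port(frame: bytes) -> bool:
    """BPF 'udp port 123': matches if either the source or destination port is 123."""
    sport, dport = struct.unpack_from("!HH", frame, _udp_offset(frame))
    return NTP_PORT in (sport, dport)


def udp_length_field(frame: bytes) -> int:
    """The value BPF reads for udp[4:2]: the 16-bit UDP length, header included."""
    return struct.unpack_from("!H", frame, _udp_offset(frame) + 4)[0]


def matches_udp_filter(frame: bytes) -> bool:
    """'udp port 123 and udp[4:2] > 56': strictly greater than 8 + 48 bytes."""
    return is_ntp_port(frame) and udp_length_field(frame) > UDP_HDR + NTP_BASE


def matches_greater_filter(frame: bytes) -> bool:
    """'udp port 123 and greater 91': 'greater' is >=, so the 90-byte plain frame is excluded."""
    return is_ntp_port(frame) and len(frame) >= 91


def classify_trailer(payload: bytes) -> str:
    """Heuristic (assumption) label for bytes after the 48-byte header."""
    extra = len(payload) - NTP_BASE
    if extra <= 0:
        return "plain"
    if extra in (20, 24):               # 4-byte key id + MD5 (16) or SHA-1 (20) digest
        return "legacy MAC"
    return "extension field(s)"


if __name__ == "__main__":
    plain = b"\x23" + b"\x00" * 47                         # LI=0, VN=4, mode 3 (client)
    for name, p in (("plain", plain), ("md5 mac", plain + b"\x00" * 20)):
        f = build_frame(p)
        print(name, len(f), udp_length_field(f), matches_udp_filter(f),
              matches_greater_filter(f), classify_trailer(p))
```

Running it shows the 90-byte plain request fails both filters while the 110-byte MAC-bearing request passes both, and a 49-byte payload (91-byte frame) is the first size either filter admits.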