
Right now I'm using tcpdump -i <interface_name> -p <port> -s0 -w /tmp/file.cap and then filter the capture in wireshark.

How can I take packet capture with tcpdump only on SCCP or GSM_MAP protocols and drop the sctp heartbeat messages?

Any other solution will also be good :)

OS: RedHat

user1977050



I don't think you can filter using tcpdump at the protocol level, (HTTP, GSM_MAP, etc.), or I should say not very easily. This SO Q&A titled: "Can I use tcpdump to get HTTP requests, response header and response body?", shows how you'd go about doing this for HTTP traffic, it isn't pretty! I think the feature you're looking for would allow you to filter these by the general name of the protocol.

As an alternative you might want to try the command line version of Wireshark, a.k.a. tshark, instead.

tshark can be a bit daunting to start with but it's a fairly straightforward tool once you spend a bit of time reading the tshark man page and googling for existing recipes. You can use the following command to find out all the protocols that tshark knows about:

$ tshark -G protocols|grep -E "SCCP|GSM_MAP|SCTP"
GSM Mobile Application  GSM_MAP gsm_map
Signalling Connection Control Part  SCCP    sccp
Signalling Connection Control Part Management   SCCPMG  sccpmg
Stream Control Transmission Protocol    SCTP    sctp
SS7 SCCP-User Adaptation Layer  SUA sua

Looking at the above output it would seem that tshark knows about all the protocols in your question, so that's a good first step. If you need to filter on specific fields within a given protocol you can search on Wireshark's website using their protocol references index as well, so that's a good second step.

$ tshark -G fields | head -10
P   Short Frame short
P   Malformed Packet    malformed
P   Unreassembled Fragmented Packet unreassembled
P   IEEE 1722 Protocol  ieee1722
F   Control/Data Indicator  ieee1722.cdfield    FT_BOOLEAN  ieee1722    8   0x80    
F   AVBTP Subtype   ieee1722.subtype    FT_UINT8    ieee1722    BASE_HEX    0x7f    
F   AVBTP Stream ID Valid   ieee1722.svfield    FT_BOOLEAN  ieee1722    8   0x80    
F   AVBTP Version   ieee1722.verfield   FT_UINT8    ieee1722    BASE_HEX    0x70    
F   AVBTP Media Reset   ieee1722.mrfield    FT_UINT8    ieee1722    BASE_DEC    0x8 
F   AVBTP Gateway Info Valid    ieee1722.gvfield    FT_BOOLEAN  ieee1722    8   0x2 
...

Example

Here I'm collecting the HTTP protocol traffic only where I load a page from "unix.stackexchange.com", i.e. "198.252.206.16". I'm capturing on my wireless interface (-i wlp3s0), and I'm just dumping the first 10 lines of output.

$ tshark -O http -i wlp3s0 host 198.252.206.16 | head -10
Capturing on 'wlp3s0'
2 Frame 1: 855 bytes on wire (6840 bits), 855 bytes captured (6840 bits) on interface 0
Ethernet II, Src: IntelCor_85:a7:20 (00:26:c7:85:a7:20), Dst: Watchgua_85:be:9a (00:90:7f:85:be:9a)
Internet Protocol Version 4, Src: 192.168.1.161 (192.168.1.161), Dst: 198.252.206.16 (198.252.206.16)
Transmission Control Protocol, Src Port: 37713 (37713), Dst Port: http (80), Seq: 1, Ack: 1, Len: 789
Hypertext Transfer Protocol
    GET /review/late-answers HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /review/late-answers HTTP/1.1\r\n]
            [Message: GET /review/late-answers HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
...

The key thing you'll want to keep straight is that you're using "capture filters" here when logging this information. These are different from "display filters".

Permissions

Make sure you check out this U&L Q&A titled: Can't get Wireshark to run as user on CentOS if you don't have your permissions set up correctly so that you can run tshark and wireshark as non-root users.


slm
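A two-stage version of what the question asks for, added here as an example and not part of slm's answer: tcpdump/BPF can only see the transport layer, so capture all SCTP on the signalling port first, then let tshark's SCCP and GSM MAP dissectors decide what to keep and write a trimmed pcap. The interface, port and file paths are placeholders; the `sctp.chunk_type` field name and the `sctp port` BPF qualifier are assumed, while the protocol names "sccp" and "gsm_map" come from the `tshark -G protocols` output above.

```shell
#!/bin/sh
# Added example (not from the original answer). Stage 1 is a plain tcpdump
# capture restricted with a BPF *capture filter*; stage 2 applies a tshark
# *display filter* to the saved file and writes only the surviving packets.

# Display filters, chosen by name so the test can check them without tshark.
#  signalling   - keep only packets the dissectors decode as SCCP or GSM MAP.
#                 SCTP HEARTBEAT chunks carry no SCCP payload, so they already
#                 fail this filter.
#  no_heartbeat - all SCTP except HEARTBEAT (chunk type 4) and HEARTBEAT ACK
#                 (chunk type 5); field name sctp.chunk_type is assumed.
build_display_filter() {
    case "$1" in
        signalling)   printf '%s' 'sccp || gsm_map' ;;
        no_heartbeat) printf '%s' 'sctp && !(sctp.chunk_type == 4 || sctp.chunk_type == 5)' ;;
        *) echo "unknown filter profile: $1" >&2; return 1 ;;
    esac
}

# BPF capture filter for tcpdump: the closest it gets to "SS7 only" is
# restricting the capture to SCTP on the SIGTRAN port (assumed qualifier).
build_capture_filter() {
    printf 'sctp port %s' "$1"
}

# Stage 1: full-size packets (-s0) straight to disk, no protocol awareness.
capture_raw() {
    iface=$1; port=$2; out=$3
    tcpdump -i "$iface" -s0 -w "$out" "$(build_capture_filter "$port")"
}

# Stage 2: re-read the raw file, apply the display filter, write a new pcap
# that Wireshark can open without any further filtering.
filter_capture() {
    in=$1; profile=$2; out=$3
    tshark -r "$in" -Y "$(build_display_filter "$profile")" -w "$out"
}

# Quick check of what survived: protocol hierarchy statistics only (-q).
summarize() {
    tshark -r "$1" -q -z io,phs
}

# Usage: ./ss7filter.sh <interface> <sctp_port> <filtered_out.cap>
if [ $# -eq 3 ]; then
    capture_raw "$1" "$2" /tmp/raw.cap
    filter_capture /tmp/raw.cap signalling "$3"
    summarize "$3"
fi
```

Stop the tcpdump stage with Ctrl-C once enough traffic is in /tmp/raw.cap; the no_heartbeat profile is there for when you want the SCTP control traffic kept but the keepalives gone.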