Right now I'm using tcpdump -i <interface_name> -p <port> -s0 -w /tmp/file.cap and then filter the capture in wireshark.
How can I take packet capture with tcpdump only on SCCP or GSM_MAP protocols and drop the sctp heartbeat messages?
Any other solution will also be good :)
OS: RedHat
I don't think you can filter using tcpdump at the protocol level, (HTTP, GSM_MAP, etc.), or I should say not very easily. This SO Q&A titled: "Can I use tcpdump to get HTTP requests, response header and response body?", shows how you'd go about doing this for HTTP traffic, it isn't pretty! I think the feature you're looking for would allow you to filter these by the general name of the protocol.
As an alternative you might want to try the command line version of Wireshare, aka. tshark instead.
tshark can be a bit daunting to start with but it's a fairly straightforward tool once you spend a bit of time reading the tshark man page and googling for existing recipes. You can use the command to find out all the protocols that tshark knows about:
$ tshark -G protocols|grep -E "SCCP|GSM_MAP|SCTP"
GSM Mobile Application GSM_MAP gsm_map
Signalling Connection Control Part SCCP sccp
Signalling Connection Control Part Management SCCPMG sccpmg
Stream Control Transmission Protocol SCTP sctp
SS7 SCCP-User Adaptation Layer SUA sua
Looking at the above output it would seem that tshark knows about all the protocols in your questions, so that's a good first step. If you need to filter on specific fields within a given protocol you can search on Wireshark's website using their protocol references index as well, so that's a good second step.
$ tshark -G fields | head -10
P Short Frame short
P Malformed Packet malformed
P Unreassembled Fragmented Packet unreassembled
P IEEE 1722 Protocol ieee1722
F Control/Data Indicator ieee1722.cdfield FT_BOOLEAN ieee1722 8 0x80
F AVBTP Subtype ieee1722.subtype FT_UINT8 ieee1722 BASE_HEX 0x7f
F AVBTP Stream ID Valid ieee1722.svfield FT_BOOLEAN ieee1722 8 0x80
F AVBTP Version ieee1722.verfield FT_UINT8 ieee1722 BASE_HEX 0x70
F AVBTP Media Reset ieee1722.mrfield FT_UINT8 ieee1722 BASE_DEC 0x8
F AVBTP Gateway Info Valid ieee1722.gvfield FT_BOOLEAN ieee1722 8 0x2
...
Here I'm collecting the HTTP protocol traffic only where I load a page from "unix.stackexchange.com" i.e. "198.252.206.16". My wireless interface (-i wlp3s0), and I'm just dumping the first 10 lines of output.
$ tshark -O http -i wlp3s0 host 198.252.206.16 | head -10
Capturing on 'wlp3s0'
2 Frame 1: 855 bytes on wire (6840 bits), 855 bytes captured (6840 bits) on interface 0
Ethernet II, Src: IntelCor_85:a7:20 (00:26:c7:85:a7:20), Dst: Watchgua_85:be:9a (00:90:7f:85:be:9a)
Internet Protocol Version 4, Src: 192.168.1.161 (192.168.1.161), Dst: 198.252.206.16 (198.252.206.16)
Transmission Control Protocol, Src Port: 37713 (37713), Dst Port: http (80), Seq: 1, Ack: 1, Len: 789
Hypertext Transfer Protocol
GET /review/late-answers HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /review/late-answers HTTP/1.1\r\n]
[Message: GET /review/late-answers HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
...
The key thing you'll want to keep straight is that you're using "capture filters" here when logging this information. These are different that "display filters".
Make sure you check out this U&L Q&A titled: Can't get Wireshark to run as user on CentOS if you don't have your permissions setup correctly so that you can run tshark and wireshark as non-root users.
