> Can anyone tell me how to capture only one specific chunk types for sctp?
You cannot do so with a capture filter if there's more than one chunk in
the SCTP packets you're sending, as the interpreter that handles capture
filters doesn't support looping (and given that said interpreter runs in
the kernel on many OSes, it's not likely to do so any time in the near
or, I suspect, even medium-term future).
Even if there's only one chunk, the libpcap language doesn't have a way
to say "the byte at an offset of 12 from the beginning of the IP
payload", so there doesn't seem to be a way to check for that.
I'd suggest, then, that you use Tethereal with a read filter and a
capture filter; the capture filter should be "ip proto 0x84", to select
only SCTP packets, and the read filter should be "sctp.chunk_type == X",
where "X" is the numerical value of the chunk type, e.g. 0 for DATA.
So:
> For example, I wish to only capture DATA chunks and not HEARTBEATS. I
> have been able to filter the display after the packets have been captured,
> but by this time I have used up too much space on my disk.
tethereal -i <interface> -w <capture file> -f "ip proto 0x84"
-R "sctp.chunk_type == 0"
Ethereal currently doesn't support read filters on captures, so you
can't do that with Ethereal.
