
Wireshark-bugs: [Wireshark-bugs] [Bug 12847] New: pdml protocol filter incorrectly filters desir

Date: Fri, 09 Sep 2016 00:31:33 +0000
Bug ID 12847
Summary pdml protocol filter incorrectly filters desired subfields
Product Wireshark
Version 2.1.x (Experimental)
Hardware x86
OS Mac OS X 10.11
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Build Information:
TShark (Wireshark) 2.1.1-417-g7a3e9b1 (v2.1.1rc0-417-g7a3e9b1 from unknown)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.36.0,
with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS
2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.

Running on Mac OS X 10.11.6, build 15G1004 (Darwin 15.6.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS
2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

--
I am trying to use tshark with pdml output (-T pdml) to capture only the
protocols I am interested in, in this case "radiotap" and "wlan" [1]. The output
seems to generate pdml filtering protocols other than geninfo (which AFAIK is
to meet the pdml requirement), radiotap and wlan; however tshark also filtered
fields which are more than 1 level from the radiotap and wlan protocol but fall
under the requested protocol/layer.

For example while it displays the radiotap fields content, it does not display
radiotap.flags content like radiotap.flags.badfcs [2].

Looking into the tshark code it looks like it treats the proto section the same
as the fields under the proto (recursive calls to write) before writing into
pdml, and hence only the first level fields are displayed due to the exact
string match with the "-j" proto filter.
The subsequent child fields fail the filter check due to the exact match.

Is this supposed to work like this?
Or is there a way to capture the complete protocol section including subsections
at all depths? E.g., if the user specifies radiotap, tshark pdml should be able
to decode and write all radiotap related fields falling under </proto radiotap>
into the output pdml?

Thanks and regards
-a

[1]
tshark -l -n -T pdml -j "radiotap wlan" -r file.pcap

[2]
sample output

  <proto name="radiotap" showname="Radiotap Header v0, Length 56" size="56" pos="0">
    <field name="radiotap.version" showname="Header revision: 0" size="1" pos="0" show="0" value="00"/>
    <field name="radiotap.pad" showname="Header pad: 0" size="1" pos="1" show="0" value="00"/>
    <field name="radiotap.length" showname="Header length: 56" size="2" pos="2" show="56" value="3800"/>
    <field name="radiotap.present" showname="Present flags" size="4" pos="4" show="" value="">
      <field name="filtered" value="radiotap.present" />
    </field>
    <field name="radiotap.mactime" showname="MAC timestamp: 3853627463" size="8" pos="8" show="3853627463" value="47b0b1e500000000"/>
    <field name="radiotap.flags" showname="Flags: 0x14" size="1" pos="16" show="0x00000014" value="14">
      <field name="filtered" value="radiotap.flags" />
    </field>
    <field name="radiotap.channel.freq" showname="Channel frequency: 2412 [BG 1]" size="2" pos="18" show="2412" value="6c09"/>
    <field name="radiotap.channel.flags" showname="Channel flags: 0x0480, 2 GHz spectrum, Dynamic CCK-OFDM" size="2" pos="20" show="0x00000480" value="8004">
      <field name="filtered" value="radiotap.channel.flags" />
    </field>
    <field name="radiotap.dbm_antsignal" showname="SSI Signal: -48 dBm" size="1" pos="22" show="-48" value="d0"/>
    <field name="radiotap.dbm_antnoise" showname="SSI Noise: -95 dBm" size="1" pos="23" show="-95" value="a1"/>
    <field name="radiotap.antenna" showname="Antenna: 0" size="1" pos="24" show="0" value="00"/>
    <field name="radiotap.xchannel.channel" showname="Channel number: 1" size="1" pos="34" show="1" value="01"/>
    <field name="radiotap.xchannel.freq" showname="Channel frequency: 2412" size="2" pos="32" show="2412" value="6c09"/>
    <field name="radiotap.xchannel.flags" showname="Channel flags: 0x00010480, 2 GHz spectrum, Dynamic CCK-OFDM, HT Channel (20MHz Channel Width)" size="4" pos="28" show="0x00010480" value="80040100">
      <field name="filtered" value="radiotap.xchannel.flags" />
    </field>
    <field name="radiotap.ampdu" showname="A-MPDU status" size="8" pos="36" show="" value="">
      <field name="filtered" value="radiotap.ampdu" />
    </field>
    <field name="radiotap.vht" showname="VHT information" size="12" pos="44" show="" value="">
      <field name="filtered" value="radiotap.vht" />
    </field>
  </proto>
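A model of the two filtering behaviours the report contrasts, written as an added example and not taken from tshark's source: recursive=False reproduces the exact-match behaviour visible in the sample output (nested fields replaced by a "filtered" placeholder, geninfo always kept), while recursive=True keeps every field under a requested proto, which is the behaviour the reporter asks for and also works as a post-processing step over unfiltered -T pdml output. The PDML input is constructed, not captured.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed PDML fragment modelled on the sample in the report (not captured).
SAMPLE_PDML = """<pdml version="0"><packet>
  <proto name="geninfo"><field name="num" show="1"/></proto>
  <proto name="radiotap" showname="Radiotap Header v0, Length 56">
    <field name="radiotap.length" showname="Header length: 56" show="56"/>
    <field name="radiotap.flags" showname="Flags: 0x14" show="0x00000014">
      <field name="radiotap.flags.badfcs" showname="Bad FCS: False" show="0"/>
    </field>
  </proto>
  <proto name="wlan" showname="IEEE 802.11 wireless LAN">
    <field name="wlan.fc" showname="Frame Control Field" show="0x80">
      <field name="wlan.fc.type" showname="Type: Management frame" show="0"/>
    </field>
  </proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.1"/></proto>
</packet></pdml>"""

def prune(packet, wanted, recursive):
    """Return a new <packet> holding geninfo plus the protocols in `wanted`.
    recursive=False models the behaviour in the report: a field's nested
    fields are replaced by a <field name="filtered"> placeholder.
    recursive=True keeps the whole subtree of every matching <proto>."""
    out = ET.Element("packet")
    for proto in packet.findall("proto"):
        name = proto.get("name")
        if name != "geninfo" and name not in wanted:
            continue                     # unrequested protocol: dropped entirely
        new_proto = ET.SubElement(out, "proto", proto.attrib)
        for field in proto.findall("field"):
            new_field = ET.SubElement(new_proto, "field", field.attrib)
            if len(field) and recursive:
                new_field.extend(copy.deepcopy(child) for child in field)
            elif len(field):
                ET.SubElement(new_field, "field", name="filtered", value=field.get("name"))
    return out

def filter_pdml(pdml_text, wanted, recursive):
    """Names of every field written for the packets in pdml_text, in document order."""
    root = ET.fromstring(pdml_text)
    names = []
    for packet in root.findall("packet"):
        names.extend(f.get("name") for f in prune(packet, set(wanted), recursive).iter("field"))
    return names

if __name__ == "__main__":
    print(filter_pdml(SAMPLE_PDML, ["radiotap", "wlan"], recursive=True))
```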

