
Tshark display filter

I recently wanted to look at some packet captures on my NTP pool servers and find out if any NTP clients hitting my servers use extension fields or legacy MACs. Because the overall number of NTP packets is quite large, I didn't want to spool all NTP packets to disk and then filter later with a Wireshark display filter; I wanted to filter at the capture stage. I started searching and found that not many quick guides exist for doing this in the capture filter. However, the capability is there in both tcpdump and tshark, using either indexing into the UDP header or the overall captured frame length. Here's an example of tcpdump doing the former (displaying it to the terminal), and tshark doing the latter (writing it to a file):

tcpdump -i eth0 -n -s 0 -vv 'udp port 123 and udp[4:2] > 56'

tshark -i eth0 -n -f 'udp port 123 and greater 91' -w file.pcap

Both of the above filters are designed to capture NTP packets larger than the most common 48-byte UDP payload. In the case of udp[4:2], we're using the UDP header's 16-bit length field, which includes the 8-byte header itself (so 56 is the 8-byte header plus the 48-byte payload). In the case of greater, it uses the overall captured frame length, and actually means greater-than-or-equal-to (i.e. the same as the >= operator); see the pcap-filter(7) man page for more details.

From your comment to EMK's answer, it seems what you're looking for is a unique list of source IP addresses in a capture file. Assuming so, you can achieve this with tshark as follows:

On *nix platforms:

tshark -r capture.pcap -T fields -e ip.src | sort -u

On Windows, you will probably need a batch file to accomplish the equivalent of sort -u.
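To make the two filter semantics above concrete (the UDP length field that udp[4:2] reads versus the frame-length test that greater performs) and to reproduce the unique-source listing, here is an added Python example that is not part of the original post or of tshark. It builds constructed Ethernet/IPv4/UDP frames in memory (no real capture), assumes a 14-byte Ethernet header and a 20-byte IPv4 header with no options, which is what the number 91 implies, and applies both checks before de-duplicating the source addresses.

```python
import struct

ETH_HDR, IP_HDR, UDP_HDR = 14, 20, 8   # assumed framing: Ethernet II, IPv4 without options, UDP
NTP_BASE_PAYLOAD = 48                  # plain NTP header: no extension fields, no MAC

def build_frame(src_ip, payload, dport=123):
    """Constructed test frame Ethernet/IPv4/UDP to 192.0.2.1:dport (synthetic, not real traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"                                # zero MACs, EtherType IPv4
    udp_len = UDP_HDR + len(payload)
    udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) + payload  # UDP checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([192, 0, 2, 1]))
    return eth + ip + udp

def udp_fields(frame):
    """Source port, destination port and the 16-bit length field at UDP offset 4 (header included)."""
    off = ETH_HDR + IP_HDR
    return struct.unpack("!HHH", frame[off:off + 6])

def matches_udp_length_filter(frame):
    """'udp port 123 and udp[4:2] > 56': length field exceeds the 8-byte header + 48-byte payload."""
    sport, dport, length = udp_fields(frame)
    return 123 in (sport, dport) and length > UDP_HDR + NTP_BASE_PAYLOAD

def matches_greater_filter(frame):
    """'udp port 123 and greater 91': pcap's 'greater N' is len >= N, and 14 + 20 + 8 + 48 = 90."""
    sport, dport, _ = udp_fields(frame)
    return 123 in (sport, dport) and len(frame) >= 91

def unique_sources(frames):
    """Equivalent of `tshark -T fields -e ip.src | sort -u` over the given frames."""
    srcs = {".".join(str(b) for b in f[ETH_HDR + 12:ETH_HDR + 16]) for f in frames}
    return sorted(srcs)

# Constructed samples: a plain 48-byte NTP request, one carrying a 20-byte legacy MD5
# MAC (4-byte key id + 16-byte digest), and a non-NTP UDP packet that must not match.
PLAIN = build_frame("203.0.113.10", b"\x23" + b"\x00" * 47)
WITH_MAC = build_frame("203.0.113.20", b"\x23" + b"\x00" * 47 + b"\x00\x00\x00\x01" + b"\xaa" * 16)
OTHER = build_frame("203.0.113.30", b"\xaa" * 100, dport=53)

if __name__ == "__main__":
    for name, f in [("plain", PLAIN), ("mac", WITH_MAC), ("dns", OTHER)]:
        print(name, matches_udp_length_filter(f), matches_greater_filter(f))
    print(unique_sources([f for f in (PLAIN, WITH_MAC, OTHER) if matches_greater_filter(f)]))
```

Note that both checks agree on these frames only because the framing assumption holds; on a link with a different header size (802.1Q tagging, IPv4 options, IPv6) the greater threshold shifts while the udp[4:2] test does not.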









