I am capturing incoming and outgoing WAN to LAN data at a particular host on my LAN (i.e., the one actually receiving/sending the data). Sometimes I get anomalous captured frames that are missing the udp string in the frame.protocols field. That is, instead of containing the correct string:

frame.protocols=eth:ethertype:ip:udp:data

these frames have:

frame.protocols=eth:ethertype:ip:data

Examining the ip.version and ip.proto fields of these frames in order to make sure that they are in fact UDP datagrams, I see, as expected:

ip.version=4 # IPv4

The bad thing about these captured frames is that I do not get any UDP-specific info, such as src/dest port info, since no UDP parsing is attempted on them. I am pretty much limited to just the two IP addresses and the data length, which are part of the IPv4 header, with the especially desirable udp.srcport and udp.dstport fields being absent. It is unclear to me what is special about the frames that get processed like this, although I have noticed that they all have frame lengths in the set \

```
or (tcp and (port 52799 or port xxxx or \
and not (dst net 192.168.8/24 or dst port 80 \
```

I know that the capture filter is exceedingly complex and so I will break it down in English:

1. Restrict captured frames to LAN to WAN unicast traffic only. More specifically, only IPv4 packets that consist of TCP/UDP/ICMP segments/datagrams/messages should be captured.
2. Exclude most HTTP(S) traffic via port exclusions (80/443).

and finally (although not relevant to the case at hand):

3. Include other TCP traffic that is for sure sourced/destined from/to the app being monitored (ports 52799 and xxxx).

It may or may not also be important to note that, in order to reduce the amount of data being captured and written to files, I am restricting the frame data being captured to the first 94 bytes of each frame via the -s 94 (maximum frame data to capture) switch to dumpcap.
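The frames described above can be reasoned about with the following added example, which is not code from the original post: a small Python dissector that walks Ethernet, IPv4 and UDP over the bytes that were actually captured and reports why it stops at ip:data instead of reaching ip:udp. It is general rather than specific to the post's case and covers three situations: ip.proto not being 17, a non-first IP fragment (only the first fragment of a datagram carries the UDP header, so later fragments are bare IP payload with no ports to read), and a snaplen that cuts the frame off before the 8-byte UDP header ends. The frames are constructed for the example, with made-up locally administered MAC addresses, a made-up LAN host 192.168.8.10 and a documentation-range WAN address 203.0.113.5; with 14 bytes of Ethernet and a 20-byte IPv4 header, a snaplen of 94 still covers the whole UDP header, so the cut-off case is shown with a smaller snaplen.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
UDP_HDR_LEN = 8


def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP over the captured bytes only and return the
    field values a dissector could fill in, the protocol chain it reached, and,
    when UDP parsing stops early, the reason it stopped."""
    info = {"protocols": "eth", "reason": None}
    if len(frame) < ETH_HDR_LEN:
        info["reason"] = "Ethernet header cut off"
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info["protocols"] += ":ethertype"
    if ethertype != ETHERTYPE_IPV4:
        info["reason"] = "not IPv4 (ethertype 0x%04x)" % ethertype
        return info
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        info["reason"] = "IPv4 header cut off"
        return info
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    info.update({
        "protocols": "eth:ethertype:ip",
        "ip.version": version,
        "ip.proto": ip[9],
        "ip.src": ".".join(str(b) for b in ip[12:16]),
        "ip.dst": ".".join(str(b) for b in ip[16:20]),
        "ip.len": struct.unpack("!H", ip[2:4])[0],
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,   # offset in bytes
        "ip.more_fragments": bool(flags_frag & 0x2000),
    })
    if version != 4 or len(ip) < ihl:
        info["reason"] = "bad IP version or IPv4 options cut off"
        return info
    payload = ip[ihl:]
    if info["ip.proto"] != IPPROTO_UDP:
        info["reason"] = "ip.proto %d is not UDP" % info["ip.proto"]
        return info
    if info["ip.frag_offset"] != 0:
        # Only the first fragment of a datagram carries the UDP header; a later
        # fragment is bare IP payload, so the chain stops at ip:data.
        info["protocols"] += ":data"
        info["reason"] = "non-first IP fragment: no UDP header in this frame"
        return info
    if len(payload) < UDP_HDR_LEN:
        # The snaplen cut the frame before the end of the 8-byte UDP header.
        if payload:
            info["protocols"] += ":data"
        info["reason"] = "UDP header cut off by snaplen"
        return info
    sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:UDP_HDR_LEN])
    info["protocols"] += ":udp"
    info.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen})
    if len(payload) > UDP_HDR_LEN:
        info["protocols"] += ":data"
    return info


def build_ipv4_frame(proto: int, payload: bytes, frag_offset: int = 0,
                     more_fragments: bool = False) -> bytes:
    """Construct an Ethernet/IPv4 frame for the example (IP checksum left as
    zero; MAC and IP addresses are made up for the example)."""
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 168, 8, 10]), bytes([203, 0, 113, 5]))
    return eth + ip_hdr + payload


def udp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum zero, which is legal for IPv4) plus data."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data


def snap(frame: bytes, snaplen: int) -> bytes:
    """Mimic dumpcap -s N: keep only the first N bytes of the frame."""
    return frame[:snaplen]


# Constructed sample frames: a whole datagram, and a datagram split in two.
SAMPLE_FRAMES = {
    "whole datagram": build_ipv4_frame(IPPROTO_UDP, udp_segment(5000, 6000, b"hello")),
    "first fragment": build_ipv4_frame(IPPROTO_UDP, udp_segment(5000, 6000, b"A" * 40),
                                       more_fragments=True),
    "second fragment": build_ipv4_frame(IPPROTO_UDP, b"B" * 40, frag_offset=1480),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        for snaplen in (94, 40):
            r = dissect(snap(frame, snaplen))
            ports = "%s->%s" % (r.get("udp.srcport"), r.get("udp.dstport"))
            print("%-16s -s %3d: %-28s ports=%-12s %s"
                  % (name, snaplen, r["protocols"], ports, r["reason"] or ""))
```

Running the block prints one line per frame and snaplen; the reason column is what distinguishes a frame that is a later fragment (ports can never be read from it, whatever the snaplen) from one whose UDP header was simply truncated. Real captures can be fed to dissect() by reading each frame's captured bytes from the pcap file; the frame.protocols strings it produces follow the same eth:ethertype:ip[:udp][:data] shape as the ones quoted in the post.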