Can I apply a filter to a trace file when using Windump

kke · November 2013

Hi friends,

I captured some packets and write them to a file with windump, the command is as follows
windump -i2 -w -s 1500 -w xxx.pcap

But when I tried to apply a filter(windump -r xxx.pcap ip[9] = 6) to the trace file, windump only reponded with "reading from file xxx.pcap, link-type EN10MB (Ethernet)", I have no idea what's wrong here? I can only apply a filter whiling capturing?

I've confirmed that there are tcp packets in the trace file and if I open it with Wireshark and apply a display filter "tcp" or "ip[9] == 6", it works perfectly.

Thanks in advance:)

JDMurray · November 2013

I just tried to duplicate your command lines and found a redundant '-w' in your capture command that causes a syntax error. After taking that out it works fine for me to both create the pcap file and to display its contents using WinDump and that filter expression. I'm wondering if your standard output is being implicitly redirected somehow. Try explicitly redirecting the WinDump output to a file and check is the output is stored: windump -r xxx.pcap ip[9] = 6 > xxx.txt

kke · December 2013

@JDMurray, thank you for your reply, I made a typo in my first post, I have tried to redirect the windump output to a text file as follows,
windump -r xxx.pcap ip[9] = 6 > xxx.txt
but got the same echo "reading from file xxx.pcap, link-type EN10MB (Ethernet)"

chaser7783 · December 2013

kke, just did the same in tcpdump, I also get "reading from file xxx.pcap, link-type EN10MB (Ethernet)" which is normal, but look in the file xxx.txt.

Nothing other than that should be written to the terminal b/c you have redirected all output to xxx.txt.

JDMurray · December 2013

I wonder if it's a permission problem. You're not trying to write/read the pcap file from your System32 folder, are you? Open the command window using "Run as administrator" and try reading the pcap file using windump again.

kke · December 2013

chaser7783 Thanks, haha, sure I have checked the xxx.txt but it's empty unfortunately

@JDMurray, I work under Windows XP and my account is in the administrator user group so I really have no idea what's wrong.

kke · December 2013

Hi chaser7783 and JDMurray, in order to ascertain whether the problem is caused by environment discrepancy or not, I have uploaded the xxx.pcap file to http://filebin.ca/13wkovgUA8pJ , please have a look:)

chaser7783 · December 2013

Ok I believe I see the issue, The captured traffic is PPP over ethernet which is encapsulated in the Ethernet header, so a byte offset of 9 alone wont work. You have to state it being PPPoe, much like you would vlan traffic. so the correct syntax would be: windump -nr xxx.pcap ' pppoes and ip[9] = 06' > xxx.txt

Sample payload:

0000 00 d0 b7 1b 8d 3e 3c 97 0e 5c cb 45 88 64 11 00
0010 4e 01 00 36 00 21 45 00 00 34 77 fb 40 00 80 06
0020 ab b8 0a c6 01 06 4a 7d 80 c7 d7 94 00 50 56 e2
0030 23 01 00 00 00 00 80 02 20 00 26 4c 00 00 02 04
0040 05 a0 01 03 03 08 01 01 04 02

JDMurray · December 2013

Nice recognition!

kke · December 2013

Thank you guys, it works now:)

Can I apply a filter to a trace file when using Windump

Comments