--port filter does not seem to change anything; it is still capturing packets from all ports #384

Closed
os11k opened this issue Aug 3, 2023 · 12 comments · Fixed by #387
Labels: documentation (Improvements or additions to documentation), question (Further information is requested)

os11k commented Aug 3, 2023

Describe the bug
The --port filter does not seem to change anything; it is still capturing packets from all ports.

To Reproduce
Steps to reproduce the behavior:

  1. Start ecapture with ./ecapture tls --port 443 and expect only traffic on port 443 to be seen.
  2. Run SIP TLS traffic on port 5061
  3. You will see traffic hitting port 5061

Expected behavior
I would expect to see only traffic on the provided port, 443 in this example.

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables] - N/A (I used pre-compiled ecapture)
  • OS: [Ubuntu-Server 20.04.3 2021.12.08]
  • Arch: [x86_64]
  • Kernel Version: [5.4.0-109-generic]
  • Version: [linux_x86_64:0.6.1-20230716-e1cd6c7:5.15.0-1041-azure]

os11k (Author) commented Aug 3, 2023

It seems -i is ignored too. I have several interfaces on my test box, and it doesn't matter which interface I choose; it still shows all traffic.

cfc4n added the question and documentation labels Aug 3, 2023

cfc4n (Member) commented Aug 3, 2023

Only when pcapng mode (aka the -w flag) is enabled will these two parameters take effect.

pcapng mode usage:

./ecapture tls -w 1.pcapng -i ens33 --port 5601

os11k (Author) commented Aug 3, 2023

I just tried

./ecapture tls -w 1.pcapng -i ens192

And it does not write traffic on port 5061, but it does write traffic for port 443...

When I run ./ecapture tls, I see traffic on both ports 443 and 5061.

cfc4n (Member) commented Aug 3, 2023

> I just tried
>
> ./ecapture tls -w 1.pcapng -i ens192
>
> And it does not write traffic on port 5061, but it does write traffic for port 443...
>
> When I run ./ecapture tls, I see traffic on both ports 443 and 5061.

Did you forget to include the --port parameter?

./ecapture tls -w 1.pcapng -i ens192 --port 5061

If it still doesn't work properly, you can modify it and recompile it yourself. However, I believe there is no need to compile it on your own for it to function normally.

const volatile u64 target_port = 443;

cfc4n (Member) commented Aug 3, 2023

By the way, if you are using pcapng mode, you need to open 1.pcapng with Wireshark to view it. Make sure your Wireshark version is higher than 4.0.

os11k (Author) commented Aug 3, 2023

Aah, if I do not pass the --port parameter, it will look only at port 443?

Correct?

I just tried:

./ecapture tls -w 1.pcapng -i ens192 --port 5061

and it captured nothing...

os11k (Author) commented Aug 3, 2023

> If it still doesn't work properly, you can modify it and recompile it yourself

Ahh, I just noticed this comment of yours. Let me try to recompile it and report back.

cfc4n (Member) commented Aug 8, 2023

ping...

Has your issue been resolved?

os11k (Author) commented Aug 8, 2023

Hi! Sorry, I didn't have time to recompile with port 5061, I will try to do it during this week. Thank you!

os11k (Author) commented Aug 11, 2023

Hi @cfc4n! It worked after recompiling. I can see packets on port 5061, when I compile with:

const volatile u64 target_port = 5061;

Any plans to make the --port argument work? It doesn't work during live capture or while writing to a file... It seems that the argument does nothing. Or?

Thank you again for your help and have a good day!

cfc4n (Member) commented Aug 11, 2023

Hmm, I will debug this issue in the near future.

cfc4n (Member) commented Aug 13, 2023

I checked and confirmed that this parameter can take effect when the kernel version is greater than 5.2 or above. It will write network packet information to a file.

However, I will add some prompts when the kernel is less than 5.2.
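
The two conditions the maintainer states in this thread for --port and -i to take effect (pcapng mode via -w, and a kernel that is not older than 5.2), written as a preflight check. This is an added example, not eCapture code: the function names `kernel_supports_filter` and `check_ecapture_args` are hypothetical, and only the flag spellings shown in the thread are recognised.

```shell
#!/bin/sh
# Added example (not eCapture code). Encodes the two conditions from this
# thread for --port / -i to take effect: pcapng mode (-w) and kernel >= 5.2.

# kernel_supports_filter RELEASE
# Returns 0 if RELEASE (a `uname -r` string) is 5.2 or newer, 1 if older,
# 2 if it cannot be parsed.
kernel_supports_filter() {
    release=$1
    case "$release" in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }
}

# check_ecapture_args RELEASE ARGS...
# Returns 0 if the filter flags in ARGS would be honoured (or none are used),
# 1 with a message on stderr if they would be silently ignored.
check_ecapture_args() {
    release=$1; shift
    has_filter=0; has_w=0
    for arg in "$@"; do
        case "$arg" in
            --port|-i) has_filter=1 ;;   # only the spellings seen in the thread
            -w)        has_w=1 ;;
        esac
    done
    [ "$has_filter" -eq 1 ] || return 0
    if [ "$has_w" -eq 0 ]; then
        echo "--port/-i only take effect in pcapng mode: add -w FILE" >&2
        return 1
    fi
    if ! kernel_supports_filter "$release"; then
        echo "--port/-i need kernel 5.2 or newer (running $release)" >&2
        return 1
    fi
}

# Usage: check_ecapture_args "$(uname -r)" "$@" && exec ./ecapture "$@"
```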
