How can the SSDP protocol be filtered out of Wireshark view?

wireshark filter ssdp
12,541

Solution 1

SSDP is implemented as a protocol that runs on top of HTTP-over-UDP, so the filter "http" will match SSDP packets. The filter "http and not udp" should eliminate SSDP packets; it will also, obviously, eliminate other HTTP-over-UDP packets, but I'm not sure there will ever be any HTTP-over-UDP packets that aren't SSDP packets.

Solution 2

I just used the functionality in the tool, by right clicking one of the packets that was problematic, then selected the sub-menu "Apply as Filter" > then selected ".. and not Selected" (under the "Not Selected" grouping).

It then changed the expression to look like this.

(http) && !(ip.dst == 239.255.255.250)

So with using the Expression popup, it can only apply a single filter, but to get multiple filters, you can either type the filter expression, and click "Apply". Or use the right click context menu, click "Apply as Filter" and click "Apply".

This eliminated all but 4 lines in the list! These all had the SSDP protocol.

EDIT:

Also, it appears Wireshark has it's own Q&A.

https://ask.wireshark.org/questions/unanswered/

Solution 3

As Guy Harris's helpful answer suggests, SSDP is HTTP using UDP for transport, which means it can be succinctly caught by: 

(!(http && udp))

which makes it easy to continue filtering like:

(!(http && udp)) & !ntp & ip.src==192.168.1.1

in my case, SSDP was being used by a Sony Blu-Ray player for advertisement, so I could filter it out with:

(!(http && udp && ip.dst==239.255.255.250))
Share:
12,541

Related videos on Youtube

MacGyver
Author by

MacGyver

Updated on September 18, 2022

Comments

  • MacGyver
    MacGyver over 1 year

    In Wireshark version 1.12.4, I am trying to filter out packet messages with an SSDP protocol. When I clicked the Expression button next to the Filter field, and selected "HTTP" (as Field Name) and "is present" (as Relation), I still get SSDP. Most of the messages are SSDP, so it's difficult to troubleshoot request and response packets I care about with SSDP in the list.

    https://www.wireshark.org/download.html

    • MacGyver
      MacGyver almost 9 years
      krisFR - Yes, I am best with toothpicks. :-)
    • MacGyver
      MacGyver almost 9 years
      krisFR - Yah, I figured nobody would care about the destination IP. So I explained how I did it. That should be more useful for readers who aren't MacGyver. ;-)
    • MacGyver
      MacGyver almost 9 years
  • MacGyver
    MacGyver almost 9 years
    This worked for me: http && !udp .... it filtered out the same packets as my answer, but this seems more realistic.
  • MacGyver
    MacGyver almost 9 years
    Actually, I found this link. Maybe the IP address is always the same. 239.255.255.250. wiki.wireshark.org/SSDP I'm on Windows 7.
  • Admin
    Admin almost 9 years
    That's not surprising, given that http and not udp and http && !udp are the exact same filter.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Capture Filter with Wildcard in IP Address
Googlecast SSDP and MDNS queries on network despite not having any chromecast applications installed in main computer
Wireshark filter to only capture Incoming Packets?
How to filter for HTTP 500 responses and their requests in Wireshark?
Filter tcpdump file AFTER capturing
How to make wireshark filter POST-requests only?
Wireshark Info Filter Help
How do I filter SQL Server traffic between app and DB servers using Wireshark?
filtering by domain
Apply color filter picture while swipe Flutter