Writing Wireshark Filter Expression For Capturing Packets
Download as PPTX, PDF6 likes3,942 views
This document summarizes the use of Wireshark filters to analyze network traffic. It describes capturing TCP packets to and from Facebook during login, analyzing flags like SYN and PSH. It also captures HTTP traffic to Facebook and traffic to a video streaming site Playit.pk, analyzing packet counts and flags. Graphs show packet counts over time for PSH flag and a histogram of packet sizes.
Writing Wireshark Filter Expression For Capturing Packets
- 1. Writing Wireshark filter expressions for packet capture Group Members: Zafran Ullah, Ihsan Ali, Babar Naseer
- 2. Wireshark O Wireshark is a free and open-source packet analyzer. O It is used for network troubleshooting, analysis, software and communications protocol development, and education.
- 3. O Two types of filter expressions are used in wireshark Capture filter Display filter Wireshark
- 4. Tasks O Task1: Capturing and analyzing TCP packets O Task2: Capturing and analyzing http packets O Task3: Capturing and analyzing packets from PLAYIT.PK
- 5. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account O Facebook ip = 31.13.86.8 O User ip =10.110.161.147 O Capture Filter: tcp and host 31.13.86.8 O Packets Captured: 643 over 25 seconds O Packets sent to facebook: 252 Display Filter: ip.dst==31.13.86.8 O Packets received from facebook: 391 Display Filter: ip.dst==10.110.161.147
- 6. SYN Flag O The SYN flag synchronizes sequence numbers to initiate a TCP connection
- 7. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account O SYN Flag: For packets with SYN flag set Display filter: tcp.flags.syn==1 , Packets: 5 For packets with SYN flag not set Display filter: tcp.flags.syn==0 , Packets: 638 Number of packets with SYN set & sent to host: Display filter :tcp.flags.syn==1 && ip.dst==10.110.161.147 , Packets:1 Number of TCP packets with SYN flag set and sent to Facebook: Display filter: tcp.flags.syn==1 && ip.dst== 31.13.86.8 , Packets:4
- 8. PUSH O PSH- Push forces data delivery without waiting for buffers to fill. This is used for interactive traffic. The data will also be delivered to the application on the receiving end with out buffering.
- 9. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account O PSH Flag: For packets with PUSH flag set Display filter: tcp.flags.push==1 , Packets: 250 For packets with PUSH flag not set Display filter: tcp.flags.push==0 , Packets:393 Number of packets with PUSH set & sent to host: Display filter :tcp.flags.push==1 && ip.dst==10.110.164.135 , Packets:156 Number of TCP packets with PUSH flag set and sent to Facebook: Display filter: tcp.flags.push==1 && ip.dst== 31.13.67.1 , Packets:94
- 10. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account O PSH & SYN Flag: For packets with PUSH & SYN flag set Display filter: (tcp.flags.push==1&&tcp.flags.syn==1) , Packets: 0 For packets with PUSH & SYN flag not set Display filter: (tcp.flags.push==0&&tcp.flags.syn==0) , Packets: 388 Number of packets with PUSH & SYN set & sent to host: Display filter : (tcp.flags.push==1&&tcp.flags.syn==1) &&ip.dst==10.110.161.147, Packets:0 Number of TCP packets with PUSH & SYN flag set and sent to Facebook: Display filter (tcp.flags.push==1&&tcp.flags.syn==1) &&ip.dst==31.13.86.8 , Packets:0
- 11. RST Flag O RST- Reset is an instantaneous abort in both directions or shows abnormal session disconnection
- 12. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account O Reset Flag: For packets with RESET flag set Display filter: tcp.flags.reset==1 , Packets: 0 For packets with RESET flag not set Display filter: tcp.flags. reset==0 , Packets: 625
- 13. Captured TCP Packets Statistics Task: Capture all TCP traffic to/from Facebook Total Captured Packets Packets Sent to Facebook Packets Received from Facebook Packets Sent to Facebook with SYN flag set Packets Sent to Facebook with PSH flag set Packets Received from Facebook with SYN flag set Packets Received from Facebook with PSH flag set Packets Sent to Facebook with SYN & PSH flags set Packets Received from Facebook with SYN & PSH flags set Total Packets With SYN flag set Total Packets With PSH flag set Total Packets With RST flag set 643 252 391 4 94 1 156 0 0 5 250 0
- 14. Task 2: Capture all HTTP traffic to and from Facebook while logging O Display Filter: Tcp port 80 and host 31.13.86.8 O Packets received from Facebook ip.dst==10.110.161.147 O Packets sent to Facebook Display Filter: ip.dst==3l.13.86.8
- 15. Task 3:capture all traffic to and from Playit.pk while playing a Popular video Playit.pk Playit.pk :ip address 162.159.241.198) No capture filters were utilized as Playit.pk servers may change during streaming.
- 16. Task 3:capture all traffic to and from Playit.pk while playing a Popular video O Total Packets :223 O For packets with SYN flag set Display filter: tcp.flags.syn==1 , Packets: 42 For packets PSH flag set Display filter: tcp.flags.push==1, Packets: 47 Number of packets with RST flag set : Display filter: tcp.flags.reset==1, Packets: 1 Number of TCP packets sent by host and received by Facebook: Display filter (ip.src== 10.110.164.135 and ip.dst==162.159.241.198), Packets:117 Number of TCP packets sent by host and received by Facebook: Display filter (ip.src== 162.159.241.198 and ip.dst== 10.110.164.135), Packets:115
- 17. When Psh Flag==1 0 5 10 15 20 25 30 35 40 0 to 5 5 to 10 10 to 1515 to 2020 to 2525 to 30 Packets Time sec
- 18. Histogram of Packets size O Filter used: frame.cap_len >= x && frame.cap_len <y O From x to y frame.cap_len >= 0 && frame.cap_len <100
- 19. Histogram of Packets size 0 50 100 150 200 250 300 NumberofPackets Size