Wireshark course, Ch 03: Capture and display filters
8 likes2,235 views
This document provides an overview of capture and display filters in Wireshark. It describes the basics of filter syntax and examples of common filters. The objectives are to understand basic capture and display filters and how to perform packet filtering. It covers the structure and components of capture filters including primitives, operators, and examples. Display filters are explained along with field types, comparison operators, and combining expressions. The document concludes with case studies demonstrating filters for protocols like DCERPC and analyzing network issues like retransmissions.
![Page 4
Capture Filters
Options:Capture
Filter options will be in the format:
[not] primitive [and|or [not] primitive ...]
Filter examples
ether host 00:08:15:00:08:15
host 192.168.0.1
tcp port http
tcp port 23 and src host 10.0.0.5
Double-Click](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-4-320.jpg)
![Page 5
Capture Filter Structure
A capture filter comes in the format:
[not] primitive [and|or [not] primitive ...]
A primitive is simply one of the following:
[src|dst] host <host>
ether [src|dst] host <ehost>
gateway host <host>
[src|dst] net <net> [{mask <mask>}|{len <len>}]
[tcp|udp] [src|dst] port <port>
less|greater <length>
ip|ether proto <protocol>
ether|ip broadcast|multicast
<expr> relop <expr>](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-5-320.jpg)
![Page 9
Byte Offset Notation
proto [Offset in bytes from the start of the header:Number
of bytes to check]
Examples:
ip[8:1]
Go to byte 8 of the ip header and check one byte (TTL field)
tcp[0:2]
Go to the start of the tcp header and check 2 bytes (source port)
Capture filters examples:
http://wiki.wireshark.org/CaptureFilters](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-9-320.jpg)
![Page 10
Structured Filters
A capture filter takes the form of a series of primitive expressions
connected by conjunctions (and/or) and optionally preceded by not:
[not] primitive [and|or] [not] primitive ...
Examples:
A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host 10.0.0.5
Capturing all telnet traffic not from 10.0.0.5
tcp port 23 and not src host 10.0.0.5](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-10-320.jpg)
![Page 14
Examples #4
Capture except all ARP and DNS traffic:
port not 53 and not arp
Capture traffic within a range of ports
(tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2]
< 1550) or, with newer versions of libpcap (0.9.1 and later:
tcp portrange 1501-1549
Capture only Ethernet type EAPOL:
ether proto 0x888e](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-14-320.jpg)
![Page 27
Combining Expressions
not ip
tr.dst[0:3] == 0.6.29 xor
tr.src[0:3] == 0.6.29
ip.scr == 10.0.0.5 or ip.src ==
192.1.1.1
ip.src == 10.0.0.5 and tcp.flags.fin
Example
Logical NOT!not
Logical XOR^^xor
Logical OR||or
Logical AND&&and
DescriptionC-LikeShortcut](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-27-320.jpg)
![Page 28
Substring Operators
Wireshark allows you to select subsequences of a sequence in rather elaborate
ways. After a label you can place a pair of brackets [ ] containing a comma
separated list of range specifiers.
eth.src[0:3] == 00:00:83
eth.src[1-2] == 00:83
eth.src[:4] == 00:00:83:00
eth.src[4:] == 20:20
eth.src[2] == 83
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83](https://image.slidesharecdn.com/ch-03-captureanddisplayfilters-141115074941-conversion-gate02/85/Wireshark-course-Ch-03-Capture-and-display-filters-28-320.jpg)
Wireshark course, Ch 03: Capture and display filters
- 1. NDI Communications - Engineering & Training Network analysis Using Wireshark Lesson 3 – Capture and Display Filters
- 2. Page 2 Lesson Objectives By the end of this lesson, the participant will be able to: Understand basic capture filters Understand basic display filters Perform basic packet filtering
- 3. Page 3 Chapter Content Capture filters – basics and filter language Display filters – basics and filter language Case studies
- 4. Page 4 Capture Filters Options:Capture Filter options will be in the format: [not] primitive [and|or [not] primitive ...] Filter examples ether host 00:08:15:00:08:15 host 192.168.0.1 tcp port http tcp port 23 and src host 10.0.0.5 Double-Click
- 5. Page 5 Capture Filter Structure A capture filter comes in the format: [not] primitive [and|or [not] primitive ...] A primitive is simply one of the following: [src|dst] host <host> ether [src|dst] host <ehost> gateway host <host> [src|dst] net <net> [{mask <mask>}|{len <len>}] [tcp|udp] [src|dst] port <port> less|greater <length> ip|ether proto <protocol> ether|ip broadcast|multicast <expr> relop <expr>
- 6. Page 6 Basic Filters - Host Filters Capture all packets where host is the destination dst host <host > Capture all packets where host is the source src host <host> host is either the ip address or host name host <host> DescriptionSyntax Examples: Host 194.90.1.5; Host www.ynet.co.il; Src host 10.1.1.1; Dst host 100.1.1.1
- 7. Page 7 Basic Filters - Port Filters Capture all packets where port is the destination port dst port <port > Capture all packets where port is the source src port <port> Capture all packets where port is either the source or destination port <port> DescriptionSyntax Examples: port 80; port 5060; Src port 139; Dst port http
- 8. Page 8 Basic Filters - Network Filters Capture all packets where net is the destination dst net <net > Capture all packets where net is the source src net <net> Capture all packets to/from netnet <net> DescriptionSyntax Examples: Net 192.168.2.0/24; src net 192.168.1.0/24; dst net 12.1.1.1
- 9. Page 9 Byte Offset Notation proto [Offset in bytes from the start of the header:Number of bytes to check] Examples: ip[8:1] Go to byte 8 of the ip header and check one byte (TTL field) tcp[0:2] Go to the start of the tcp header and check 2 bytes (source port) Capture filters examples: http://wiki.wireshark.org/CaptureFilters
- 10. Page 10 Structured Filters A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not: [not] primitive [and|or] [not] primitive ... Examples: A capture filter for telnet that captures traffic to and from a particular host tcp port 23 and host 10.0.0.5 Capturing all telnet traffic not from 10.0.0.5 tcp port 23 and not src host 10.0.0.5
- 11. Page 11 Example #1– Capture traffic to www.ynet.co.il Capture filter definition: Host www.ynet.co.il
- 12. Page 12 Examples #2 Capture only traffic to or from IP address 172.18.5.4: host 172.18.5.4 Capture traffic to or from a range of IP addresses: net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0 Capture traffic from a range of IP addresses: src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0
- 13. Page 13 Examples #3 Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0 Capture only DNS (port 53) traffic: port 53 Capture non-HTTP and non-SMTP traffic on your server (both are equivalent): host www.example.com and not (port 80 or port 25) host www.example.com and not port 80 and not port 25
- 14. Page 14 Examples #4 Capture except all ARP and DNS traffic: port not 53 and not arp Capture traffic within a range of ports (tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550) or, with newer versions of libpcap (0.9.1 and later: tcp portrange 1501-1549 Capture only Ethernet type EAPOL: ether proto 0x888e
- 15. Page 15 Examples #5 Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP: ip Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements: not broadcast and not multicast
- 16. Page 16 Chapter Content Capture filters – basics and filter language Display filters – basics and filter language Case studies
- 18. Page 18 Another way to Use Display Filters Right click The field you Wand to filter Field name appears here Choose Prepare Ro Apply filter And choose condition
- 19. Page 19 Details Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones. They allow you to select packets by: Protocol The presence of a field The values of fields A comparison between fields …... and a lot more When using a display filter, all packets remain in the capture file. The display filter only changes the display of the capture file but not its content!
- 20. Page 20 Filter Comparison Operators Frame.len <= 0x20 Frame.len ge 0x100 Frame.len < 1518 Frame.len > 64 Ip.src != 10.1.1.5 Ip.src == 10.1.1.5 Example Less then or equal to<=le Greaten then or equal to>=ge Less Than<lt Greater than>gt Not equal!=ne Equal==eq DescriptionC-LikeShortcut
- 21. Page 21 Display Filter Field Types There are several types of filter fields: Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit) Boolean Ethernet address (6 bytes) IPv4 address IPv6 address
- 22. Page 22 Unsigned integer You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent: Decimal: ip.len le 1500 Octal: ip.len le 02734 Hexadecimal: ip.len le 0x5DC
- 23. Page 23 Boolean A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header. Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag.
- 24. Page 24 Ethernet address (6 bytes) Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators Examples: eth.dst == ff:ff:ff:ff:ff:ff eth.dst == ff-ff-ff-ff-ff-ff eth.dst == ffff.ffff.ffff
- 25. Page 25 IPv4 address The common filter will be: ip.addr == 192.168.0.1 Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network: ip.addr == 129.111.0.0/16
- 26. Page 26 IPv6 address ipv6.addr == ::1 ipv6.addr == 2041:0000:130F:0000:0000:09C0:876A:130B ipv6.addr == 2053:0:130f::9c2:876a:130b ipv6.addr == ::
- 27. Page 27 Combining Expressions not ip tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 ip.scr == 10.0.0.5 or ip.src == 192.1.1.1 ip.src == 10.0.0.5 and tcp.flags.fin Example Logical NOT!not Logical XOR^^xor Logical OR||or Logical AND&&and DescriptionC-LikeShortcut
- 28. Page 28 Substring Operators Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [ ] containing a comma separated list of range specifiers. eth.src[0:3] == 00:00:83 eth.src[1-2] == 00:83 eth.src[:4] == 00:00:83:00 eth.src[4:] == 20:20 eth.src[2] == 83 eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
- 29. Page 29 The "Filter Expression" dialog box Protocol field to be checked Operator to be performed
- 30. Page 30 Example #6 – Filter Traffic Between Hosts SDSDSD 172.16.100.111 172.16.100.12 Port mirror to be configured from the laptop, to The Server port or The PC port
- 31. Page 31 Example #7 – Filter Traffic Between Hosts ip.addr == 172.16.100.111 and ip.addr == 172.16.100.12
- 32. Page 32 Example #8 – Filter Traffic Between Hosts To ISP Port mirror to be configured from the laptop, to the router port 192.168.101.253
- 33. Page 33 Example #9 – Filter Traffic Between Hosts ip.addr == 192.168.101.253
- 34. Page 34 Example #10 – Filtering ICMP icmp
- 35. Page 35 Example #11 – Filtering Mail Traffic tcp.port == 110
- 36. Page 36 Saving a Display Filter When viewing the saved data, for saving a display filter go to: Analyze Display Filters And you will get: Choose a name and save the filter as defined
- 37. Page 37 Chapter Content Capture filters – basics and filter language Display filters – basics and filter language Case studies
- 38. Page 38 Example #12 - DCERPC DCERPC
- 39. Page 39 Example #13 - DCERPC DCERPC Spoolss runs over DCERPC and therefore presented under this filter
- 40. Page 40 Example #14 - Retransmissions tcp.analysis.retransmission
- 41. Page 41 Example #15 – Zero Window tcp.analysis.zero_window
- 42. Page 42 Summary For more information, technical data and many examples and case studies: http://www.amazon.com/Network-Analysis-Using-Wireshark- Cookbook/dp/1849517649 Thanks!!! Yoram Orzach yoram@ndi-com.com +972-52-4899699