Saturday, August 19, 2017

[Wireshark] Display Filter examples



Wireshark is an essential network analysis tool for network professionals. It is used for network troubleshooting, software analysis, protocol development, and network security reviews. To troubleshoot network problems effectively and efficiently, an in-depth understanding of TCP/IP is absolutely necessary, but you also need to know how to use Wireshark’s features, so that you can save time and effort while you are troubleshooting.



The basics and the syntax of the Display Filters (also called Post-Filters) are described in the User's Guide.

Syntax:   Protocol.String1.String2   Comparison Operator   Value        Logical Operation   Other Expression
Example:  ftp.passive.ip             ==                    10.10.10.1   xor                 icmp.type


Here are Wireshark Display Filter examples!

IP, MAC, TCP
ip.addr==10.10.10.1
ip.addr==192.168.1.10 && ip.addr==192.168.1.20
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
ip.src==10.10.10.0/24
eth.addr==00:1b:17:00:01:31
ip.addr==10.10.10.1 && tcp.port==80
tcp.port==80
tcp.port==80 || tcp.port==3389
tcp.dstport==80
eth.dst==ff:ff:ff:ff:ff:ff
ip.addr==255.255.255.255
ip.host contains "imap"
(Note: ip.addr and tcp.port each cover two fields, so in older Wireshark versions ip.addr!=10.10.10.1 matches any frame where either address differs, which is almost every frame. Use !(ip.addr==10.10.10.1) to exclude a host reliably.)

Protocol
arp
bootp
(the bootp filter was renamed dhcp in Wireshark 3.0)
dns
udp
http or dns
!(arp or icmp or dns)

TCP, UDP Flags and Frames
tcp contains "facebook"
tcp.analysis.retransmission
tcp.flags.syn==1
tcp.flags.reset==1
frame contains "password"
frame contains "password" || frame contains "username"
udp contains 2d:00

HTTP
http.user_agent contains "Mozilla"
http.host contains "facebook"
http.request.full_uri contains "facebook"
http and data-text-lines contains "facebook"
http.request.method=="GET" or http.request.method=="POST"
http.request or http.response

VoIP
sip || rtp
(sip && rtp would only match a frame that is both SIP and RTP, which does not occur; || shows the signalling and the media streams together)


* Tip: The English and C-like operator spellings behave the same way, and they can even be mixed in one filter string.

Table 6.4. Display Filter comparison operators

English       C-like   Description and example
eq            ==       Equal. ip.src==10.0.0.5
ne            !=       Not equal. ip.src!=10.0.0.5
gt            >        Greater than. frame.len > 10
lt            <        Less than. frame.len < 128
ge            >=       Greater than or equal to. frame.len ge 0x100
le            <=       Less than or equal to. frame.len <= 0x20
contains               Protocol, field or slice contains a value. sip.To contains "a1762"
matches       ~        Protocol or text field matches a Perl-compatible regular expression. http.host matches "acme\.(org|com|net)"
bitwise_and   &        Compare bit field value. tcp.flags & 0x02

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5, “Display Filter Logical Operations”

Table 6.5. Display Filter Logical Operations

English   C-like   Description and example
and       &&       Logical AND. ip.src==10.0.0.5 and tcp.flags.fin
or        ||       Logical OR. ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^       Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !        Logical NOT. not llc
[…]                Substring (slice) operator; see “Substring Operator” in the User's Guide.
in                 Membership operator; see “Membership Operator” in the User's Guide.
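To make the two tables concrete, here is an added example (not from the original post and not Wireshark's own code): a small Python evaluator for a subset of the display-filter syntax. It accepts both the English and the C-like spellings of the comparison and logical operators, applies Wireshark's precedence (not binds tightest, then and, xor, or), supports contains, matches and CIDR comparisons, and expands the convenience fields ip.addr, eth.addr, tcp.port and udp.port to their two concrete fields. The four frames it filters are constructed for the demonstration; slices, the in operator and bitwise_and are not implemented.

```python
# Toy evaluator for a subset of Wireshark display-filter syntax (added example, not Wireshark code).
import ipaddress
import re

# Constructed sample frames (dissected field -> value); a protocol is present when any field of it is.
PACKETS = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.20",
     "tcp.srcport": 51000, "tcp.dstport": 445, "tcp.flags.syn": 1},
    {"frame.number": 2, "frame.len": 512, "ip.src": "10.10.10.5", "ip.dst": "10.10.10.1", "tcp.dstport": 80,
     "tcp.flags.syn": 0, "http.host": "www.facebook.com", "http.request.method": "GET"},
    {"frame.number": 3, "frame.len": 90, "ip.src": "10.10.10.1", "ip.dst": "10.10.10.5",
     "udp.srcport": 53, "udp.dstport": 40001, "dns.qry.name": "imap.example.com"},
    {"frame.number": 4, "frame.len": 60, "eth.dst": "ff:ff:ff:ff:ff:ff", "arp.opcode": 1},
]
# Convenience fields that Wireshark expands to several concrete fields.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
# English and C-like spellings of the comparison operators are interchangeable.
CMP = {"eq": "==", "==": "==", "ne": "!=", "!=": "!=", "gt": ">", ">": ">", "lt": "<", "<": "<",
       "ge": ">=", ">=": ">=", "le": "<=", "<=": "<=", "contains": "contains", "matches": "matches",
       "~": "matches"}
# Logical operators, loosest-binding first; "not" / "!" binds tightest, as in Wireshark's grammar.
LEVELS = (("or", ("or", "||")), ("xor", ("xor", "^^")), ("and", ("and", "&&")))
TOKEN_RE = re.compile(r'("(?:[^"\\]|\\.)*")|(==|!=|>=|<=|&&|\|\||\^\^|[()<>!~])|([\w.:/]+)')


def parse_value(tok):
    # Right-hand literal: "string", decimal or 0x number, CIDR network, or bare IPv4/MAC address.
    if tok is None:
        raise ValueError("missing value after comparison operator")
    if tok.startswith('"'):
        return tok[1:-1]
    if "/" in tok:  # ip.src == 10.10.10.0/24 is a subnet membership test
        return ipaddress.ip_network(tok, strict=False)
    try:
        return int(tok, 0)
    except ValueError:
        return tok


def parse_expr(toks, level=0):
    if level == len(LEVELS):
        return parse_not(toks)
    kind, words = LEVELS[level]
    node = parse_expr(toks, level + 1)
    while toks[0] in words:
        toks.pop(0)
        node = (kind, node, parse_expr(toks, level + 1))
    return node


def parse_not(toks):
    tok = toks.pop(0)
    if tok in ("not", "!"):
        return ("not", parse_not(toks))
    if tok == "(":
        node = parse_expr(toks)
        if toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    if tok is None or tok in CMP or tok.startswith('"'):
        raise ValueError("expected a field or protocol name, got %r" % tok)
    if toks[0] in CMP:  # field comparison such as tcp.port == 80
        return ("cmp", tok, CMP[toks.pop(0)], parse_value(toks.pop(0)))
    return ("exists", tok)  # bare name is true whenever the field or protocol is present


def field_values(pkt, name):
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]


def compare(actual, op, want):
    if op == "contains":
        return str(want) in str(actual)
    if op == "matches":
        return re.search(str(want), str(actual)) is not None
    if isinstance(want, ipaddress.IPv4Network):
        return (ipaddress.ip_address(actual) in want) == (op == "==")
    if type(actual) is not type(want):  # e.g. tcp.port == "80": mismatched types are never equal
        return op == "!="
    return {"==": actual == want, "!=": actual != want, ">": actual > want,
            "<": actual < want, ">=": actual >= want, "<=": actual <= want}[op]


def evaluate(node, pkt):
    kind = node[0]
    if kind == "exists":
        return bool(field_values(pkt, node[1])) or any(k.startswith(node[1] + ".") for k in pkt)
    if kind == "cmp":
        _, name, op, want = node
        values = field_values(pkt, name)
        if op == "!=":  # Wireshark 3.6+: every occurrence must differ, so ip.addr != X really excludes X
            return bool(values) and all(compare(v, "!=", want) for v in values)
        return any(compare(v, op, want) for v in values)  # any occurrence may match
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]


def display_filter(text, packets=PACKETS):  # frame numbers that the display filter keeps
    toks = [a or b or c for a, b, c in TOKEN_RE.findall(text)] + [None]  # None marks end of input
    tree = parse_expr(toks)
    if toks[0] is not None:
        raise ValueError("unexpected token %r" % toks[0])
    return [p["frame.number"] for p in packets if evaluate(tree, p)]
```

Two behaviours worth trying with display_filter(): a bare field such as tcp.flags.syn is true for every frame that carries the field, so it keeps frames 1 and 2, while tcp.flags.syn==1 keeps only frame 1; and a single = as in eth.dst=ff:ff:ff:ff:ff:ff is rejected as a syntax error, which is why the examples above use ==.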


PacketLife provides a nice cheat sheet for Wireshark display filters. You can download it here.

A full list of Wireshark's display filters (Display Filter Reference) is available here.

Saturday, August 12, 2017

The 10 most powerful companies in enterprise networking



    Here's our ranking of the top 10 network-gear vendors that serve corporate needs


    1. Cisco
    Cisco maintains a 60% market share in the routing and switching market, according to the most recent numbers from IDC.

    2. HPE/Aruba
    Lately, Aruba’s been pushing into the core switching market, releasing new hardware to go with its ArubaOS-CX operating system, which it bills as an all-in-one solution for visibility and management for an increasingly IoT-heavy enterprise network.

    3. Juniper
    Juniper clawed out 3.5% annual growth in the switching and routing market in 2016, according to IDC.

    4. Huawei
    Huawei’s share of the WLAN market grew 77% between 2015 and 2016, according to the latest available numbers from IDC. 

    5. Arista
    Arista’s latest releases – new (merchant silicon!) hardware in its R series and software upgrades – have been lauded as among the most capable on the market.


    6. VMware
    VMware extended its potential use cases for NSX in February by rolling out NSX-T 1.1, a version of the software that works with non-VMware cloud and virtualization environments.

    7. Riverbed
    The company’s latest acquisition – of edge wireless gear manufacturer Xirrus – signals an aggressive shift of direction, with Riverbed executives making bellicose noises about challenging Cisco in certain WLAN markets at a company event in April.

    8. NetScout
    It’s still going through some consolidation, given the 2015 deal that saw it combine with Fluke Networks, Arbor Networks and VSS Monitoring in a complicated not-actually-a-merger.

    The combined company has a huge market presence in Network Performance Monitoring and Diagnostics (NPMD), and is one of the top vendors for hyperscale data centers. It’s one of just three leaders in Gartner’s most recent NPMD Magic Quadrant, despite the fact that it’s suing Gartner over a previous report.

    NetScout announced that it had reached a milestone in the integration of its real-time information platform with Arbor’s threat-analysis tool, strengthening its network monitoring and security capabilities.

    Gartner says NetScout has the biggest NPMD revenues of anybody in the market, between $500 million and $750 million per year. 

    9. Extreme Networks
    The name makes it sound like a company that markets energy drinks, but Extreme Networks is suddenly a company with an impressively complete portfolio of enterprise networking offerings.
    Having bought up Brocade’s data-center business from Broadcom, nabbed Avaya’s networking business and acquired Zebra Technologies' LAN business in 2016, Extreme’s existing switching and routing now forms the basis of a surprise up-and-comer on the enterprise networking scene.

    10. Dell/EMC
    While the company’s hardware may not have the same reputation as some of its competitors’, the fact that a wide range of different software can be run on it means that there’s a great deal of flexibility – a strong value proposition for users looking to embrace more virtualized network technologies. Pretty good fit for a company that also technically owns VMware, although the latter firm still operates with a high degree of independence.

    Dell’s using both its investments in VMware and its own open networking gear to offer an attractive option to companies that want to get into advanced technologies like hyperconverged infrastructure.


Monday, March 12, 2012

Include and Exclude text strings in IOS Configuration

In many cases, include and exclude filtering is very useful to restrict the output of a show command to lines that match a specific regular expression. Filtering is especially useful when displaying a large configuration file: it lets you display the relevant parts of the configuration without entering multiple commands to gather the related information.

Please see ‘Show Command Section Filter’ at this URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtshfltr.html
It explains how to use these filtering expressions.

show <command> | include <regex>
Filters show command output so that it displays only the lines that match a particular regular expression.

show <command> | exclude <regex>
Filters show command output so that it excludes the lines that match a particular regular expression.

For example, to list just the interfaces in the configuration file, filter on “interface”:

Catalyst6509#sho run | i interface    (= show running-config | include interface)
mls flow ip interface-full
interface Loopback0
interface Port-channel101
interface Port-channel102
interface Port-channel103
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface GigabitEthernet1/3

Note that “mls flow ip interface-full” is listed too, because include matches the regular expression anywhere in the line; anchor it with ^ (sho run | i ^interface) to get only the interface lines.

You may want to see only the interfaces whose status is “up”, as below.

Catalyst6509#sho ip int br | e down   (= show ip interface brief | exclude down)
Interface                  IP-Address      OK? Method Status                Protocol          
Vlan100                    10.10.100.2     YES NVRAM  up                    up      
Vlan101                    10.10.101.2     YES NVRAM  up                    up      
Vlan111                    10.10.102.2     YES NVRAM  up                    up        
GigabitEthernet1/1         unassigned      YES unset  up                    up      
GigabitEthernet1/2         unassigned      YES unset  up                    up      
GigabitEthernet1/3         unassigned      YES unset  up                    up    

At the --More-- prompt of a “show run” or “show start” command, you can also type ‘+’, ‘-’ or ‘/’ followed by a regular expression.
As you may guess, + means ‘include’, - means ‘exclude’ and / (slash) means ‘search’.

So, typing +interface gives the same output as the “sho run | i interface” command.
After you enter “show run”, just type ‘+interface’ at the --More-- prompt at the bottom of the page (what you type overwrites the --More-- text).

Here is a more complex but useful tip.

The ‘-’ sign is very handy if you have many Access Control Lists (ACLs) in the configuration file.
When you view the configuration with “show run”, the ACL lines make the output run to many pages.
After you enter “show run”, just type ‘-permit|deny’ at the --More-- prompt (the | is a regular-expression alternation, so both permit and deny lines are dropped).
This gives the same output as “sho run | e permit|deny”.
With this tip, you can read the whole configuration without the long ACL lines.

And ‘/’ is useful too, when you want to see a specific section of the configuration file.
The forward slash (/) jumps to the first occurrence of the given regular expression, the same thing “show run | begin router ospf” does.
For example, type ‘/router ospf’ after you enter “show run”.
The output jumps to the ‘router ospf’ section as soon as you type it.
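The IOS pipes above cannot be tried without a router, so here is an added example (not from the original post and not Cisco's code) that emulates “| include”, “| exclude”, “| begin” (what ‘/regex’ does at the --More-- prompt) and the “| section” filter from the linked Cisco document with grep and awk over a constructed running-config. It shows two things the outputs above only hint at: “include interface” also matches “mls flow ip interface-full” unless the regex is anchored with ^, and “permit|deny” is a regular-expression alternation. The section emulation is an approximation (a matching top-level line plus its indented sub-lines).

```shell
#!/bin/sh
# Emulates IOS "show ... | include / exclude / begin / section" with grep and awk over a
# constructed running-config (added example; the config below is made up, not device output).
CONFIG='hostname Catalyst6509
mls flow ip interface-full
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet1/1
 description uplink
 ip access-group ACL-IN in
ip access-list extended ACL-IN
 permit tcp any any eq 443
 deny ip any any log
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0'

# show run | include REGEX  (or "+REGEX" at --More--): only the lines matching the regex
ios_include() { printf '%s\n' "$CONFIG" | grep -E -e "$1"; }

# show run | exclude REGEX  (or "-REGEX" at --More--): drop the lines matching the regex
ios_exclude() { printf '%s\n' "$CONFIG" | grep -E -v -e "$1"; }

# show run | begin REGEX  (or "/REGEX" at --More--): everything from the first match onward
ios_begin() { printf '%s\n' "$CONFIG" | awk -v re="$1" 'found || $0 ~ re { found = 1; print }'; }

# show run | section REGEX: each matching top-level line together with its indented sub-lines
ios_section() { printf '%s\n' "$CONFIG" | awk -v re="$1" '/^[^ ]/ { keep = ($0 ~ re) } keep { print }'; }

# Number of lines a filter returns, for quick checks
count() { "$@" | wc -l | tr -d ' '; }

# Unanchored "interface" also catches "mls flow ip interface-full"; ^interface does not.
ios_include 'interface'
echo '--- anchored:'
ios_include '^interface'
echo '--- without ACL entries:'
ios_exclude 'permit|deny'
echo '--- one interface stanza:'
ios_section '^interface GigabitEthernet1/1'
```

Run it as a plain sh script; the three dashed blocks it prints are the unanchored include, the anchored include and the configuration with the ACL entries removed, followed by the GigabitEthernet1/1 stanza on its own.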