Saturday, August 19, 2017

[Wireshark] Display Filter examples



Wireshark is an essential network analysis tool for network professionals. It is used for network troubleshooting, software analysis, protocol development and network security reviews. To troubleshoot network problems effectively and efficiently, an in-depth understanding of TCP/IP is necessary, but you also need to know how to use Wireshark's features so that you can save time and effort while troubleshooting.



The basics and the syntax of the Display Filters (also called Post-Filters) are described in the User's Guide.

Syntax:

  Protocol.String1.String2   Comparison Operator   Value        Logical Operations   Other Expression

Example:

  ftp.passive.ip             ==                    10.10.10.1   xor                  icmp.type


Here are Wireshark Display Filter examples!

IP, MAC, TCP
ip.addr==10.10.10.1
ip.addr==192.168.1.10 && ip.addr==192.168.1.20
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
ip.src==10.10.10.0/24
eth.addr==00:1b:17:00:01:31
ip.addr==10.10.10.1 && tcp.port==80
tcp.port==80
tcp.port==80 || tcp.port==3389
tcp.dstport==80
eth.dst==ff:ff:ff:ff:ff:ff
ip.addr==255.255.255.255
ip.host contains "imap"

* Note: ip.addr and tcp.port hold both the source and the destination value, and a comparison is true if either value matches. In the Wireshark versions current when this was written, ip.addr!=10.10.10.1 is therefore true for nearly every packet (the other address is never 10.10.10.1); write !(ip.addr==10.10.10.1) instead, as in the examples above. Wireshark 4.0 and later treat != as that negation.

Protocol
arp
bootp
dns
udp
http or dns
!(arp or icmp or dns)

TCP, UDP Flags and Frames
tcp contains "facebook"
tcp.analysis.retransmission
tcp.flags.syn==1
tcp.flags.reset==1
frame contains "password"
frame contains "password" || frame contains "username"
udp contains 2d:00

HTTP
http.user_agent contains "Mozilla"
http.host contains "facebook"
http.request.full_uri contains "facebook"
http and data-text-lines contains "facebook"
http.request.method=="GET" || http.request.method=="POST"
http.request.method in {"GET" "POST"}
http.request or http.response

sip && rtp
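The examples above read naturally, but the rule behind them is easy to miss: a field such as ip.addr or tcp.port occurs twice in one packet (source and destination), and Wireshark treats a comparison as true when any occurrence satisfies it. That is why the list negates with !(ip.addr==... ) rather than ip.addr!=... . The Python script below is an added example, not part of the original post and not Wireshark's code: a toy parser and evaluator for the subset of the filter grammar used on this page (presence tests, ==/eq, !=/ne, contains, CIDR values, !, &&, ||, and/or/not, parentheses), run over a handful of constructed packets. The packet(), Filter and select() names, the packet layout and the sample traffic are this example's own assumptions; the semantics modelled are those of the Wireshark versions current when this post was written.

```python
"""Toy model of Wireshark display-filter matching (an added example, not
Wireshark's code).  It covers the subset used on this page and shows why
"!(ip.addr==X)" differs from "ip.addr!=X": ip.addr and tcp.port occur twice
per packet and a comparison is true if ANY occurrence matches."""
import re
from ipaddress import ip_address, ip_network

def packet(src, dst, proto, sport=None, dport=None, payload=b""):
    """Constructed packet: field name -> list of occurrences of that field."""
    f = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
         "frame": [payload], proto: [payload]}
    if proto in ("tcp", "udp"):  # port fields occur twice too, like ip.addr
        f[proto + ".srcport"], f[proto + ".dstport"] = [sport], [dport]
        f[proto + ".port"] = [sport, dport]
    return f

# Constructed sample traffic, not a real capture; list index = packet number.
PACKETS = [
    packet("10.10.10.1", "192.168.1.10", "tcp", 51000, 80, b"GET /?password=x HTTP/1.1"),
    packet("192.168.1.10", "10.10.10.1", "tcp", 80, 51000, b"HTTP/1.1 200 OK"),
    packet("192.168.1.20", "192.168.1.10", "tcp", 49152, 445, b""),
    packet("192.168.1.10", "8.8.8.8", "udp", 53123, 53, b"\x2d\x00facebook.com"),
    packet("192.168.1.20", "192.168.1.1", "icmp"),
]

# Parentheses, C-like operators, "quoted text", then bare words (field names,
# English operators, numbers, addresses, CIDR prefixes, aa:bb byte strings).
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|!|"[^"]*"|[\w.:/\-]+)')

def tokenize(text):
    out, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("bad token at %r" % text[pos:])
        out.append(m.group(1))
        pos = m.end()
    return out

def compare(value, op, rhs):
    """Compare ONE occurrence of a field with the right-hand side: "..." is
    text, aa:bb:cc is a byte string, anything else is a bare value."""
    if rhs.startswith('"'):
        lit = rhs[1:-1].encode()
    elif re.fullmatch(r"([0-9a-f]{2}:)+[0-9a-f]{2}", rhs, re.I):
        lit = bytes.fromhex(rhs.replace(":", ""))
    else:
        lit = rhs.encode()
    haystack = value if isinstance(value, bytes) else str(value).encode()
    if op == "contains":
        return lit in haystack
    if b"/" in lit and isinstance(value, str):  # CIDR form: ip.src==10.10.10.0/24
        hit = ip_address(value) in ip_network(lit.decode(), strict=False)
    else:
        hit = haystack == lit
    return hit if op in ("==", "eq") else not hit

class Filter:
    """Recursive-descent parser compiling a filter text into a predicate."""
    LEVELS = (("||", "or"), ("&&", "and"))  # lowest precedence first, then not

    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [None], 0  # None marks the end
        self.matches = self.parse()  # packet dict -> bool
        if self.toks[self.i] is not None:
            raise SyntaxError("unexpected %r" % self.toks[self.i])

    def take(self):
        tok, self.i = self.toks[self.i], self.i + 1
        if tok is None:
            raise SyntaxError("filter ended early")
        return tok

    def parse(self, level=0):
        if level == len(self.LEVELS):
            return self.parse_unary()
        pred = self.parse(level + 1)
        while self.toks[self.i] in self.LEVELS[level]:
            op, left, right = self.take(), pred, self.parse(level + 1)
            pred = ((lambda p, l=left, r=right: l(p) or r(p)) if op in ("||", "or")
                    else (lambda p, l=left, r=right: l(p) and r(p)))
        return pred

    def parse_unary(self):
        tok = self.take()
        if tok in ("!", "not"):
            inner = self.parse_unary()
            return lambda p: not inner(p)
        if tok == "(":
            pred = self.parse()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return pred
        if self.toks[self.i] in ("==", "!=", "eq", "ne", "contains"):
            op, rhs = self.take(), self.take()
            # Wireshark rule: true if ANY occurrence of the field satisfies the
            # comparison, so "ip.addr != X" still matches a packet whose OTHER
            # address is X; "!(ip.addr == X)" is the negation you actually want.
            return lambda p: any(compare(v, op, rhs) for v in p.get(tok, []))
        return lambda p: bool(p.get(tok))  # bare protocol/field name, e.g. "udp"

def select(filter_text, packets=PACKETS):
    """Indices of the packets the filter matches (the packet-list pane)."""
    flt = Filter(filter_text)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

select("ip.addr==10.10.10.1") returns packets 0 and 1 (both directions of the conversation), select("ip.addr!=10.10.10.1") returns every packet, and select("!(ip.addr==10.10.10.1)") returns only 2, 3 and 4. select("ip.src==10.10.10.0/24") shows the CIDR form, and select("udp contains 2d:00") the byte-string form of contains as opposed to the quoted-text form in frame contains "password". Wireshark 4.0 changed != so that it means the same as !(... == ...); the older any-occurrence reading survives there as !==.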


* Tip: You can use English and C-like terms in the same way, they can even be mixed in a filter string.

Table 6.4. Display Filter comparison operators

English       C-like   Description and example
eq            ==       Equal. ip.src==10.0.0.5
ne            !=       Not equal. ip.src!=10.0.0.5
gt            >        Greater than. frame.len > 10
lt            <        Less than. frame.len < 128
ge            >=       Greater than or equal to. frame.len ge 0x100
le            <=       Less than or equal to. frame.len <= 0x20
contains               Protocol, field or slice contains a value. sip.To contains "a1762"
matches       ~        Protocol or text field matches a Perl-compatible regular expression. http.host matches "acme\.(org|com|net)"
bitwise_and   &        Compare bit field value. tcp.flags & 0x02

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5, “Display Filter Logical Operations”

Table 6.5. Display Filter Logical Operations

English   C-like   Description and example
and       &&       Logical AND. ip.src==10.0.0.5 and tcp.flags.fin
or        ||       Logical OR. ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^       Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !        Logical NOT. not llc
[…]                Substring operator; see "Substring Operator" in the User's Guide.
in                 Membership operator; see "Membership Operator" in the User's Guide.


PacketLife provides a nice cheat sheet for Wireshark Display Filters. You can download it here.

A full list of Wireshark's display filters (Display Filter Reference) is available here.
