Saturday, August 19, 2017

Wireshark Display Filter Examples

Wireshark is an essential network analysis tool for network professionals. It is used for network troubleshooting, software analysis, protocol development, and network security reviews. To troubleshoot computer network problems effectively and efficiently, an in-depth understanding of TCP/IP is absolutely necessary, but you also need to know how to use Wireshark's features so that you can save time and effort while troubleshooting.



The basics and the syntax of the Display Filters (also called Post-Filters) are described in the User's Guide.

Syntax:   Protocol.String1.String2   Comparison Operator   Value        Logical Operations   Other Expression
Example:  ftp.passive.ip             ==                    10.10.10.1   xor                  icmp.type


Here are Wireshark Display Filter examples!

  • IP, MAC, TCP

ip.addr==10.10.10.1
ip.addr==192.168.1.10 && ip.addr==192.168.1.20
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
ip.src==10.10.10.0/24
eth.addr==00:1b:17:00:01:31
ip.addr==10.10.10.1 && tcp.port==80
tcp.port==80
tcp.port==80 || tcp.port==3389
tcp.dstport==80
eth.dst==ff:ff:ff:ff:ff:ff
ip.addr==255.255.255.255
ip.host contains "imap"

  • Protocol

arp
bootp
dns
dns && dns.qry.name matches "wireshark.org"
tcp
udp
http or dns
-> Displays all HTTP and DNS packets

!(arp or icmp or dns)
-> Displays only interesting traffic by not displaying background protocols.


  • TCP, UDP Flags and Frames

tcp contains "facebook"
-> Displays all TCP packets whose payload contains the string 'facebook'. Useful when searching for a specific string or user ID.

tcp.analysis.retransmission
tcp.analysis.flags
tcp.flags.syn==1
tcp.flags.reset==1
-> Displays all TCP resets

frame contains "password"
frame contains "password" || frame contains "username"
udp contains 2d:00

  • HTTP

http.request
-> Displays all HTTP GET requests

http.user_agent contains "Mozilla"
http.host contains "facebook"
http.request.full_uri contains "facebook"
http and data-text-lines contains "facebook"
http.request.method=="GET" || http.request.method=="POST"
http.request or http.response
sip && rtp


* Tip: The English and C-like forms of an operator are interchangeable, and both can even be mixed within a single filter string.

Table 6.4. Display Filter comparison operators

English       C-like   Description and example
eq            ==       Equal. ip.src==10.0.0.5
ne            !=       Not equal. ip.src!=10.0.0.5
gt            >        Greater than. frame.len > 10
lt            <        Less than. frame.len < 128
ge            >=       Greater than or equal to. frame.len ge 0x100
le            <=       Less than or equal to. frame.len <= 0x20
contains               Protocol, field or slice contains a value. sip.To contains "a1762"
matches       ~        Protocol or text field matches a Perl regular expression. http.host matches "acme\.(org|com|net)"
bitwise_and   &        Compare bit field value. tcp.flags & 0x02

You can combine filter expressions in Wireshark using the logical operators shown in Table 6.5, “Display Filter Logical Operations”

Table 6.5. Display Filter Logical Operations

English   C-like   Description and example
and       &&       Logical AND. ip.src==10.0.0.5 and tcp.flags.fin
or        ||       Logical OR. ip.src==10.0.0.5 or ip.src==192.1.1.1
xor       ^^       Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not       !        Logical NOT. not llc
[…]                Substring (slice) operator; see "Substring Operator" in the User's Guide.
in                 Membership operator; see "Membership Operator" in the User's Guide.
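To make the syntax line and the two operator tables concrete, here is a small Python evaluator for that subset of the display-filter grammar. It is an added example written for this page, not code from the original post or from the Wireshark project: the packet dictionaries are constructed in-line (not a real capture), and the names PACKETS, compile_filter and display_filter are my own. It accepts the English and C-like operator spellings, contains, matches, the bitwise & test, CIDR values such as 10.10.10.0/24, and the precedence || < ^^ < && < !. Each field holds a list of values, which models the detail that matters most in the IP examples above: ip.addr and tcp.port occur twice per packet, so ip.addr!=10.10.10.5 still matches nearly every packet and the negation has to be written !(ip.addr==10.10.10.5).

```python
import ipaddress
import re

# Constructed sample packets (not a real capture). Each field holds a LIST of
# values: ip.addr and tcp.port occur twice per packet (source and destination),
# and a Wireshark comparison is true if ANY occurrence matches.
PACKETS = [
    {"frame.len": [74], "eth.dst": ["00:1b:17:00:01:31"], "ip.src": ["10.10.10.5"],  # 0: HTTP GET
     "ip.addr": ["10.10.10.5", "192.168.1.10"], "tcp.port": [51000, 80], "tcp.flags": [0x18],
     "tcp.flags.syn": [0], "tcp.flags.reset": [0], "http.request": [True],
     "http.request.method": ["GET"], "http.host": ["www.facebook.com"]},
    {"frame.len": [60], "eth.dst": ["ff:ff:ff:ff:ff:ff"], "ip.src": ["172.16.0.9"],  # 1: SYN to RDP
     "ip.addr": ["172.16.0.9", "10.10.10.1"], "tcp.port": [40000, 3389], "tcp.flags": [0x02],
     "tcp.flags.syn": [1], "tcp.flags.reset": [0]},
    {"frame.len": [82], "eth.dst": ["00:1b:17:00:01:31"], "ip.src": ["10.10.10.7"],  # 2: DNS, no TCP
     "ip.addr": ["10.10.10.7", "10.10.10.1"], "udp.port": [5353, 53],
     "dns.qry.name": ["www.wireshark.org"]},
]

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|==|!=|>=|<=|&&|\|\||\^\^|[()<>!~&]|[\w.:/-]+')
# English spellings from Tables 6.4 and 6.5 are normalised to their C-like forms.
ALIASES = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
           "and": "&&", "or": "||", "xor": "^^", "not": "!", "~": "matches"}
COMPARISONS = {"==", "!=", ">", "<", ">=", "<=", "contains", "matches", "&"}
# Binary operators from lowest to highest precedence, as in Wireshark: || < ^^ < && (then !).
LEVELS = [("||", lambda a, b: a or b), ("^^", lambda a, b: a != b), ("&&", lambda a, b: a and b)]

def tokenize(text):
    return [ALIASES.get(t, t) for t in TOKEN_RE.findall(text)]

def literal(tok):
    """Value token -> str (quoted), int (decimal or 0x..), IP address or CIDR network."""
    if tok.startswith('"'):
        return tok[1:-1]
    for parse in (lambda s: int(s, 0), ipaddress.ip_address,
                  lambda s: ipaddress.ip_network(s, strict=False)):
        try:
            return parse(tok)
        except ValueError:
            pass
    return tok  # bare word such as a MAC address

def compare(op, value, lit):
    """Apply one comparison operator to a single occurrence of a field."""
    if isinstance(lit, ipaddress.IPv4Network):              # ip.src==10.10.10.0/24
        return (ipaddress.ip_address(value) in lit) == (op == "==")
    if isinstance(lit, ipaddress.IPv4Address):
        value = ipaddress.ip_address(value)
    elif isinstance(lit, int):
        value = int(value)
    elif op in ("==", "!=", ">", "<", ">=", "<="):           # MAC addresses, method names
        value, lit = str(value).lower(), lit.lower()
    if op == "contains":
        return str(lit) in str(value)
    if op == "matches":
        return re.search(lit, str(value)) is not None
    if op == "&":
        return value & lit != 0
    return {"==": value == lit, "!=": value != lit, ">": value > lit,
            "<": value < lit, ">=": value >= lit, "<=": value <= lit}[op]

def compile_filter(text):
    """Recursive-descent parser: filter string -> predicate(packet) -> bool."""
    toks, pos = tokenize(text), [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if peek() is None:
            raise SyntaxError("unexpected end of filter")
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary(level):
        if level == len(LEVELS):
            return unary()
        op, fn = LEVELS[level]
        node = binary(level + 1)
        while peek() == op:
            take()
            node = (lambda l, r: lambda pkt: fn(l(pkt), r(pkt)))(node, binary(level + 1))
        return node
    def unary():
        tok = take()
        if tok == "!":
            inner = unary()
            return lambda pkt: not inner(pkt)
        if tok == "(":
            inner = binary(0)
            if take() != ")":
                raise SyntaxError("expected ')'")
            return inner
        if peek() in COMPARISONS:
            op, lit = take(), literal(take())
            return lambda pkt: any(compare(op, v, lit) for v in pkt.get(tok, []))
        # Bare protocol or field name (tcp, dns, tcp.analysis.flags): true when present.
        return lambda pkt: tok in pkt or any(k.startswith(tok + ".") for k in pkt)
    return binary(0)

def display_filter(text, packets=PACKETS):
    """Return the indices of the packets that the display filter selects."""
    predicate = compile_filter(text)
    return [i for i, pkt in enumerate(packets) if predicate(pkt)]
```

With the constructed packets, display_filter("ip.src==10.10.10.0/24") returns [0, 2], display_filter("!(arp or icmp or dns)") returns [0, 1], and the pair display_filter("ip.addr!=10.10.10.5") and display_filter("!(ip.addr==10.10.10.5)") return [0, 1, 2] and [1, 2] respectively, which is why the IP examples above negate the whole expression rather than using != on a two-valued field. The evaluator is deliberately minimal: it has no slice or membership operators, and a bare word it cannot resolve as a field simply tests as absent, which is what happens to the POST in the unquoted form http.request.method==GET or POST.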


PacketLife provides a nice cheat sheet for Wireshark Display Filters. You can download it here.

A full list of Wireshark's display filters (Display Filter Reference) is available here.

