Wireshark general
Wireshark is a free and open-source packet analyzer. This tool is used for network troubleshooting, analysis,
communication and software protocol development and education. The original software were named Ehtereal, in May 2006.
Later it was renamed to Wireshark due to trademark issues.
Wireshark uses pcap to capture packets. It runs on several platforms like GNU/Linux, OS X, BSD, Solaris,
some other Unix-like operating systems, and Microsoft Windows.
There is also a terminal-based version (non-GUI) called TShark.
Here I’d like to introduce some important filter options in wireshark.
It’s very hard to find exactly the right packets, you are looking for, in a hugh amount of data.
The following charts are a compendium of several websites.
My aim for these post was, to bring the most important commands of one page.
&nb
Wireshark Homepage
1. Display comparison operators
English | C-like | Description and example |
eq | == | Equal ip.src==10.10.0.5 |
ne | != | Not equal ip.src!=10.10.0.5 |
gt | > | Greater than frame.len > 20 |
lt | < | Less than frame.len < 256 |
ge | >= | Greater than or equal to frame.len >= 0x200 |
le | <= | Less than or equal to frame.len <= 0x30 |
2. Wireshark display filters examples
English | C-like | Description and example |
eq | == | Equal ip.src==10.10.10.5 |
ne | != | Not equal ip.src!=10.10.10.5 |
gt | > | Greater than frame.len > 10 |
lt | < | Less than frame.len < 256 |
ge | >= | Greater than or equal to frame.len >= 0x200 |
le | <= | Less than or equal to frame.len <= 0x30 |
3. Display Filter Field Types
Type | Example |
Unsigned integer(8-bit, 16- bit,24-bit, 32-bit) |
You can express integers in decimal, octal, or hexadecimal. The following display filters are equivalent:
ip.len le 1500
ip.len le 02734 ip.len le 0x5dc |
Signed integer (8-bit, 16-bit, 24-bit, 32-bit) | A boolean field is present in the protocol decode only if its value is true. For example, tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment header.
Thus the filter expression tcp.flags.syn will select only those packets for which this flag exists, that is, TCP segments where the segment header contains the SYN flag. Similarly, to find source-routed token ring packets, use a filter expression of tr.sr. |
Ethernet address (6 bytes) | Separators can be a colon (:), dot (.) or dash (-) and can have one or two bytes between separators:
eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff eth.dst == ffff.ffff.ffff |
IPv4 address | ip.addr == 192.168.0.1
Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network: ip.addr == 129.111.0.0/16 |
IPv6 address | ipv6.addr == ::1 |
String (text) | http.request.uri == “https://www.wireshark.org/” |
4. Display Filter Logical Operations
English | C-like | Description and example |
and | && | Logical AND. `ip.src==10.0.0.5 and tcp.flags.fin` |
or | || | Logical OR. `ip.scr==10.0.0.5 or ip.src==192.1.1.1` |
xor | ^^ | Logical XOR. `tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29` |
not | ! | Logical NOT. `not llc` |
Substring Operator. Wireshark allows you to select subsequences of a sequence in rather elaborate ways. After a label you can place a pair of brackets [ ] containing a comma separated list of range specifiers.
eth.src[0:3] == 00:00:83
The example above uses the n:m format to specify a single range. In this case n is the beginning offset and m is the length of the range being specified. eth.src[1-2] == 00:83
The example above uses the n-m format to specify a single range. In this case n is the beginning offset and m is the ending offset. eth.src[:4] == 00:00:83:00
The example above uses the :m format, which takes everything from the beginning of a sequence to offset m. It is equivalent to 0:m eth.src[4:] == 20:20
The example above uses the n: format, which takes everything from offset n to the end of the sequence. eth.src[2] == 83
The example above uses the n format to specify a single range. In this case the element in the sequence at offset n is selected. This is equivalent to n:1. eth.src[0:3,1-2,:4,4:,2] ==
00:00:83:00:83:00:00:83:00:20:20:83 Wireshark allows you to string together single ranges in a comma separated list to form compound ranges as shown above. |
||
5. A common mistake
-
Using the != operator on combined expressions like eth.addr, ip.addr, tcp.port, and udp.port will probably not work as expected.
Often people use a filter string to display something like ip.addr == 1.2.3.4 which will display all packets containing the IP address 1.2.3.4.
Then they use ip.addr != 1.2.3.4 to see all packets not containing the IP address 1.2.3.4 in it. Unfortunately, this does not do the expected.
Instead, that expression will even be true for packets where either source or destination IP address equals 1.2.3.4. The reason for this, is that the expression ip.addr != 1.2.3.4 must be read as “the packet contains a field named ip.addr with a value different from 1.2.3.4”. As an IP datagram contains both a source and a destination address, the expression will evaluate to true whenever at least one of the two addresses differs from 1.2.3.4.
If you want to filter out all packets containing IP datagrams to or from IP address 1.2.3.4, then the correct filter is !(ip.addr == 1.2.3.4) as it reads “show me all the packets for which it is not true that a field named ip.addr exists with a value of 1.2.3.4”, or in other words, “filter out all packets for which there are no occurrences of a field named ip.addr with the value 1.2.3.4”.
6. More Examples
-
Show only SMTP (port 25) and ICMP traffic:
Show only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet:
TCP buffer full — Source is instructing Destination to stop sending data
Filter on Windows — Filter out noise, while watching Windows Client – DC exchanges
Sasser worm: –What sasser really did–
Match packets containing the (arbitrary) 3-byte sequence 0x81, 0x60, 0x03 at the beginning of the UDP payload, skipping the 8-byte UDP header.
Note that the values for the byte sequence implicitly are in hexadecimal only. (Useful for matching homegrown packet protocols.)
The “slice” feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details.
Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:
Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:
It is also possible to search for characters appearing anywhere in a field or protocol by using the matches operator.
Match packets that contains the 3-byte sequence 0x81, 0x60, 0x03 anywhere in the UDP header or payload:
Match packets where SIP To-header contains the string “a1762” anywhere in the header:
The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax.Note: Wireshark needs to be built with libpcre in order to be able to use the matches operator.
Match HTTP requests where the last characters in the uri are the characters “gl=se”:
Note: The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of http.request.uri field.
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
Gotchas
Some filter fields match against multiple protocol fields. For example, “ip.addr” matches against both the IP source and destination addresses in the IP header. The same is true for “tcp.port”, “udp.port”, “eth.addr”, and others. It’s important to note that
is equivalent to
This can be counterintuitive in some cases. Suppose we want to filter out any traffic to or from 10.43.54.65. We might try the following:
which is equivalent to
This translates to “pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65”,
which isn’t what we wanted.
Instead we need to negate the expression, like so:
which is equivalent to
This translates to “pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65”,
which is what we wanted.