Friday 5 August 2016

Wireshark: Capture Filters and Display Filters

Wireshark has two main filter types - capture filters, which are applied to live captures, and display filters, which are applied to existing (non-live) captures and provide more granular control.

Display filters provide a way of extracting relevant information from packet captures, and filtering can be applied in one of two ways:

- Either by defining a filter on the actual interface - hence only capturing specific traffic.

- Or against a pre-existing (offline) capture.

Capture filters consist of identifiers and qualifiers:

- Identifiers refer to a specific resource (e.g. (port) 80 or (host) 8.8.8.8).

- Qualifiers come in three types: type (host, port, net), dir (source / src or destination / dst) and proto (tcp, udp, icmp etc.)

For example, if we wanted to look at TCP traffic originating from 8.8.8.8 to 1.2.3.4 on port 53 we would use a display filter such as:

ip.src == 8.8.8.8 && ip.dst == 1.2.3.4 && tcp.port == 53

We are also able to negate results dependent on a specific host or network, as well as use other conditional operators such as || (or) - for example, to get communication in both directions (RX and TX) between two hosts we could issue:

(ip.src == 8.8.8.8 and ip.dst == 1.2.3.4) or (ip.src == 1.2.3.4 and ip.dst == 8.8.8.8)

We can also filter dependent on network (and apply negation with the '!' character) - for example, if we wanted to filter all traffic from an internal subnet out to the internet we could issue the following. Note that 'and' binds more tightly than 'or', so the excluded destination ranges have to be grouped inside the negation; writing them as a chain of 'or'-ed '!=' tests would match almost every packet, since any address is outside at least one of the ranges:

ip.src == 10.0.0.0/8 and !(ip.dst == 192.168.0.0/16 or ip.dst == 10.0.0.0/8 or ip.dst == 172.16.0.0/12)

It may also be useful to filter out non-unicast traffic sometimes - by removing the broadcast and multicast traffic:

!(eth.dst == ff:ff:ff:ff:ff:ff) and !(ip.dst == 224.0.0.0/4)
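To make the precedence and negation points above concrete, here is a small Python model of the display filters in this section. It is added here as an illustration and is not Wireshark code: it does not parse filter syntax, it just reproduces the boolean logic of each expression (the two-host conversation filter, the subnet egress filter in its broken and corrected forms, and the unicast-only filter) against a handful of constructed packets. The Packet class, the sample MAC address and the sample traffic are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges used by the egress filter (the same values as in the post).
NET10 = ipaddress.ip_network("10.0.0.0/8")
NET172 = ipaddress.ip_network("172.16.0.0/12")
NET192 = ipaddress.ip_network("192.168.0.0/16")
INTERNAL = (NET10, NET172, NET192)
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    """Only the fields the filters below look at (a constructed stand-in for a real frame)."""
    src: str
    dst: str
    eth_dst: str = "00:11:22:33:44:55"  # constructed unicast MAC


def _in(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def egress_as_written(p: Packet) -> bool:
    """ip.src == 10.0.0.0/8 and ip.dst != 192.168.0.0/16 or ip.dst != 10.0.0.0/8 or ip.dst != 172.16.0.0/12

    'and' binds tighter than 'or', so this is evaluated as
    (src in 10/8 and dst not in 192.168/16) or (dst not in 10/8) or (dst not in 172.16/12).
    Every destination lies outside at least one of those last two ranges, so the
    expression is true for practically every packet, not just egress traffic.
    """
    return ((_in(p.src, NET10) and not _in(p.dst, NET192))
            or not _in(p.dst, NET10)
            or not _in(p.dst, NET172))


def egress_corrected(p: Packet) -> bool:
    """ip.src == 10.0.0.0/8 and !(ip.dst == 192.168.0.0/16 or ip.dst == 10.0.0.0/8 or ip.dst == 172.16.0.0/12)"""
    return _in(p.src, NET10) and not any(_in(p.dst, n) for n in INTERNAL)


def between_hosts(p: Packet, a: str, b: str) -> bool:
    """(ip.src == a and ip.dst == b) or (ip.src == b and ip.dst == a): both directions of one conversation."""
    return (p.src == a and p.dst == b) or (p.src == b and p.dst == a)


def unicast_only(p: Packet) -> bool:
    """!(eth.dst == ff:ff:ff:ff:ff:ff) and !(ip.dst == 224.0.0.0/4)"""
    return p.eth_dst != ETH_BROADCAST and not _in(p.dst, MULTICAST_V4)


# Constructed sample traffic: one packet per case the egress filter has to get right.
SAMPLE = [
    Packet("10.1.1.1", "8.8.8.8"),        # internal -> internet: the only one we want
    Packet("10.1.1.1", "10.2.2.2"),       # internal -> internal (same /8)
    Packet("10.1.1.1", "192.168.1.1"),    # internal -> internal (other RFC 1918 range)
    Packet("8.8.8.8", "10.1.1.1"),        # internet -> internal
]


def matching(filter_fn, packets):
    """Return the (src, dst) pairs a filter keeps, i.e. the packet list you would see after applying it."""
    return [(p.src, p.dst) for p in packets if filter_fn(p)]


if __name__ == "__main__":
    print("as written :", matching(egress_as_written, SAMPLE))  # all four packets
    print("corrected  :", matching(egress_corrected, SAMPLE))   # only 10.1.1.1 -> 8.8.8.8
```

The corrected form uses `!(ip.dst == ...)` rather than `ip.dst != ...` on purpose: the meaning of `!=` on fields that can occur more than once in a packet has changed between Wireshark versions, whereas negating an equality test is unambiguous everywhere.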

Capture filters are typically less specific and use a slightly different syntax (the same BPF syntax as tcpdump).

For example, to monitor traffic (to and from) a specific host we can issue:

host 10.11.12.13

or a specific network:

net 10.0.0.0/24

And to capture traffic from (not to) a specific network:

src net 10.0.0.0/24

We can also monitor TCP applications e.g.:

host 10.11.12.13 and port 80 and not (port 8080 or port 443)

and also refine the capture to only unicast:

not broadcast and not multicast
