Wireshark has two main filter types: a capture filter, which is applied to live captures, and display filters, which are applied to existing (non-live) captures and give you more granular control.
Display filters provide a way of extracting relevant information from packet captures and can be applied in one of two ways:
- either by defining a filter on the actual interface, hence only capturing specific traffic;
- or against a pre-existing (offline) capture.
Capture filters are comprised of identifiers and qualifiers:
- Identifiers refer to a specific resource (e.g. (port) 80 or (host) 8.8.8.8).
- Qualifiers come in three types: type (host, port, net), dir (source / src or destination / dst) and proto (tcp, udp, icmp etc.).
For example, in display filter syntax, if we wanted to look at TCP traffic originating from 8.8.8.8 to 1.2.3.4 on port 53 we would issue something like:
ip.src == 8.8.8.8 && ip.dst == 1.2.3.4 && tcp.dstport == 53
We are also able to negate results dependent on a specific host or network, as well as use other logical operators such as || (or). For example, to get communication (RX and TX) between two hosts we could issue:
(ip.src == 8.8.8.8 && ip.dst == 1.2.3.4) || (ip.src == 1.2.3.4 && ip.dst == 8.8.8.8)
We can also filter dependent on network (and apply negation with the '!' character). For example, if we wanted to filter all traffic from an internal subnet out to the internet (i.e. not to any of the private ranges) we could issue:
ip.src == 10.0.0.0/8 && !(ip.dst == 192.168.0.0/16) && !(ip.dst == 10.0.0.0/8) && !(ip.dst == 172.16.0.0/12)
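To show why the operators and their precedence matter in the internal-to-internet filter, here is an added Python example (not from the original post) that evaluates two versions of that filter's logic over a constructed set of (src, dst) pairs: one that ORs together "destination is not in range" terms, and the corrected one that ANDs the negated terms.

```python
import ipaddress

# Constructed sample packets as (src, dst); 203.0.113.0/24 is a documentation range.
PACKETS = [
    ("10.1.2.3", "203.0.113.5"),    # internal -> internet: the only one we want
    ("10.1.2.3", "10.9.9.9"),       # internal -> internal
    ("10.1.2.3", "192.168.1.10"),   # internal -> another private range
    ("10.1.2.3", "172.16.5.5"),     # internal -> another private range
    ("203.0.113.9", "10.1.2.3"),    # internet -> internal
]

TEN, ONE92, ONE72 = (ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"))
PRIVATE = (TEN, ONE92, ONE72)


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def or_of_inequalities(src, dst):
    """Logic of: ip.src == 10/8 and ip.dst != 192.168/16 or ip.dst != 10/8 or ip.dst != 172.16/12
    'and' binds tighter than 'or', and no destination can sit in all three ranges at
    once, so at least one '!=' term is always true and every packet matches."""
    return ((in_net(src, TEN) and not in_net(dst, ONE92))
            or not in_net(dst, TEN)
            or not in_net(dst, ONE72))


def and_of_negations(src, dst):
    """Logic of: ip.src == 10.0.0.0/8 && !(ip.dst == 192.168.0.0/16)
                 && !(ip.dst == 10.0.0.0/8) && !(ip.dst == 172.16.0.0/12)"""
    return in_net(src, TEN) and not any(in_net(dst, n) for n in PRIVATE)


def apply_filter(filter_fn, packets=PACKETS):
    """Return the packets a display-filter-like predicate would keep."""
    return [p for p in packets if filter_fn(*p)]


if __name__ == "__main__":
    print("OR of inequalities keeps:", apply_filter(or_of_inequalities))
    print("AND of negations keeps:  ", apply_filter(and_of_negations))
```

Running it shows the OR version keeping all five constructed packets, while the AND version keeps only the internal-to-internet one.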
It may also be useful to filter out non-unicast traffic sometimes, by removing the broadcast and multicast traffic:
!(eth.dst == ff:ff:ff:ff:ff:ff) && !(ip.dst == 224.0.0.0/4)
Capture filters are typically less specific and use a slightly different syntax (similar to that of tcpdump).
For example, to monitor traffic (to and from) a specific host we can issue:
host 10.11.12.13
or a specific network:
net 10.0.0.0/24
And to capture traffic from (not to) a specific network:
src net 10.0.0.0/24
We can also monitor TCP applications, e.g. HTTP on a host while excluding other ports:
host 10.11.12.13 and port 80 and not (port 8080 or port 443)
and also refine the capture to only unicast:
not broadcast and not multicast