
Packets and Protocols


Presentation Transcript


  1. Packets and Protocols Chapter Five Wireshark Filters

  2. Packets and Protocols Chapter 5
     • Filters come in two flavors
       • Capture filters
         • Used to filter frames AS they are captured
         • Generally used when the amount of data that can be captured is extremely large (gigabit speed)
       • Display filters
         • Used to filter the display of the captured data
         • Generally used when troubleshooting a capture file

  3.
     • Data can be filtered via command line captures (Tshark) or via GUI (Wireshark).
     • If you do not have a pretty good idea of the problem, use an open (unfiltered) capture and sort it afterwards
     • Improper filters lead to lost data

  4.
     • Capture filters (aka tcpdump filters) are not the same as display filters
     • You can sort on:
       • Host names or addresses
       • Hardware addresses
       • Protocols
       • Ports
       • Packet size

  5.
     • Filtering on host names or addresses
       • IPv4: host 192.168.1.1
       • IPv6: host 2::8100:2:30a:c392:fc5a
       • Names: host www.sc4.org

  6.
     • You can further narrow your search by designating source or destination addresses
       • src host 192.168.1.1
       • dst host 192.168.255.255
     • You can also use a shorthand notation to check host addresses without using host:
       • src 192.168.1.1
       • dst 192.168.255.255
     • You can filter on an entire network as well
       • src net 192.168.100.0/24

  7.
     • Filtering on hardware addresses
       • ether host ff:ff:ff:ff:ff:ff
       • ether src host 00:f9:06:aa:01:03
       • ether src 00:f9:06:aa:01:03

  8.
     • Filtering on ports
       • port 80
       • tcp port 80
       • tcp port http
       • udp dst port 53
       • udp src port 53

  9.
     • Logical operators
       • not is equivalent to !
       • and is equivalent to &&
       • or is equivalent to ||
     • Similar to the C++ operators
     • Wireshark is written in C

  10.
     • Logical operators in action
       • not port 53
       • host www.sc4.edu and port telnet
       • port telnet or port ssh
       • host www.sc4.edu and ( port telnet or port ssh )

  11.
     • NOTE: The logical operators "and" and "or" have the same precedence, which means that they are evaluated in the order in which they appear in the capture filter.
     • If parentheses are not used, the capture filter below will match Telnet packets to or from the host www.sc4.edu, or SSH packets to or from any IP address: host www.sc4.edu and port telnet or port ssh
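The precedence rule on this slide is easy to get wrong because it differs from C and Python, where "and" binds tighter than "or". The following is an added example, not part of the slides: a tiny evaluator for "host"/"port" capture-filter expressions that applies libpcap's equal-precedence, left-to-right grouping to a hypothetical minimal packet model (only src, dst and the two ports), so you can check how a filter groups before running it on a live capture.

```python
import re

# Hypothetical minimal packet model: only the fields "host" and "port" need.
def make_packet(src, dst, sport, dport):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}

PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "domain": 53}

def primitive(tokens, i, pkt):
    """Evaluate 'host X' or 'port N' at tokens[i]; returns (bool, next index)."""
    kind, value = tokens[i], tokens[i + 1]
    if kind == "host":  # either direction, as in libpcap
        return value in (pkt["src"], pkt["dst"]), i + 2
    if kind == "port":
        port = PORT_NAMES[value] if value in PORT_NAMES else int(value)
        return port in (pkt["sport"], pkt["dport"]), i + 2
    raise ValueError(f"unknown primitive {kind!r}")

def term(tokens, i, pkt):
    """A negated term, a parenthesised group, or a primitive."""
    if i >= len(tokens):
        raise ValueError("unexpected end of filter")
    if tokens[i] in ("not", "!"):
        val, i = term(tokens, i + 1, pkt)
        return (not val), i
    if tokens[i] == "(":
        val, i = expression(tokens, i + 1, pkt)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing )")
        return val, i + 1
    return primitive(tokens, i, pkt)

def expression(tokens, i, pkt):
    """and/or have EQUAL precedence and associate left to right, so each operator
    is folded as soon as its right operand is read (C/Python bind 'and' tighter)."""
    result, i = term(tokens, i, pkt)
    while i < len(tokens) and tokens[i] in ("and", "&&", "or", "||"):
        op = tokens[i]
        rhs, i = term(tokens, i + 1, pkt)
        result = (result and rhs) if op in ("and", "&&") else (result or rhs)
    return result, i

def capture_filter_matches(expr, pkt):
    """True if the capture filter accepts the packet under libpcap's grouping."""
    tokens = re.findall(r"\(|\)|&&|\|\||!|[^\s()!]+", expr)
    val, i = expression(tokens, 0, pkt)
    if i != len(tokens):
        raise ValueError("unexpected token " + tokens[i])
    return val
```

For an SSH packet between two unrelated hosts, "host www.sc4.edu and port telnet or port ssh" matches while the parenthesised form on slide 10 does not; reversing the order to "port ssh or host www.sc4.edu and port telnet" groups as "(port ssh or host ...) and port telnet" and no longer matches, which is the opposite of what C-style precedence would give.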

  12.
     • Protocols supported by capture filters

  13.
     • You can even limit the capture to individual bytes within a packet
     • For example, to capture on the source port only, use the offset tcp[0:2] (the two bytes at offset 0 of the TCP header hold the source port)

  14.
     • Numeric operators add even more flexibility to your capture capabilities

  15.
     • Example:
       • ICMP has several packet types
         • Echo request
         • Echo reply
         • Unreachable, etc.
       • How can you sort based on the offset (location in the packet) to filter out one or the other packet type?

  16.
     • icmp[0] == 8 or icmp[0] == 0
     • Or you can use ICMP type names rather than ICMP type numbers: icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply

  17.
     • So you have choices; you can use either the names or the numbers of protocol types

  18.
     • You can filter on packet size as well
       • len < 100
       • len > 1500

  19.
     • Capture filter examples
       • All HTTP packets: tcp port 80
       • Non-HTTP packets: not tcp port 80, !tcp port 80, tcp port not 80, or tcp port !80
       • HTTP browsing to www.wireshark.org: tcp port 80 and dst www.wireshark.org
       • HTTP browsing to hosts other than www.wireshark.org: tcp port 80 and not dst www.wireshark.org
       • IPX packets: ipx
       • IPX packets destined for IPX network 00:01:F0:EE: not possible, because you cannot retrieve bytes using the ipx keyword
       • TCP packets: tcp or ip proto 6
       • TCP SYN packets: tcp[tcpflags] & tcp-syn == tcp-syn
       • IP packets with total length > 255: ip[2:2] > 0xff
       • IP or IPX packets: ip or ipx
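Slides 13 through 19 all rely on the same idea: proto[offset:width] reads raw header bytes, and the width must be 1, 2 or 4. The following added example (not from the slides) builds two frames by hand, a TCP SYN and an ICMP echo request, and evaluates the slides' offset filters against them, so you can see exactly which bytes tcp[0:2], tcp[tcpflags], icmp[0], ip[2:2] and len refer to. It assumes plain Ethernet/IPv4 frames without IP options.

```python
import struct

ETH_LEN, ETHERTYPE_IP, PROTO_ICMP, PROTO_TCP = 14, 0x0800, 1, 6
TCP_SYN = 0x02                      # what libpcap calls "tcp-syn"
ICMP_ECHO, ICMP_ECHOREPLY = 8, 0    # "icmp-echo" and "icmp-echoreply"

def build_frame(proto, l4):
    """Constructed test data: Ethernet + minimal IPv4 header (no options) + L4 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    eth = b"\xff" * 6 + bytes.fromhex("00f906aa0103") + struct.pack("!H", ETHERTYPE_IP)
    return eth + ip + l4

def ip_field(frame, off, n=1):
    """ip[off:n]: n bytes at byte 'off' of the IPv4 header, as an unsigned int."""
    if n not in (1, 2, 4):                  # libpcap rejects other widths
        raise ValueError("data size must be 1, 2, or 4")
    start = ETH_LEN + off
    return int.from_bytes(frame[start:start + n], "big")

def l4_field(frame, proto, off, n=1):
    """tcp[off:n] / icmp[off:n]: offsets count from the start of the transport
    header, which begins after the IPv4 header (IHL * 4 bytes). Returns None when
    the frame carries a different protocol, so the filter simply does not match."""
    if ip_field(frame, 9) != proto:
        return None
    ihl = (ip_field(frame, 0) & 0x0F) * 4
    return ip_field(frame, ihl + off, n)    # same bytes, just past the IP header

def evaluate(frame):
    """Keys are the slides' offset filters (with corrected syntax); values say whether
    each filter would accept this frame."""
    flags = l4_field(frame, PROTO_TCP, 13)  # byte 13 of the TCP header is the flags byte
    return {
        "tcp[0:2] == 51000": l4_field(frame, PROTO_TCP, 0, 2) == 51000,
        # parenthesise the & in Python: unlike the pcap grammar, == binds tighter than &
        "tcp[tcpflags] & tcp-syn == tcp-syn": flags is not None and (flags & TCP_SYN) == TCP_SYN,
        "icmp[0] == 8 or icmp[0] == 0": l4_field(frame, PROTO_ICMP, 0) in (ICMP_ECHO, ICMP_ECHOREPLY),
        "ip[2:2] > 0xff": ip_field(frame, 2, 2) > 0xFF,
        "len < 100": len(frame) < 100,
    }

# Constructed frames: a TCP SYN from port 51000 to 80, and a 300-byte ICMP echo request.
SYN_FRAME = build_frame(PROTO_TCP, struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0))
ECHO_FRAME = build_frame(PROTO_ICMP, struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 1, 1) + b"\x00" * 300)
```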

  20.
     • Capturing from the command line with Tshark
     • TShark accepts capture filters on the command line with the -f option, as shown in this example.

  21.
     • Capture Options dialog box: a bit easier to use than command prompt filters

  22.
     • For almost every item you see in the protocol tree in the middle pane of Wireshark's GUI, Wireshark has a field name that you can use in a display filter.

  23. Packets and Protocols Chapter 5

  24.
     • For example, to find .doc at the end of a string, use the $ anchor: \.doc$

  25.
     • Other byte-sequence search examples:
       • Source is a specific MAC address: eth.src == 00:09:f6:01:cc:b3
       • Source is a PC called picard: eth.src == picard
       • Frame contains the word POST: frame contains POST
       • Partial MAC address: frame contains 50:4f:53:54
       • HTTP GET frames: http contains GET
       • Searches by OID: frame contains 01:00:0c

  26.
     • Other packet info to filter on
       • Time: frame.time > "Jan 5, 2006 09:13:55"
       • Misc: http contains "HTTP/1.0"

  27.
     • IMPORTANT: syntax is important
     • http contains Keep-Alive: 300 and http contains "Keep-Alive: 300" will both appear to work, but they do not display the same info. Be sure to watch the counters at the bottom of the capture display.

  28.
     • You can share filters with other users: look for the "cfilters" and "dfilters" files

  29.
     • Multiple occurrences of fields
     • This can happen in tunneled or encapsulated packets, so be aware of where the data is located in each packet!

  30.
     • Generic versions of SRC and DST

  31.
     • Other uses for display filters: colorize your captures!
