Packets and Protocols
Chapter Five: Wireshark Filters

Packets and Protocols, Chapter 5
• Filters come in two flavors
  • Capture filters
    • Used to filter frames AS they are captured
    • Generally used when the amount of data that can be captured is extremely large (gigabit speed)
  • Display filters
    • Used to filter the display of the captured data
    • Generally used when troubleshooting a capture file
• Data can be filtered via command line captures (Tshark) or via the GUI (Wireshark).
• If you do not have a pretty good idea of the problem, use an open (unfiltered) capture and filter it afterwards
• Improper filters lead to lost data
• Capture filters (aka tcpdump filters) are not the same as display filters
• You can filter on:
  • Host names or addresses
  • Hardware addresses
  • Protocols
  • Ports
  • Packet size
• Filtering on host names or addresses
  • IPv4
    • host 192.168.1.1
  • IPv6
    • host 2::8100:2:30a:c392:fc5a
  • Names
    • host www.sc4.org
• You can further narrow your search by designating source or destination addresses
  • src host 192.168.1.1
  • dst host 192.168.255.255
• You can also use a shorthand notation to check host addresses without using host:
  • src 192.168.1.1
  • dst 192.168.255.255
• You can filter on an entire network as well
  • src net 192.168.100.0/24
• Filtering on hardware addresses
  • ether host ff:ff:ff:ff:ff:ff
  • ether src host 00:f9:06:aa:01:03
  • ether src 00:f9:06:aa:01:03
• Filtering on ports
  • port 80
  • tcp port 80
  • tcp port http
  • udp dst port 53
  • udp src port 53
• Logical operators
  • not is equivalent to !
  • and is equivalent to &&
  • or is equivalent to ||
  • Same symbols as the C/C++ operators
  • Wireshark is written in C
• Logical operators in action
  • not port 53
  • host www.sc4.edu and port telnet
  • port telnet or port ssh
  • host www.sc4.edu and ( port telnet or port ssh )
• NOTE: The logical operators "and" and "or" have the same precedence, which means they are evaluated left to right, in the order in which they appear in the capture filter.
• If parentheses are not used, the following capture filter will match Telnet packets to or from the host www.sc4.edu, or SSH packets to or from any IP address:
  • host www.sc4.edu and port telnet or port ssh
• Protocols supported by capture filters
• You can even limit the capture to individual bytes within a packet
• For example, to test the source port only, use the offset tcp[0:2] (the source port is the first two bytes of the TCP header; a byte range in a capture filter must be 1, 2, or 4 bytes long)
• Numeric operators add even more flexibility to your capture capabilities
• Example:
  • ICMP has several packet types
    • Echo request
    • Echo reply
    • Unreachable, etc.
  • How can you filter on the offset (location in the packet) of the type field to keep one packet type and drop the other?
• icmp[0] == 8 or icmp[0] == 0
• Or you can use ICMP type names rather than ICMP type numbers
  • icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply
• So you have choices; you can use either the names or the numbers of protocol types
• You can filter on packet size as well
  • len < 100
  • len > 1500
• Capture filter examples
  • All HTTP Packets: tcp port 80
  • Non-HTTP Packets: not tcp port 80, !tcp port 80, tcp port not 80, or tcp port !80
  • HTTP Browsing to www.wireshark.org: tcp port 80 and dst www.wireshark.org
  • HTTP Browsing to Hosts Other Than www.wireshark.org: tcp port 80 and not dst www.wireshark.org
  • IPX Packets: ipx
  • IPX Packets Destined for IPX Network 00:01:F0:EE: not possible, because you cannot retrieve bytes using the ipx keyword
  • TCP Packets: tcp or ip proto 6 (6 is the IP protocol number of TCP)
  • TCP SYN Packets: tcp[tcpflags] & tcp-syn == tcp-syn
  • IP Packets with Total Length > 255: ip[2:2] > 0xff
  • IP or IPX Packets: ip or ipx
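As an added example that is not part of the slides, the byte-offset capture filters from the ICMP slide and from the list above (icmp[0] == 8 or icmp[0] == 0, tcp[tcpflags] & tcp-syn == tcp-syn, ip[2:2] > 0xff, tcp[0:2]) rewritten as plain Python byte tests over constructed IPv4 packets, to show exactly which header bytes each offset refers to. The packet builders are assumed helpers written for this example, and the packets have no Ethernet header.

```python
import struct

# Constructed sample packets (not from the slides): bare IPv4 packets with no
# link-layer header, so ip[...] offsets count from byte 0 as in a capture filter.
def ipv4_header(proto, total_len, src="192.168.1.1", dst="192.168.1.2"):
    """Minimal 20-byte IPv4 header (IHL 5); checksum left at zero for this demo."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

def icmp_packet(icmp_type):
    """IPv4 (proto 1) + 8-byte ICMP header + 16 bytes of padding payload."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"x" * 16
    return ipv4_header(1, 20 + len(icmp)) + icmp

def tcp_packet(flags, sport=40000, dport=80, payload=b""):
    """IPv4 (proto 6) + 20-byte TCP header (data offset 5) + optional payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ipv4_header(6, 20 + len(tcp) + len(payload)) + tcp + payload

TCP_SYN = 0x02   # the value behind libpcap's tcp-syn name

def l4_offset(pkt):
    """Start of the transport header: IHL (low nibble of IP byte 0) times 4."""
    return (pkt[0] & 0x0F) * 4

def match_icmp_echo(pkt):
    """icmp[0] == 8 or icmp[0] == 0: the type is the first byte of the ICMP header."""
    return pkt[9] == 1 and pkt[l4_offset(pkt)] in (8, 0)

def match_tcp_syn(pkt):
    """tcp[tcpflags] & tcp-syn == tcp-syn: the flags live at byte 13 of the TCP header."""
    return pkt[9] == 6 and (pkt[l4_offset(pkt) + 13] & TCP_SYN) == TCP_SYN

def match_ip_len_gt_255(pkt):
    """ip[2:2] > 0xff: the two-byte Total Length field at IP offset 2."""
    return struct.unpack("!H", pkt[2:4])[0] > 0xFF

def tcp_src_port(pkt):
    """tcp[0:2]: the two-byte source port at the start of the TCP header."""
    off = l4_offset(pkt)
    return struct.unpack("!H", pkt[off:off + 2])[0]

if __name__ == "__main__":
    samples = [("echo request", icmp_packet(8)), ("unreachable", icmp_packet(3)),
               ("SYN", tcp_packet(TCP_SYN)), ("300-byte PSH/ACK", tcp_packet(0x18, payload=b"a" * 300))]
    for name, pkt in samples:
        print(f"{name:17s} icmp_echo={match_icmp_echo(pkt)} syn={match_tcp_syn(pkt)} "
              f"len>255={match_ip_len_gt_255(pkt)}")
```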
• Capturing from the command line with Tshark
• TShark accepts capture filters on the command line with the -f option, as shown in this example.
• Capture options dialogue box – a bit easier to use than command prompt filters
• For almost every item you see in the protocol tree in the middle pane of Wireshark's GUI, Wireshark has a field name that you can use in a display filter.
• For example, to find .doc at the end of a string, use the $ end-of-string anchor in the regular expression: \.doc$ (regular expressions are used with the matches operator)
• Other byte sequence search examples:
  • eth.src == 00:09:f6:01:cc:b3
    • Source is a specific MAC address
  • eth.src == picard
    • Source is a PC called picard
  • frame contains POST
    • Frame contains the word POST
  • frame contains 50:4f:53:54
    • Frame contains the byte sequence 50:4f:53:54 (the ASCII bytes of POST)
  • http contains GET
    • HTTP GET frames
  • frame contains 01:00:0c
    • Searches by OUI (the vendor prefix of a MAC address)
• Other packet info to filter on
  • Time
    • frame.time > "Jan 5, 2006 09:13:55"
  • Misc
    • http contains "HTTP/1.0"
• IMPORTANT: Syntax is important
  • http contains Keep-Alive: 300 and
  • http contains "Keep-Alive: 300"
  will both appear to work, but they do not display the same info. Be sure to watch the counters at the bottom of the capture display.
• You can share filters with other users: look for the "cfilters" and "dfilters" files
• Multiple occurrences of fields
• This can happen in tunneled or encapsulated packets, so be aware of where the data is located in each packet!
• Generic versions of SRC and DST
• Other uses for display filters: colorize your captures!