Network Analysis using Wireshark 5: display filters

Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com
Network analysis using Wireshark V2 yoram@ndi-com.comPage 1
Network analysis Using Wireshark
Lesson 5:
Display Filters

• By the end of this lesson, the participant will be able to:
▫ Understand basic display filters
▫ Perform basic packet filtering
Lesson Objectives

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Ways to configure display filters
Simple and structured filters
Focusing on protocol and text strings
Filter macros
Case studies
The dfilters file
Lesson Content
“Wine is constant proof that God loves
us and loves to see us happy.”
Benjamin Franklin

Configure Display Filters
To open display
filters menu click
here

Another way to Use Display Filters
4. Manage
saved filters
1. Add filter
expression
3. Select from
previously used
filters
2. Apply filter
string

Another way to Use Display Filters

• Apply a filter from the packet itself:
From the Packet Itself

Filter macros
Case studies
The dfilters file
Lesson Content
“Well done is better than well said”
Benjamin Franklin

• Display filters allow you to concentrate on the packets you
are interested in while hiding the currently uninteresting
ones. They allow you to select packets by:
▫ Protocol
▫ The presence of a field
▫ The values of fields
• When using a display filter, all packets remain in the capture
file. The display filter only changes the display of the capture
file but not its content!
Details

Filter Comparison Operators
Frame.len <= 0x20
Frame.len ge 0x100
Frame.len < 1518
Frame.len > 64
Ip.src != 10.1.1.5
Ip.src == 10.1.1.5
Example
Less then or equal to<=le
Greater then or equal to>=ge
Less Than<lt
Greater than>gt
Not equal!=ne
Equal==eq
DescriptionC-LikeShortcut

• There are several types of filter fields:
▫ Unsigned/asigned integer (8-bit, 16-bit, 24-bit, 32-bit)
▫ Boolean
▫ Ethernet address (6 bytes)
▫ IPv4 address
▫ IPv6 address
Display Filter Field Types

• You can express integers in decimal, octal, or hexadecimal. The
following display filters are equivalent:
▫ Decimal:
 ip.len le 1500
▫ Octal:
 ip.len le 02734
▫ Hexadecimal:
 ip.len le 0x5DC
Unsigned/Assigned integer

• A boolean field is present in the protocol decode only if its value is
true.
▫ For example, tcp.flags.syn is present, and thus true, only if the SYN flag is
present in a TCP segment header.
• Thus the filter expression tcp.flags.syn will select only those packets
for which this flag exists, that is, TCP segments where the segment
header contains the SYN flag.
Boolean

• Separators can be a colon (:), dot (.) or dash (-) and can have one
or two bytes between separators
• Examples:
▫ eth.dst == ff:ff:ff:ff:ff:ff
▫ eth.dst == ff-ff-ff-ff-ff-ff
▫ eth.dst == ffff.ffff.ffff
Ethernet address (6 bytes)
Byte

• The common filter will be:
▫ ip.addr == 192.168.0.1
• Classless InterDomain Routing (CIDR) notation can be used to
test if an IPv4 address is in a certain subnet.
• For example, this display filter will find all packets in the 129.111
Class-B network:
▫ ip.addr == 129.111.0.0/16
IPv4 address

• IPv6 filters examples:
▫ ipv6.addr == ::1
▫ ipv6.addr == 2041:0000:130F:0000:0000:09C0:876A:130B
▫ ipv6.addr == 2053:0:130f::9c2:876a:130b
▫ ipv6.addr == ::
IPv6 address
YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY
16bitY = 0 to F
• IPv6 address structure:

Combining Expressions
not arp and not dns
eth.dst[0:3] == 0.6.29 xor
eth.src[0:3] == 0.6.29
ip.src == 10.0.0.5 or ip.src ==
192.1.1.1
ip.src == 10.0.0.5 and tcp.flags.fin
Example
Logical NOT!not
Logical XOR^^xor
Logical OR||or
Logical AND&&and
DescriptionC-LikeShortcut
Syntax: Primitive and Primitive and not primitive

• Wireshark allows you to test a field for membership in a
set of values or fields.
• After the field name, use the in operator followed by the
set items surrounded by braces {}.
▫ tcp.port in {80 443 8080}
• This can be considered a shortcut operator, as the
previous expression could have been expressed as:
▫ tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
Membership Operators

Filter macros
Case studies
The dfilters file
Lesson Content
“By failing to prepare, you are preparing
to fail.”
Benjamin Franklin

• Wireshark allows you to select subsequences of a sequence in rather
elaborate ways.
• This is written by writing a parameter to check and then place a pair of
brackets [] containing a (:) or (-) separated list of range specifiers.
• [n:m] or [n-m]  ] will display the m bytes in offset n
Substring Operators
00 8300 00 D8BC
00 8300 00 D8BC
00 8300 00 D8BC
20 8320 00 D8BC
eth.src[0:3] == 00:00:83
eth.src[1:2] == 00:83
eth.src[0:4] == 00:00:83:00
eth.src[4:2] == BC:D8

Filter macros
Case studies
The dfilters file
Lesson Content
“It takes many good deeds to build a good
reputation, and only one bad one to lose it.”
Benjamin Franklin

• Display filters macros are used to create shortcuts for complex
display filters that you can configure once and use later.
Filter Macros

• In order to configure a macro, you give it a name, and you fill in
the text box with the filter string.
• In order to activate the macro, you simply write:
▫ $(macro_name:parameter1;paramater2;parameter3 …)
• Let’s configure a simple filter name test01 that takes the following
parameters as values:
▫ ip.addr == <value> and
▫ tcp.port == <value>
Filter Macros

• This will be a filter that looks for packets from specific network that
goes to http port.
• A macro that takes these two parameters would be:
▫ ip.addr==$1 && tcp. port==$2
• Now, in order to get the filter results for parameters
▫ ip.addr == 10.0.0.4 and
▫ tcp.port == 80
• We should write in the display window bar the string:
▫ ${test01:10.0.0.4;80}
Filter Macros

Filter macros
Case studies
The dfilters file
Lesson Content
“Anyone who doesn't believe in miracles is
not a realist.”
David Ben-Gurion

• Port mirror to be configured from
the laptop, to
▫ The Server port or
▫ The PC port
Example #1:
Filter Traffic Between Hosts
SDSDSD
172.16.100.111
172.16.100.12
ip.addr==172.16.100.111 and ip.addr==172.16.100.12

• Port mirror to be configured from the laptop, to
the router port
Example #2:
Filter Traffic from Specific Network
To ISP
192.168.1.0/24
192.168.1..0/24

Example #3:
Filtering ICMP
icmp

Example #4 – Filtering Mail Traffic
tcp.port == 110

Example #5 - DCERPC
DCERPC

Example #6 - Retransmissions
tcp.analysis.retransmission
1
2
3
4
3

Example #7 – Zero Window
tcp.analysis.zero_window

Filter macros
Case studies
The dfilters file
Lesson Content
Education is what remains after one has
forgotten what one has learned in school.
Albert Einstein

The dfilters File

Summary
• In this lesson we talked about:
▫ Basic display filters configuration
▫ Complex display filters and display filters macro’s
Thanks for your time
Yoram Orzach
yoram@ndi-com.com

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Network Analysis using Wireshark 5: display filters

More Related Content

What's hot (20)

Similar to Network Analysis using Wireshark 5: display filters (20)

More from Yoram Orzach (11)

Recently uploaded (20)

Network Analysis using Wireshark 5: display filters