Post on 08-Jan-2016
Packets and Protocols
Chapter Five
Wireshark Filters
Packets and Protocols, Chapter 5
Filters come in two flavors
– Capture filters
  Used to filter frames AS they are captured
  Generally used when the amount of data that can be captured is extremely large (gigabit speed)
– Display filters
  Used to filter the display of the captured data
  Generally used when troubleshooting a capture file
Data can be filtered via command line captures (Tshark) or via GUI (Wireshark).
If you do not have a pretty good idea of the problem, use an open (unfiltered) capture and sort it afterwards
– Improper filters lead to lost data
Capture filters (aka tcpdump filters) are not the same as display filters
– You can sort on host names or addresses
– Hardware addresses
– Protocols
– Ports
– Packet size
Filtering on host names or addresses
– IPv4: host 192.168.1.1
– IPv6: host 2::8100:2:30a:c392:fc5a
– Names: host www.sc4.org
You can further narrow your search by designating source or destination addresses
– src host 192.168.1.1
– dst host 192.168.255.255
You can also use a shorthand notation to check host addresses without using host:
– src 192.168.1.1
– dst 192.168.255.255
You can filter on an entire network as well
– src net 192.168.100.0/24
Filtering on hardware addresses
– ether host ff:ff:ff:ff:ff:ff
– ether src host 00:f9:06:aa:01:03
– ether src 00:f9:06:aa:01:03
Filtering on ports
– port 80
– tcp port 80
– tcp port http
– udp dst port 53
– udp src port 53
Logical operators
– not is equivalent to !
– and is equivalent to &&
– or is equivalent to ||
Similar to C++ operators
– Wireshark is written in C
Logical operators in action
– not port 53
– host www.sc4.edu and port telnet
– port telnet or port ssh
– host www.sc4.edu and ( port telnet or port ssh )
NOTE: The logical operators and and or have the same precedence, which means that they are evaluated left to right, in the order in which they are listed in the capture filter.
– If parentheses are not used, the capture filter below will test for Telnet packets to or from the host www.sc4.edu, or SSH packets to or from any IP address:
host www.sc4.edu and port telnet or port ssh
Protocols supported by capture filters
– aarp: AppleTalk Address Resolution Protocol
– ah: Authentication Header
– arp: Address Resolution Protocol
– atalk: AppleTalk
– clnp: Connectionless Network Protocol
– decnet: Digital Equipment Corporation Network protocol suite
– esis (or es-is): End System-to-Intermediate System
– esp: Encapsulating Security Payload
– icmp: Internet Control Message Protocol
– icmp6: Internet Control Message Protocol, for IPv6
– igmp: Internet Group Management Protocol
– igrp: Interior Gateway Routing Protocol
– ip: Internet Protocol
– ip6: Internet Protocol version 6
– ipx: Internetwork Packet Exchange
– isis (or is-is): Intermediate System-to-Intermediate System
– iso: International Organization for Standardization
– lat: Local Area Transport
– mopdl: Maintenance Operation Protocol
– moprc: Maintenance Operation Protocol
– netbeui: NetBIOS Extended User Interface
– pim: Protocol Independent Multicast
– rarp: Reverse Address Resolution Protocol
– sca: Systems Communication Architecture
– sctp: Stream Control Transmission Protocol
– stp: Spanning Tree Protocol
– tcp: Transmission Control Protocol
– udp: User Datagram Protocol
– vrrp: Virtual Router Redundancy Protocol
You can even limit the capture to individual bytes within a packet
For example, to capture source port info only, use the offset tcp[0:15]
Numeric operators add even more flexibility to your capture capabilities
Example:
– ICMP has several packet types
  Echo request
  Echo reply
  Unreachable, etc.
– How can you sort based on the offset (location in the packet) to filter out one or the other packet type?
icmp[0] == 8
or
icmp[0] == 0
Or you can use ICMP type names rather than ICMP type numbers:
icmp[icmptype] == icmp-echo
or
icmp[icmptype] == icmp-echoreply
So you have choices; you can use either the names or numbers of protocol types
You can filter on packet size as well
– len < 100
– len > 1500
Capture filter examples
• All HTTP Packets - tcp port 80
• Non-HTTP Packets - not tcp port 80, !tcp port 80, tcp port not 80, or tcp port !80
• HTTP Browsing to www.wireshark.org - tcp port 80 and dst www.wireshark.org
• HTTP Browsing to Hosts Other Than www.wireshark.org - tcp port 80 and not dst www.wireshark.org
• IPX Packets - ipx
• IPX Packets Destined for IPX Network 00:01:F0:EE - Not possible, because you cannot retrieve bytes using the ipx keyword
• TCP Packets - tcp or ip proto 5
• TCP SYN Packets - tcp[tcpflags] & tcp-syn == tcp-syn
• IP Packets with Total Length > 255 - ip[2:2] > 0xff
• IP or IPX Packets - ip or ipx
Capturing from the command line with Tshark
– TShark accepts capture filters on the command line with the -f option, as shown in this example.
Capture options dialogue box – a bit easier to use than command prompt filters
For almost every item you see in the protocol tree in the middle pane of Wireshark's GUI, Wireshark has a field name that you can use in a display filter.
For example, to find .doc at the end of a string, use $: \.doc$
Other byte sequence search examples:
– eth.src == 00:09:f6:01:cc:b3
  Source of a specific MAC address
– eth.src == picard
  Source is a PC called picard
– frame contains POST
  Frame contains the word POST
– frame contains 50:4f:53:54
  Partial MAC address
– http contains GET
  HTTP GET frames
– frame contains 01:00:0c
  Searches by OID
Other packet info to filter on
– Time
  frame.time > "Jan 5, 2006 09:13:55"
– Misc
  http contains "HTTP/1.0"
IMPORTANT
– Syntax is important
http contains Keep-Alive: 300
and
http contains "Keep-Alive: 300"
will both appear to work but they do not display the same info. Be sure to watch your counters at the bottom of the capture display.
You can share filters with other users
– Look for the "cfilters" and "dfilters" files
Multiple occurrences of fields
– This can happen in tunneled or encapsulated packets, so be aware of where the data is located in each packet!
Generic versions of SRC and DST
Other uses for display filters
Colorize your captures!