Packets and Protocols


Transcript of Packets and Protocols

Page 1: Packets and Protocols

Packets and Protocols

Chapter Five

Wireshark Filters

Page 2: Packets and Protocols

Packets and Protocols, Chapter 5

Filters come in two flavors
– Capture filters: used to filter frames AS they are captured. Generally used when the amount of data that can be captured is extremely large (gigabit speed).
– Display filters: used to filter the display of the captured data. Generally used when troubleshooting a capture file.

Page 3: Packets and Protocols

Data can be filtered via command-line captures (TShark) or via the GUI (Wireshark).

If you do not have a pretty good idea of the problem, use an open (unfiltered) capture and sort it afterwards.
– Improper filters lead to lost data: a frame that a capture filter discards is never written to the file, whereas a display filter can be changed or cleared at any time without losing anything.

Page 4: Packets and Protocols

Capture filters (aka tcpdump filters) are not the same as display filters. You can filter on:
– Host names or addresses
– Hardware addresses
– Protocols
– Ports
– Packet size

Page 5: Packets and Protocols

Filtering on host names or addresses
– IPv4: host 192.168.1.1
– IPv6: host 2::8100:2:30a:c392:fc5a
– Names: host www.sc4.org

A name is resolved to its address(es) once, when the capture filter is compiled, so a host whose address changes during the capture is not followed.

Page 6: Packets and Protocols

You can further narrow your search by designating source or destination addresses
– src host 192.168.1.1
– dst host 192.168.255.255

You can also use a shorthand notation to check host addresses without using host:
– src 192.168.1.1
– dst 192.168.255.255

You can filter on an entire network as well
– src net 192.168.100.0/24

Page 7: Packets and Protocols

Filtering on hardware addresses
– ether host ff:ff:ff:ff:ff:ff
– ether src host 00:f9:06:aa:01:03
– ether src 00:f9:06:aa:01:03

Page 8: Packets and Protocols

Filtering on ports
– port 80
– tcp port 80
– tcp port http
– udp dst port 53
– udp src port 53

A bare port 80 matches TCP, UDP or SCTP port 80; prefix it with tcp or udp to narrow it. A service name such as http is looked up in the services file when the filter is compiled.

Page 9: Packets and Protocols

Logical operators
– not is equivalent to !
– and is equivalent to &&
– or is equivalent to ||

These are the same operators as in C and C++ (Wireshark itself is written in C).

Page 10: Packets and Protocols

Logical operators in action
– not port 53
– host www.sc4.edu and port telnet
– port telnet or port ssh
– host www.sc4.edu and ( port telnet or port ssh )

Page 11: Packets and Protocols

NOTE: The logical operators and and or have the same precedence, which means that they are evaluated left to right in the order in which they are listed in the capture filter (not binds tightest, and parentheses override the order).
– If parentheses are not used, the capture filter below tests for Telnet packets to or from the host www.sc4.edu, or SSH packets to and from any IP address:

host www.sc4.edu and port telnet or port ssh

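As an added example (not part of the slides), the following Python snippet applies that left-to-right, equal-precedence rule to a handful of constructed packet summaries so that the two forms of the filter can be compared side by side. The host names, the packets and the small evaluator are assumptions made for illustration; real libpcap resolves host names to addresses when the filter is compiled and matches on those.

```python
import re

# Constructed packet summaries (src, dst, sport, dport); purely illustrative.
PACKETS = [
    ("client", "www.sc4.edu", 40001, 23),    # 0: telnet to www.sc4.edu
    ("www.sc4.edu", "client", 23, 40001),    # 1: telnet from www.sc4.edu
    ("client", "www.sc4.edu", 40002, 22),    # 2: ssh to www.sc4.edu
    ("client", "other.example", 40003, 22),  # 3: ssh to some other host
    ("client", "other.example", 40004, 80),  # 4: http to some other host
    ("client", "resolver", 40005, 53),       # 5: dns
]
SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "domain": 53}


def primitive(kind, arg, pkt):
    """Evaluate one pcap-style primitive ('host X' or 'port N') against pkt."""
    src, dst, sport, dport = pkt
    if kind == "host":
        return arg in (src, dst)
    if kind == "port":
        number = SERVICES[arg] if arg in SERVICES else int(arg)
        return number in (sport, dport)
    raise ValueError(f"unsupported primitive {kind!r}")


def capture_filter_matches(filt, pkt):
    """True if pkt satisfies filt, using pcap-filter precedence:
    'not' binds tightest, 'and' and 'or' are equal and associate left to
    right, parentheses override."""
    tokens = re.findall(r"\(|\)|[^\s()]+", filt)
    pos = 0

    def operand():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not operand()
        if tok == "(":
            value = expression()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        arg = tokens[pos]
        pos += 1
        return primitive(tok, arg, pkt)

    def expression():
        nonlocal pos
        acc = operand()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op = tokens[pos]
            pos += 1
            rhs = operand()          # no look-ahead: strictly left to right
            acc = (acc and rhs) if op == "and" else (acc or rhs)
        return acc

    result = expression()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result


def select(filt):
    """Indexes of the constructed packets that the filter would capture."""
    return [i for i, pkt in enumerate(PACKETS) if capture_filter_matches(filt, pkt)]


if __name__ == "__main__":
    for f in ("host www.sc4.edu and port telnet or port ssh",
              "host www.sc4.edu and ( port telnet or port ssh )",
              "port ssh or host www.sc4.edu and port telnet",
              "not port 53"):
        print(f"{f:55} -> {select(f)}")
```

The third filter is the same three primitives in a different order; because there is no precedence between and and or, it captures a different set of packets (only the Telnet ones) than the first.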

Page 12: Packets and Protocols

Protocols supported by capture filters

Keyword            Protocol
aarp               AppleTalk Address Resolution Protocol
ah                 Authentication Header
arp                Address Resolution Protocol
atalk              AppleTalk
clnp               Connectionless Network Protocol
decnet             Digital Equipment Corporation Network protocol suite
esis (or es-is)    End System-to-Intermediate System
esp                Encapsulating Security Payload
icmp               Internet Control Message Protocol
icmp6              Internet Control Message Protocol, for IPv6
igmp               Internet Group Management Protocol
igrp               Interior Gateway Routing Protocol
ip                 Internet Protocol
ip6                Internet Protocol version 6
ipx                Internetwork Packet Exchange
isis (or is-is)    Intermediate System-to-Intermediate System
iso                International Organization for Standardization
lat                Local Area Transport
mopdl              Maintenance Operation Protocol (dump/load)
moprc              Maintenance Operation Protocol (remote console)
netbeui            NetBIOS Extended User Interface
pim                Protocol Independent Multicast
rarp               Reverse Address Resolution Protocol
sca                Systems Communication Architecture
sctp               Stream Control Transmission Protocol
stp                Spanning Tree Protocol
tcp                Transmission Control Protocol
udp                User Datagram Protocol
vrrp               Virtual Router Redundancy Protocol

Page 13: Packets and Protocols

You can even limit the capture to individual bytes within a packet.

For example, the TCP source port occupies the first two bytes of the TCP header, so the offset expression tcp[0:2] selects it (and tcp[2:2] selects the destination port). The general form is proto[offset:size], where the offset counts from the start of that protocol's header and size may be 1, 2 or 4 bytes (it defaults to 1).

Page 14: Packets and Protocols

Numeric operators add even more flexibility to your capture capabilities: the relational operators =, !=, <, >, <= and >= compare a byte selection with a number, and the arithmetic and bitwise operators (+, -, *, /, &, |) combine them.

Page 15: Packets and Protocols

Example:
– ICMP has several packet types: Echo request, Echo reply, Unreachable, etc.
– How can you sort based on the offset (location in the packet) to filter out one or the other packet type?

Page 16: Packets and Protocols

icmp[0] == 8
or
icmp[0] == 0

Or you can use ICMP type names rather than ICMP type numbers:

icmp[icmptype] == icmp-echo
or
icmp[icmptype] == icmp-echoreply

Page 17: Packets and Protocols

So you have choices; you can use either the names or the numbers of protocol types.

Page 18: Packets and Protocols

You can filter on packet size as well
– len < 100
– len > 1500

len is the length of the whole frame, link-layer header included.

Page 19: Packets and Protocols

Capture filter examples
• All HTTP packets: tcp port 80
• Non-HTTP packets: not tcp port 80, !tcp port 80, tcp port not 80, or tcp port !80
• HTTP browsing to www.wireshark.org: tcp port 80 and dst www.wireshark.org
• HTTP browsing to hosts other than www.wireshark.org: tcp port 80 and not dst www.wireshark.org
• IPX packets: ipx
• IPX packets destined for IPX network 00:01:F0:EE: not possible, because you cannot retrieve bytes using the ipx keyword
• TCP packets: tcp or ip proto 6 (TCP is IP protocol number 6)
• TCP SYN packets: tcp[tcpflags] & tcp-syn == tcp-syn (this tests only the SYN bit, so it also matches SYN/ACK replies; use tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn for the initial SYN alone)
• IP packets with total length > 255: ip[2:2] > 0xff
• IP or IPX packets: ip or ipx
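To make the byte-offset filters on pages 13, 16 and 19 concrete, here is an added Python example (it is not from the slides, nor Wireshark's or libpcap's code) that builds a few frames by hand and evaluates proto[offset:size] the way BPF does: ip[...] counts from the start of the IPv4 header, tcp[...] and icmp[...] count from the start of the transport header found via the IHL field, and a transport selector only matches when the IP protocol number agrees. The frames, addresses and helper names are constructed for illustration.

```python
import struct

ETH_LEN = 14
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
# Names that pcap-filter accepts in place of numbers in offset expressions
TCPFLAGS = 13                   # tcp[tcpflags]
TCP_SYN, TCP_ACK = 0x02, 0x10   # tcp-syn, tcp-ack
ICMPTYPE = 0                    # icmp[icmptype]
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8


def ethernet(payload, ethertype=0x0800):
    """Constructed Ethernet II frame with made-up MAC addresses."""
    dst = bytes.fromhex("00f906aa0103")
    src = bytes.fromhex("000c29aabbcc")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload, src="192.168.1.10", dst="192.168.1.1"):
    """Minimal 20-byte IPv4 header; checksum left at 0 (offsets do not need it)."""
    total_length = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0x1234, 0x4000, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def tcp(sport, dport, flags, payload=b""):
    """20-byte TCP header (data offset 5); the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload


def icmp(type_, code=0, payload=b""):
    """8-byte ICMP echo header; the type byte is icmp[0]."""
    return struct.pack("!BBHHH", type_, code, 0, 1, 1) + payload


def field(frame, proto, offset, size=1):
    """proto[offset:size] with BPF semantics, or None when the frame is not
    of that protocol. size must be 1, 2 or 4; values are big-endian."""
    if size not in (1, 2, 4):
        raise ValueError("BPF byte selectors are 1, 2 or 4 bytes wide")
    if int.from_bytes(frame[12:14], "big") != 0x0800:   # not IPv4
        return None
    base = ETH_LEN                                       # ip[...] starts here
    if proto != "ip":
        if frame[ETH_LEN + 9] != IP_PROTO[proto]:        # wrong IP protocol
            return None
        base += (frame[ETH_LEN] & 0x0F) * 4              # skip IHL*4 bytes
    chunk = frame[base + offset: base + offset + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None


# The slide's filters, expressed over the helper above
def tcp_syn(frame):            # tcp[tcpflags] & tcp-syn == tcp-syn
    flags = field(frame, "tcp", TCPFLAGS)
    return flags is not None and (flags & TCP_SYN) == TCP_SYN

def tcp_syn_only(frame):       # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    flags = field(frame, "tcp", TCPFLAGS)
    return flags is not None and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN

def icmp_echo(frame):          # icmp[icmptype] == icmp-echo  (icmp[0] == 8)
    return field(frame, "icmp", ICMPTYPE) == ICMP_ECHO

def ip_total_length_over(frame, limit):   # ip[2:2] > limit
    length = field(frame, "ip", 2, 2)
    return length is not None and length > limit

def tcp_source_port(frame):    # tcp[0:2]
    return field(frame, "tcp", 0, 2)


# Constructed frames
SYN     = ethernet(ipv4(6, tcp(40001, 80, TCP_SYN)))
SYN_ACK = ethernet(ipv4(6, tcp(80, 40001, TCP_SYN | TCP_ACK)))
PING    = ethernet(ipv4(1, icmp(ICMP_ECHO, payload=b"A" * 56)))
BIG_UDP = ethernet(ipv4(17, bytes(300)))   # 320-byte IP total length

if __name__ == "__main__":
    for name, frame in (("SYN", SYN), ("SYN_ACK", SYN_ACK),
                        ("PING", PING), ("BIG_UDP", BIG_UDP)):
        print(name, tcp_syn(frame), tcp_syn_only(frame), icmp_echo(frame),
              ip_total_length_over(frame, 0xff), tcp_source_port(frame))
```

Two details worth noticing: the slide's SYN filter is true for the SYN/ACK frame as well, which is why the masked form is the one to use when you want connection attempts only; and asking for tcp[13] on the ICMP frame yields no match rather than a byte from the wrong header, because the protocol check happens before the offset is read.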

Page 20: Packets and Protocols

Capturing from the command line with TShark
– TShark accepts capture filters on the command line with the -f option (display filters use the -Y option).

Page 21: Packets and Protocols

Capture options dialogue box: a bit easier to use than command-prompt filters.

Page 22: Packets and Protocols

For almost every item you see in the protocol tree in the middle pane of Wireshark's GUI, Wireshark has a field name that you can use in a display filter. Select the item and its field name appears in the status bar; right-click it and choose Apply as Filter to have the expression built for you.

Page 23: Packets and Protocols


Page 24: Packets and Protocols

Display filters also have a matches operator that takes a regular expression. For example, to find .doc at the end of a string, anchor the pattern with $: \.doc$ (inside the double-quoted filter string the backslash is doubled, as in http.request.uri matches "\\.doc$").

Page 25: Packets and Protocols

Other byte-sequence search examples:
– eth.src == 00:09:f6:01:cc:b3
  Source is a specific MAC address
– eth.src == picard
  Source is a PC called picard (relies on name resolution for hardware addresses)
– frame contains "POST"
  Frame contains the word POST
– frame contains 50:4f:53:54
  The same search written as a byte string: 50 4f 53 54 are the ASCII codes of P, O, S, T (it is not a partial MAC address)
– http contains "GET"
  HTTP GET frames
– frame contains 01:00:0c
  Frames carrying the byte sequence 01:00:0c anywhere, e.g. the Cisco OUI that begins the 01:00:0c:cc:cc:cc multicast address

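The following added Python example (my own, not the slides' or Wireshark's code) spells out what the two forms of contains above have in common and what the matches operator on page 24 does: a constructed HTTP request is searched for a needle given either as a quoted string or as a colon-separated byte string, and its request URI is tested against the \.doc$ pattern. Wireshark's filter engine is not involved; the request and the helper names are assumptions for illustration.

```python
import re

# Constructed HTTP request, standing in for the payload of a captured frame.
REQUEST = (b"POST /upload/report.doc HTTP/1.0\r\n"
           b"Host: www.sc4.edu\r\n"
           b"Connection: Keep-Alive\r\n"
           b"Keep-Alive: 300\r\n"
           b"\r\n")

BYTE_STRING = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*")


def parse_needle(text):
    """Turn the right-hand side of a 'contains' into bytes.
    Accepts a double-quoted string ("POST") or a byte string (50:4f:53:54).
    Anything else, e.g. the unquoted Keep-Alive: 300 from page 27, is
    rejected rather than silently searched for something other than what
    the author meant."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1].encode()
    if BYTE_STRING.fullmatch(text):
        return bytes.fromhex(text.replace(":", ""))
    raise ValueError(f"needle must be quoted or in aa:bb:cc form: {text!r}")


def is_valid_needle(text):
    """True if parse_needle accepts text."""
    try:
        parse_needle(text)
        return True
    except ValueError:
        return False


def contains(data, needle):
    """field contains <needle>: a byte-wise substring search."""
    return parse_needle(needle) in data


def display_matches(text, pattern):
    """field matches <regex>: a regular-expression search over the field."""
    return re.search(pattern, text) is not None


def request_uri(data):
    """Request-target of a constructed request line (like http.request.uri)."""
    return data.split(b" ", 2)[1].decode()


if __name__ == "__main__":
    print(contains(REQUEST, '"POST"'), contains(REQUEST, "50:4f:53:54"))
    print(display_matches(request_uri(REQUEST), r"\.doc$"))
```

Because contains compares bytes, the quoted and the hexadecimal spellings of POST are interchangeable; the byte form is what you reach for when the pattern is not printable, such as the 01:00:0c prefix above.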

Page 26: Packets and Protocols

Other packet info to filter on
– Time: frame.time > "Jan 5, 2006 09:13:55"
– Misc: http contains "HTTP/1.0"

Page 27: Packets and Protocols

IMPORTANT
– Syntax is important

http contains Keep-Alive: 300
and
http contains "Keep-Alive: 300"

will both appear to work, but they do not display the same info: only the quoted form searches for the whole string, space included. Be sure to watch your counters at the bottom of the capture display. Newer Wireshark versions report the unquoted form as a syntax error, so always quote strings that contain spaces or punctuation.

Page 28: Packets and Protocols

You can share filters with other users

Look for the "cfilters" and "dfilters" files (saved capture filters and saved display filters, respectively) in the Wireshark configuration folder.

Page 29: Packets and Protocols

Multiple occurrences of fields
– This can happen in tunneled or encapsulated packets, so be aware of where the data is located in each packet! A comparison such as ip.src == 192.168.1.1 is true if any of the IP headers in the frame carries that source.

Page 30: Packets and Protocols

Generic versions of SRC and DST
– Fields such as ip.addr, eth.addr and tcp.port match the value in either direction: ip.addr == 192.168.1.1 is equivalent to ip.src == 192.168.1.1 or ip.dst == 192.168.1.1.
– To exclude a host, write not ip.addr == 192.168.1.1 rather than ip.addr != 192.168.1.1: the latter has traditionally been true whenever either address differs, i.e. for nearly every packet.

Page 31: Packets and Protocols

Other uses for display filters
– Colorize your captures!