As you saw in the first Wireshark tutorials, it is extremely easy to and to analyze the network.
A very common problem when you launch Wireshark with the default settings is that you get far too much information on the screen and cannot find the information you are looking for.
Too much information kills the information.
That is why filters are so important: they help you target, in the verbose logs, the data you are looking for.
- Capture filters: used to select the data to record in the logs. They are defined before starting the capture.
- Display filters: used to search inside the captured logs. They can be modified while data is being captured.
So should I use the capture or the display filter?
The goals of the two filters are different.
The capture filter is used as a first, coarse filter to limit the size of the captured data and avoid generating a log that is too big.
The display filter is much more powerful (and complex); it lets you search for exactly the data you want.
The syntaxes of the two types of filters are completely different. We will present them in the following pages:
1. Capture filters
2. Display filters
1. CAPTURE FILTERS
The capture filter syntax is the same as the one used by programs built on the libpcap (Linux) or WinPcap (Windows) library, like the famous . The capture filter must be set before launching the Wireshark capture, which is not the case for display filters, which can be modified at any time during the capture.
The steps to configure a capture filter are the following:
- Select Capture -> Options.
- Fill in the "Capture filter" field, or click on the "Capture filter" button to give your filter a name so that you can reuse it in subsequent captures.
- Click on Start to capture data.
Syntax:  | Protocol | Direction | Host(s)  | Value | Logical Operations | Other expression      |
Example: | tcp      | dst       | 10.1.1.1 | 80    | and                | tcp dst 10.2.2.2 3128 |
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no host type is specified, the "host" keyword is assumed.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
Examples:
Displays packets with destination TCP port 3128.
Displays packets with source IP address equal to 10.1.1.1.
Displays packets with source or destination IP address equal to 10.1.1.1.
Displays packets with source UDP or TCP ports in the 2000-2500 range.
Displays everything except ICMP packets (ICMP is typically used by the ping tool).
src host 10.7.2.12 and not dst net 10.200.0.0/16
Displays packets with source IP address equal to 10.7.2.12 and, at the same time, a destination address outside the network 10.200.0.0/16.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Displays packets with source IP address 10.4.1.12 or source network 10.6.0.0/16, further restricted ("and") to packets with a destination TCP port in the range 200 to 10000 and a destination address in the network 10.0.0.0/8.
Notes:
The backslash "\" is used when a keyword is used as a value.
"ether proto \ip" (equivalent to "ip")
This targets IP packets.
"ip proto \icmp" (equivalent to "icmp")
This targets ICMP packets, typically used by the ping utility.
The "multicast" and "broadcast" keywords can also be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast requests.
Check the for information about the capture filters syntax.
Other capture filters examples can be found in the .
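The following is an added example, not part of this tutorial and not code from Wireshark or libpcap: a small Python evaluator for the subset of the capture filter grammar described above (protocol, direction and host qualifiers with their defaults, "not"/"and"/"or" with the precedence rule, and parentheses), run against a handful of constructed packet records. It lets you check what a given filter would keep before you start a capture. Everything in it is an assumption of the example: the packet records and addresses are made up, a dict stands in for the raw bytes a real libpcap filter inspects, and only the ip/tcp/udp/icmp qualifiers are modelled.

```python
import ipaddress
import re

# Constructed sample packets (not real captures); the keys are what a capture filter primitive can test.
PACKETS = [
    {"id": "A", "proto": "tcp", "src": "10.7.2.12", "srcport": 51000, "dst": "10.200.1.5", "dstport": 3128},
    {"id": "B", "proto": "tcp", "src": "10.7.2.12", "srcport": 51001, "dst": "10.1.1.1", "dstport": 23},
    {"id": "C", "proto": "tcp", "src": "10.6.4.4", "srcport": 2100, "dst": "10.0.0.53", "dstport": 443},
    {"id": "D", "proto": "icmp", "src": "10.4.1.12", "dst": "10.0.0.1"},
]
PROTOS = {"ip", "tcp", "udp", "icmp"}        # subset of the protocol qualifiers listed above
DIRS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
STOP = {None, "and", "or", "not", "(", ")"}  # tokens that can never be a primitive's value

def make_primitive(proto, dirs, kind, value):
    # Matcher for one primitive such as 'tcp dst port 3128' or 'src net 10.6.0.0/16'
    def side_ok(pkt, side):
        if kind == "host":
            return ipaddress.ip_address(pkt[side]) == ipaddress.ip_address(value)
        if kind == "net":
            return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False)
        port = pkt.get(side + "port")        # ICMP packets carry no ports and never match
        if kind == "port":
            return port == int(value)
        lo, hi = (int(x) for x in value.split("-"))
        return port is not None and lo <= port <= hi

    def matcher(pkt):
        if proto not in (None, "ip") and pkt["proto"] != proto:
            return False
        if value is None:                    # bare protocol qualifier such as 'icmp'
            return True
        if len(dirs) == 1:
            return side_ok(pkt, dirs[0])
        a, op, b = dirs                      # 'src or dst' / 'src and dst'
        return (side_ok(pkt, a) or side_ok(pkt, b)) if op == "or" else (side_ok(pkt, a) and side_ok(pkt, b))
    return matcher

def combine(left, op, right):
    return (lambda p: left(p) or right(p)) if op == "or" else (lambda p: left(p) and right(p))

def parse(text):
    tokens = re.findall(r"\(|\)|[^\s()]+", text) + [None]   # None marks the end of input
    pos = 0

    def expr():
        # 'and' and 'or' share one precedence level and associate left to right
        nonlocal pos
        left = unary()
        while tokens[pos] in ("and", "or"):
            op, pos = tokens[pos], pos + 1
            left = combine(left, op, unary())
        return left

    def unary():
        # 'not' binds tighter than 'and'/'or'; parentheses override everything
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            inner = unary()
            return lambda p: not inner(p)
        if tokens[pos] == "(":
            pos += 1
            inner = expr()
            if tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return inner
        return primitive()

    def primitive():
        nonlocal pos
        proto, dirs, kind = None, ("src", "or", "dst"), "host"   # the defaults described above
        while tokens[pos] in PROTOS | DIRS | TYPES:
            tok, pos = tokens[pos], pos + 1
            if tok in PROTOS:
                proto = tok
            elif tok in TYPES:
                kind = tok
            elif tokens[pos] in ("or", "and") and tokens[pos + 1] in DIRS:
                dirs, pos = (tok, tokens[pos], tokens[pos + 1]), pos + 2
            else:
                dirs = (tok,)
        value = None
        if tokens[pos] not in STOP:
            value, pos = tokens[pos], pos + 1
        if proto is None and value is None:
            raise ValueError("expected a primitive at token %d" % pos)
        return make_primitive(proto, dirs, kind, value)

    result = expr()
    if tokens[pos] is not None:
        raise ValueError("unexpected token %r" % tokens[pos])
    return result

def select(filter_text, packets=PACKETS):
    # Ids of the packets the capture filter would record
    keep = parse(filter_text)
    return [p["id"] for p in packets if keep(p)]
```

Calling `select("not tcp port 3128 and tcp port 23")` keeps only packet B, while `select("not (tcp port 3128 and tcp port 23)")` keeps all four, which is the precedence difference the text warns about: without parentheses, "not" applies to the first primitive only.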
2. DISPLAY FILTERS
The display filter is used to search inside the captured data obtained with a capture filter.
Its search capabilities are more extensive than those of the capture filter, and it is not necessary to restart the capture when you need to change your filter.
Syntax:  | Protocol | . | String 1 | . | String 2 | Comparison operator | Value    | Logical Operations | Other expression |
Example: | ftp      | . | passive  | . | ip       | ==                  | 10.2.3.4 | xor                | icmp.type        |
Protocol:
A large number of protocols, located between layers two and seven of the OSI model, are available. They can be seen by clicking on the "Expression..." button in the main screen.
Some examples are: IP, TCP, DNS, SSH.
The supported protocols, each with a short description, can also be consulted as indicated below:
The Wireshark website provides explanations about .
String1, String2 (optional settings):
Sub-protocol categories (fields) inside the protocol.
To find them, look for a protocol and then click on the "+" character.
Comparison operators:
Six comparison operators are available:
English format: | C-like format: | Meaning:
eq              | ==             | Equal
ne              | !=             | Not equal
gt              | >              | Greater than
lt              | <              | Less than
ge              | >=             | Greater or equal
le              | <=             | Less or equal
Logical expressions:
English format: | C-like format: | Meaning:
and             | &&             | Logical AND
or              | ||             | Logical OR
xor             | ^^             | Logical XOR
not             | !              | Logical NOT
The logical "XOR" expression, well known to programmers, is an exclusive alternation. When used between two conditions in a filter, a packet is displayed only if exactly one of the two conditions is fulfilled, not both, unlike the "OR" expression.
Let's take an example with the following display filter:
"tcp.dstport == 80 xor tcp.dstport == 1025"
Only packets with TCP destination port 80 or TCP destination port 1025 (but not both!) will be displayed on the screen.
Examples:
snmp || dns || icmp | Displays the SNMP, DNS or ICMP traffic.
Displays the packets with source or destination IP address equal to 10.1.1.1.
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6 | Displays the packets with a source IP address different from 10.1.2.3 or with a destination IP address different from 10.4.5.6.
In other words, the displayed packets are those with:
source IP address: anything but 10.1.2.3, destination IP address: anything
as well as those with:
source IP address: anything, destination IP address: anything but 10.4.5.6
ip.src != 10.1.2.3 and ip.dst != 10.4.5.6 | Displays the packets with a source IP address different from 10.1.2.3 and, at the same time, a destination IP address different from 10.4.5.6.
In other words, the displayed packets will have:
source IP address: anything but 10.1.2.3 and destination IP address: anything but 10.4.5.6
tcp.port == 25 | Displays packets with TCP source or destination port 25.
tcp.dstport == 25 | Displays packets with TCP destination port 25.
tcp.flags | Displays packets that carry a TCP flags field (i.e. TCP packets).
tcp.flags.syn == 0x02 | Displays packets with the TCP SYN flag set.
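As an added example (not part of this tutorial and not Wireshark code), the following Python evaluator applies the display filter syntax described above to constructed packet records keyed by Wireshark field names, so the "xor" and "!=" examples in the text can be checked without a live capture. It accepts both the English and the C-like spellings of the comparison and logical operators, treats a bare name (icmp, tcp.flags) as a presence test, and follows Wireshark in making a comparison true when any occurrence of the field matches (tcp.port covers both port fields). Its simplifications are assumptions of the example: tokens must be separated by whitespace, "!=" is defined as the negation of "==", parentheses are not supported, and binary operators are simply evaluated left to right; the frame numbers, addresses and ports are made up.

```python
import operator

# Constructed sample packets (not real captures), keyed by Wireshark field names.
PACKETS = [
    {"frame": 1, "protocols": {"ip", "tcp"}, "ip.src": "10.1.2.3", "ip.dst": "10.4.5.6", "tcp.srcport": 40001, "tcp.dstport": 25, "tcp.flags.syn": True},
    {"frame": 2, "protocols": {"ip", "tcp"}, "ip.src": "10.9.9.9", "ip.dst": "10.4.5.6", "tcp.srcport": 25, "tcp.dstport": 40001, "tcp.flags.syn": False},
    {"frame": 3, "protocols": {"ip", "tcp"}, "ip.src": "10.1.2.3", "ip.dst": "10.8.8.8", "tcp.srcport": 40002, "tcp.dstport": 80, "tcp.flags.syn": True},
    {"frame": 4, "protocols": {"ip", "udp", "dns"}, "ip.src": "10.7.7.7", "ip.dst": "10.0.0.53", "udp.srcport": 5353, "udp.dstport": 53},
    {"frame": 5, "protocols": {"ip", "icmp"}, "ip.src": "10.9.9.9", "ip.dst": "10.8.8.8", "icmp.type": 8},
]
# Comparison and logical operators in both the English and the C-like spelling
OPS = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
       ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
       ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le}
LOGIC = {"and": lambda a, b: a and b, "&&": lambda a, b: a and b,
         "or": lambda a, b: a or b, "||": lambda a, b: a or b,
         "xor": lambda a, b: a != b, "^^": lambda a, b: a != b}

def literal(text):
    # Numbers (including hex such as 0x02) become ints; anything else stays a string
    try:
        return int(text, 0)
    except (TypeError, ValueError):
        return text

def values(pkt, name):
    # All occurrences of a field in the packet; tcp.port covers both port fields, as in Wireshark
    if name == "tcp.port":
        return [pkt[k] for k in ("tcp.srcport", "tcp.dstport") if k in pkt]
    return [pkt[name]] if name in pkt else []

def present(pkt, name):
    # A bare name (icmp, tcp.flags) tests whether that protocol or field exists in the packet
    return name in pkt["protocols"] or name in pkt or any(k.startswith(name + ".") for k in pkt)

def compare(vals, op, target):
    if op in ("!=", "ne"):                     # this toy defines != as the negation of ==
        return not compare(vals, "==", target)
    if vals and isinstance(vals[0], bool):     # boolean fields: any non-zero literal means true
        target = bool(target)
    return any(OPS[op](v, target) for v in vals)   # true if any occurrence matches

def parse(text):
    tokens = text.split() + [None]             # whitespace-separated tokens; None ends the input
    pos = 0

    def term():
        # 'not' / '!' binds tightest, then a comparison 'field op value' or a presence test
        nonlocal pos
        if tokens[pos] in ("not", "!"):
            pos += 1
            inner = term()
            return lambda p: not inner(p)
        name, pos = tokens[pos], pos + 1
        if name is None:
            raise ValueError("expected a field or protocol name")
        if tokens[pos] in OPS:
            if tokens[pos + 1] is None:
                raise ValueError("missing value after %s" % tokens[pos])
            op, target, pos = tokens[pos], literal(tokens[pos + 1]), pos + 2
            return lambda p: compare(values(p, name), op, target)
        return lambda p: present(p, name)

    left = term()
    while tokens[pos] in LOGIC:                # binary operators evaluated left to right in this toy
        fn, pos = LOGIC[tokens[pos]], pos + 1
        left = (lambda l, r, f: lambda p: f(l(p), r(p)))(left, term(), fn)
    if tokens[pos] is not None:
        raise ValueError("unexpected token %r" % tokens[pos])
    return left

def select(filter_text, packets=PACKETS):
    # Frame numbers of the packets the display filter would show
    keep = parse(filter_text)
    return [p["frame"] for p in packets if keep(p)]
```

With these records, `select("tcp.dstport == 80 xor tcp.dstport == 25")` returns frames 1 and 3 (exactly one side true), `select("ip.src != 10.1.2.3 or ip.dst != 10.4.5.6")` returns frames 2 to 5, and the "and" variant of the same filter returns only frames 4 and 5, matching the explanations above.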
If the filter syntax is correct, the filter field is highlighted in green; if there is a syntax mistake, it is highlighted in red.
[Screenshots: correct syntax (green) / wrong syntax (red)]
Supplementary information about the display filters can be found on the or on the .