==Wireshark Common Filters==

{| class="wikitable"
! Description !! Filter
|-
| Sets a filter for any packet with 10.0.0.1 as either the source or destination address || ip.addr == 10.0.0.1
|-
| Sets a conversation filter between the two defined IP addresses || ip.addr==10.0.0.1 && ip.addr==10.0.0.2
|-
| Sets a filter to display all HTTP and DNS traffic || http or dns
|-
| Sets a filter for any TCP packet with 4000 as the source or destination port || tcp.port==4000
|-
| Displays all TCP resets || tcp.flags.reset==1
|-
| Displays all HTTP GET requests || http.request
|-
| Displays all TCP packets that contain the word ‘traffic’. <br/>Excellent when searching for a specific string or user ID || tcp contains traffic
|-
| Masks out ARP, ICMP, DNS, or whatever other protocols may be background noise, <br/>allowing you to focus on the traffic of interest || !(arp or icmp or dns)
|-
| Sets a filter for the hex values 0x33 0x27 0x58 at any offset in the UDP payload || udp contains 33:27:58
|-
| Displays all retransmissions in the trace. <br/>Helps when tracking down slow application performance and packet loss || tcp.analysis.retransmission
|-
| Fragmented traffic || ip.flags.mf == 1 or ip.frag_offset > 0
|-
| ICMP Fragmentation Needed packets || icmp.type==3 and icmp.code==4
|-
| Combination of the above two (byte-offset form) || <nowiki>ip[0,9,20:2]==4501:0304||ip[6:2]&3fff</nowiki>
|-
| Starting and ending sessions || tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0)
|}
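The last four rows are the ones that trip people up, because the byte-slice forms hide what is actually compared: <code>ip[6:2]&3fff</code> masks the IPv4 flags/fragment-offset word down to the MF bit plus the 13-bit offset, <code>ip[0,9,20:2]==45:01:03:04</code> checks version/IHL, the protocol byte (1 = ICMP) and the first two payload bytes (ICMP type 3, code 4), and <code>tcp.flags&7</code> matches any packet with FIN, SYN or RST set. The following Python is an added example written for this page, not code from the wiki or from the Wireshark project; it builds a few constructed IPv4 packets and re-implements those filter rows as plain byte tests so you can see exactly which packets each one selects. It assumes option-less 20-byte IPv4 headers, which is the same assumption the offset-20 slice filter itself makes.

```python
"""Re-implement the byte-offset filters from the table above as plain
byte tests over constructed IPv4 packets (added example, not wiki code).

  ip.flags.mf == 1 or ip.frag_offset > 0   ->  ip[6:2] & 0x3fff != 0
  icmp.type==3 and icmp.code==4            ->  ip[0,9,20:2] == 45:01:03:04
  tcp.flags&7 or (seq==1, ack==1, len==0)  ->  FIN/SYN/RST set, or handshake ACK
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04
IP_PROTO_ICMP, IP_PROTO_UDP = 1, 17


def build_ipv4(proto, payload, flags=0, frag_offset=0,
               src="10.0.0.1", dst="10.0.0.2"):
    """Construct a minimal IPv4 packet: 20-byte header, no options.
    flags is the 3-bit field (DF=2, MF=1); checksum is left 0 because
    none of the filters below look at it."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    ver_ihl = (4 << 4) | 5                       # version 4, IHL 5 -> 0x45
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload),
                         0x1234, flags_frag, 64, proto, 0, ip2b(src), ip2b(dst))
    return header + payload


def is_fragment(pkt):
    """ip[6:2]&3fff: MF bit (0x2000) or non-zero offset (0x1fff).
    DF (0x4000) is deliberately masked out, so DF-only packets do not match."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return (flags_frag & 0x3FFF) != 0


def is_icmp_frag_needed(pkt):
    """ip[0,9,20:2]==45:01:03:04: byte 0 = 0x45 (IPv4, 20-byte header),
    byte 9 = 1 (ICMP), bytes 20-21 = type 3 / code 4 (Fragmentation Needed).
    A header with options would shift the ICMP bytes and miss, which is why
    the field-based icmp.type/icmp.code form in the table is the safer one."""
    return pkt[0] == 0x45 and pkt[9] == IP_PROTO_ICMP and pkt[20:22] == b"\x03\x04"


def frag_or_frag_needed(pkt):
    """The 'Combination of the above two' row."""
    return is_icmp_frag_needed(pkt) or is_fragment(pkt)


def starts_or_ends_session(tcp_flags, rel_seq=0, rel_ack=0, payload_len=0,
                           scale_factor=-1):
    """tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and
    !tcp.window_size_scalefactor==-1 and tcp.len==0).
    rel_seq/rel_ack are Wireshark's relative sequence numbers; -1 is the
    value Wireshark assigns to the scale factor when it is unknown."""
    if tcp_flags & (TCP_FIN | TCP_SYN | TCP_RST):
        return True
    return (rel_seq == 1 and rel_ack == 1 and scale_factor != -1
            and payload_len == 0)


def apply_filter(packets, predicate):
    """Return the indexes of packets a predicate selects, like a display
    filter narrowing the packet list."""
    return [i for i, p in enumerate(packets) if predicate(p)]


# Constructed sample packets (not captured traffic)
ICMP_FRAG_NEEDED = build_ipv4(IP_PROTO_ICMP, b"\x03\x04" + b"\x00" * 34)
UDP_FIRST_FRAGMENT = build_ipv4(IP_PROTO_UDP, b"\x00" * 8, flags=1)       # MF set
UDP_LAST_FRAGMENT = build_ipv4(IP_PROTO_UDP, b"\x00" * 8, frag_offset=185)
UDP_DF_ONLY = build_ipv4(IP_PROTO_UDP, b"\x00" * 8, flags=2)              # DF, no MF
PLAIN_UDP = build_ipv4(IP_PROTO_UDP, b"\x00" * 8)
SAMPLE = [ICMP_FRAG_NEEDED, UDP_FIRST_FRAGMENT, UDP_LAST_FRAGMENT, UDP_DF_ONLY, PLAIN_UDP]

if __name__ == "__main__":
    print("fragments:        ", apply_filter(SAMPLE, is_fragment))
    print("icmp frag needed: ", apply_filter(SAMPLE, is_icmp_frag_needed))
    print("combined:         ", apply_filter(SAMPLE, frag_or_frag_needed))
    print("SYN:", starts_or_ends_session(TCP_SYN),
          "handshake ACK:", starts_or_ends_session(0x10, 1, 1, 0, scale_factor=7),
          "data segment:", starts_or_ends_session(0x18, 1, 1, 100, scale_factor=7))
```

Running it shows the fragment filter selecting only the MF and non-zero-offset packets (the DF-only packet is excluded by the 0x3fff mask), the ICMP check selecting only the Fragmentation Needed packet, and the session filter matching a SYN and a bare handshake ACK but not a data-carrying segment.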