Wireshark
Filtering Packets
Information related to Packet filtering is as follows:
Filtering a Cap File
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
Wireshark Common Filters
Operators
| Description | English | Alias | C-like | Example |
|---|---|---|---|---|
| Equal (any if more than one) | eq | any_eq | == | ip.src == 10.0.0.5 |
| Not equal (all if more than one) | ne | all_ne | != | ip.src != 10.0.0.5 |
| Equal (all if more than one) | all_eq | === | ip.src === 10.0.0.5 | |
| Not equal (any if more than one) | any_ne | !== | ip.src !== 10.0.0.5 | |
| Greater than | gt | > | frame.len > 10 | |
| Less than | lt | < | frame.len < 128 | |
| Greater than or equal to | ge | >= | frame.len ge 0x100 | |
| Less than or equal to | le | <= | frame.len <= 0x20 | |
| Protocol, field or slice contains a value | contains | sip.To contains "a1762" | ||
| Protocol or text field matches a Perl-compatible regular expression | matches | ~ | http.host matches "acme\\.(org|com|net)" |
Combining Expressions
| Description | English | C-like | Example |
|---|---|---|---|
| Logical AND | and | && | ip.src==10.0.0.5 and tcp.flags.fin |
| Logical OR | or | || | ip.src==10.0.0.5 or ip.src==192.1.1.1 |
| Logical XOR | xor | ^^ | tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 |
| Logical NOT | not | ! | not llc |
Membership Operator
- Below are equivalent:
tcp.port in {80, 443, 8080} --> tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
http.request.method in {"HEAD", "GET"}
ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9}
tcp.port in {443,4430..4434}
- More Details: Reference
| Description | Filter |
|---|---|
| Sets a filter for any packet with 10.0.0.1, as either the source or dest | ip.addr == 10.0.0.1 |
| Sets a conversation filter between the two defined IP addresses | ip.addr==10.0.0.1 && ip.addr==10.0.0.2 |
| Sets a filter to display all http and dns | http or dns |
| Sets a filter for any TCP packet with 4000 as a source or dest port | tcp.port==4000 |
| Displays all TCP resets | tcp.flags.reset==1 |
| Display all SYN packets | tcp.flags.syn==1 |
| Filter packets using Identification Field (across multiple traces) | ip.id==518 |
| Displays all HTTP GET requests | http.request |
| Displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID |
tcp contains traffic |
| Masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest |
!(arp or icmp or dns) |
| Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset | udp contains 33:27:58 |
| Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss |
tcp.analysis.retransmission |
| Fragmented Traffic | ip.flags.mf == 1 or ip.frag_offset > 0 |
| ICMP Fragmentation needed packets | icmp.type==3 and icmp.code==4 |
| Combination of above two | ip[0,9,20:2]==4501:0304||ip[6:2]&3fff |
| Starting and Ending sessions | tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0) |
- SSL Traffic Filters
Client Hello:
ssl.handshake.type == 1
Server Hello:
ssl.handshake.type == 2
NewSessionTicket:
ssl.handshake.type == 4
Certificate:
ssl.handshake.type == 11
CertificateRequest
ssl.handshake.type == 13
ServerHelloDone:
ssl.handshake.type == 14
Note: “ServerHellpDone” means full-handshake TLS session.
Cipher Suites:
ssl.handshake.ciphersuite
SSL handshake message types:
0 HelloRequest 1 ClientHello 2 ServerHello 4 NewSessionTicket 8 EncryptedExtensions (TLS 1.3 only) 11 Certificate 12 ServerKeyExchange 13 CertificateRequest 14 ServerHelloDone 15 CertificateVerify 16 ClientKeyExchange 20 Finished
Wireshark Column Filters
| Value to display | Filter |
|---|---|
| TTL | ip.ttl |
| Flags | tcp.flags |
| SEQ | tcp.seq |
| ACK | tcp.ack |
| MSS | tcp.options.mss_val |
| In-Flight | tcp.analysis.bytes_in_flight |
| Payload | tcp.len |
| Window | tcp.window_size |
| Content-Length | http.content_length_header |
Advanced Packet Filtering
Use Case:
I am analyzing an SMB issue. I have 50 PCAP files, each of 100 MB, generated by the intermediate devices. I am not sure which all files contain the interesting traffic. Searching each file manually using wireshark is hectic. Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (port 445). We can use Tshark or TCPDump for this exercise. Tshakr is slow in Linux & TCPDump is very fast.
Wireshark Filter:
((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb
List all Pcap files using any of the below commands:
find . -type f | egrep "All.pcap" find . -type f | egrep ".pcap" find . -type f | egrep "*.pcap" find . -type f | grep ".pcap" find . -type f | grep "pcap"
List interesting traffic from all the PCAP files:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb' ; echo -e "\n"; done
Filter out errors:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)'
Filter out errors and save output to text file in background:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt &
Show Timestamps in the output and save it to a text file:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t ad -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done > smb-time.txt a absolute time (local time in your time zone, actual time the packet was captured) ad absolute with date u Absolute UTC time ud Absolute UTC time with date
Search for keywords in the text files created along with traces:
for i in `find . -type f | egrep ".txt"`; do echo $i; cat $i ; echo -e "\n"; done | grep smb2.lock
More Filters
- Filter traffic in time range
- Show traffic from 10:27 to 10:29
tshark -r trace1.cap -t ud | egrep -E '2017-07-25 10:2[7-9].'
- Show traffic from 10:27 to 10:29
 This filter is not tested successfully yet.
|
tshark -r trace1.cap -t ud '(frame.time >= "July 25, 2017 10:26:00.0") && (frame.time == "July 25, 2017 10:30:00.0")'
- Decode SSL encrypted Traffic using Private Key
| This filter is not tested successfully yet.
|
tshark -r trace1.cap -t ud -o ssl.keys_list:"192.168.3.206","443","http","/home/aman/Downloads/Trace/trace.sslkeys"
- Decode SSL encrypted Traffic using Pre Master Secret Key
| This filter is not tested successfully yet.
|
tshark -r trace1.cap -t ud -o ssl.keys_list:/home/aman/Downloads/Trace/trace.sslkeys
Misc
- In IE, disable HTTP1.1 in Advanced options to see the traffic being sent in HTTP1.0 version. Now you will be able to see traffic in Clear text in wireshark captures. HTTP1.1 uses gzip to compress html, so it is not read in clear text. You will find multiple connections for a single webpage.
- In Wireshark, anyting you see in square brackets - [bla bla] is the wireshar analysis of the information & is not the part of the packet captured.
Non-Root Capture in Ubuntu
sudo apt-get install libcap2-bin sudo groupadd wireshark sudo usermod -a -G wireshark user newgrp wireshark sudo chgrp wireshark /usr/bin/dumpcap sudo chmod 750 /usr/bin/dumpcap sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Verification:
getcap /usr/bin/dumpcap => /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
If still unable to capture:
sudo dpkg-reconfigure wireshark-common sudo chmod +x /usr/bin/dumpcap
Tshark
- Installation:
sudo apt-get install tshark
- Filter Traffic from capture file:
tshark -r lotsapackets.cap -R dns -w trace.cap tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap
- Information about the capture file:
capinfos web.cap
- Split capture file:
editcap -c 50000 lotsapackets.cap fewerpackets.cap
- Extract data from any HTTP requests:
-T Specify to extract Fields -e Mention which fields to Extract
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent google.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
- Extracts both the DNS query and the response address:
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10
Even more details:
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127
- Tshark can use stdout to manipulate/clean output:
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123
- Tshark 2.4 is required for some features, Install it in Ubuntu:
sudo add-apt-repository ppa:dreibh/ppa sudo apt-get update && sudo apt-get install wireshark tshark
- Extract files from an SMB stream:
tshark -nr test.pcap --export-objects smb,tmpfolder
- Extract files from HTTP stream:
tshark -nr test.pcap --export-objects http,tmpfolder
- Detailed output:
Figure out the Frame number:
tshark -r ~/dhcp.pcap bootp.option.dhcp == 1
View Full details:
tshark -r ~/dhcp.pcap -V frame.number == 12
- References
{{#widget:DISQUS
|id=networkm
|uniqid=Wireshark
|url=https://aman.awiki.org/wiki/Wireshark
}}