Wireshark
Filtering Packets
The capture and display filters below cover the packet-filtering tasks that come up most often.
Filtering While Capturing to a Cap File
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
This runs dumpcap on eth0 with a capture (BPF) filter that keeps only DNS traffic to or from 208.67.220.220, writes it to /tmp/dns.cap, starts a new file every 3600 seconds and keeps at most 25 files in the ring buffer. Capture filters use BPF syntax; the display filters in the tables below use Wireshark's own syntax and are applied after capture.
Wireshark Common Filters
Description | Filter |
---|---|
Sets a filter for any packet with 10.0.0.1, as either the source or destination | ip.addr == 10.0.0.1 |
Sets a conversation filter between the two defined IP addresses | ip.addr==10.0.0.1 && ip.addr==10.0.0.2 |
Sets a filter to display all HTTP and DNS | http or dns |
Sets a filter for any TCP packet with 4000 as a source or destination port | tcp.port==4000 |
Displays all TCP resets | tcp.flags.reset==1 |
Displays all SYN packets | tcp.flags.syn==1 |
Filters packets using the IP Identification field (useful for following one packet across multiple traces) | ip.id==518 |
Displays all HTTP GET requests (http.request alone matches every HTTP request method) | http.request.method == "GET" |
Displays all TCP packets that contain the word ‘traffic’. Excellent when searching for a specific string or user ID | tcp contains traffic |
Masks out ARP, ICMP, DNS, or whatever other protocols may be background noise, so you can focus on the traffic of interest | !(arp or icmp or dns) |
Sets a filter for the hex values 0x33 0x27 0x58 at any offset in the UDP payload | udp contains 33:27:58 |
Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss | tcp.analysis.retransmission |
Fragmented traffic (More Fragments bit set, or a non-zero fragment offset) | ip.flags.mf == 1 or ip.frag_offset > 0 |
ICMP Fragmentation Needed packets (Destination Unreachable, code 4) | icmp.type==3 and icmp.code==4 |
Combination of the above two, written as raw byte-slice comparisons on the IP header (assumes a 20-byte header with no options) | ip[0,9,20:2]==4501:0304||ip[6:2]&3fff |
Starting and ending sessions (any FIN, SYN or RST, or the empty handshake-completing ACK at relative seq/ack 1) | tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0) |
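The three fragmentation filters in the table are easy to misread, in particular the byte-slice form: ip[0,9,20:2]==4501:0304 only matches when the version/IHL byte is 0x45 (a 20-byte header with no options), the protocol byte is 1 (ICMP) and the two bytes at offset 20 are ICMP type 3, code 4, while ip[6:2]&3fff is non-zero whenever the MF bit or any fragment-offset bit is set (0x3fff deliberately excludes the DF bit). The following Python script, added here as an example and not part of the original cheat sheet or of Wireshark itself, builds a handful of constructed IPv4 packets and evaluates each filter's logic over them by hand, so the equivalence (and the one case where the byte-slice version diverges, a header carrying options) can be checked without a capture. The packet builder, field names and sample addresses are assumptions made for the example.

```python
import socket
import struct

ICMP, TCP = 1, 6


def ipv4_packet(proto, payload, mf=False, frag_offset=0, df=False, options=b""):
    """Build a raw IPv4 packet (constructed test data, not captured traffic).

    frag_offset is in 8-byte units, exactly as carried on the wire.
    The header checksum is left as 0 because nothing here verifies it.
    """
    assert len(options) % 4 == 0, "IP options must pad to a 32-bit boundary"
    ihl = 5 + len(options) // 4
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                    # version 4, header length in 32-bit words
        0,                                 # DSCP/ECN
        20 + len(options) + len(payload),  # total length
        518,                               # ip.id (the value used on the page)
        flags_frag, 64, proto, 0,          # flags+offset, TTL, protocol, checksum
        socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"),
    )
    return header + options + payload


# "Fragmentation needed" ICMP body: type 3, code 4, checksum 0, unused/MTU field 0
ICMP_FRAG_NEEDED = bytes([3, 4, 0, 0]) + b"\x00" * 4

PACKETS = {
    "tcp_df": ipv4_packet(TCP, b"\x00" * 20, df=True),
    "first_frag": ipv4_packet(TCP, b"\x00" * 8, mf=True, frag_offset=0),
    "last_frag": ipv4_packet(TCP, b"\x00" * 8, mf=False, frag_offset=185),
    "icmp_frag_needed": ipv4_packet(ICMP, ICMP_FRAG_NEEDED),
    # Same ICMP message, but the IP header carries four NOP option bytes (IHL = 6)
    "icmp_frag_needed_opts": ipv4_packet(ICMP, ICMP_FRAG_NEEDED, options=b"\x01" * 4),
}


def ip_fragment(pkt):
    """ip.flags.mf == 1 or ip.frag_offset > 0"""
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0


def icmp_frag_needed(pkt):
    """icmp.type==3 and icmp.code==4, located the way a dissector would (after IHL)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP or len(pkt) < ihl + 2:
        return False
    return pkt[ihl] == 3 and pkt[ihl + 1] == 4


def byte_slice_combo(pkt):
    """ip[0,9,20:2]==4501:0304 || ip[6:2]&3fff, evaluated on the raw bytes."""
    slice_match = pkt[0:1] + pkt[9:10] + pkt[20:22] == bytes.fromhex("45010304")
    (frag_bits,) = struct.unpack("!H", pkt[6:8])
    return slice_match or (frag_bits & 0x3FFF) != 0


def evaluate(packets=PACKETS):
    """Return {packet name: {filter name: matched?}} for every constructed packet."""
    return {
        name: {
            "ip_fragment": ip_fragment(p),
            "icmp_frag_needed": icmp_frag_needed(p),
            "byte_slice_combo": byte_slice_combo(p),
        }
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:24s} {result}")
```

The field-based filters match the ICMP message whether or not the IP header carries options, because the dissector locates the ICMP header from the IHL; the byte-slice form hard-codes offset 20 and the 0x45 first byte, so it silently misses the packet with options. That is the trade-off with raw offset filters: they are fast and work without a dissector, but they encode assumptions about header layout that the named fields do not.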
Wireshark Column Filters
Value to display | Filter |
---|---|
TTL | ip.ttl |
Flags | tcp.flags |
SEQ | tcp.seq |
ACK | tcp.ack |
MSS | tcp.options.mss_val |
In-Flight | tcp.analysis.bytes_in_flight |
Payload | tcp.len |
Window | tcp.window_size |
Content-Length | http.content_length_header |