Wireshark
Filtering Packets
Information related to Packet filtering is as follows:
Filtering a Cap File
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
Wireshark Common Filters
| Description | Filter |
|---|---|
| Sets a filter for any packet with 10.0.0.1, as either the source or dest | ip.addr == 10.0.0.1 |
| Sets a conversation filter between the two defined IP addresses | ip.addr==10.0.0.1 && ip.addr==10.0.0.2 |
| Sets a filter to display all http and dns | http or dns |
| Sets a filter for any TCP packet with 4000 as a source or dest port | tcp.port==4000 |
| Displays all TCP resets | tcp.flags.reset==1 |
| Display all SYN packets | tcp.flags.syn==1 |
| Filter packets using Identification Field (across multiple traces) | ip.id==518 |
| Displays all HTTP GET requests | http.request |
| Displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID |
tcp contains traffic |
| Masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest |
!(arp or icmp or dns) |
| Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset | udp contains 33:27:58 |
| Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss |
tcp.analysis.retransmission |
| Fragmented Traffic | ip.flags.mf == 1 or ip.frag_offset > 0 |
| ICMP Fragmentation needed packets | icmp.type==3 and icmp.code==4 |
| Combination of above two | ip[0,9,20:2]==4501:0304||ip[6:2]&3fff |
| Starting and Ending sessions | tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0) |
Wireshark Column Filters
| Value to display | Filter |
|---|---|
| TTL | ip.ttl |
| Flags | tcp.flags |
| SEQ | tcp.seq |
| ACK | tcp.ack |
| MSS | tcp.options.mss_val |
| In-Flight | tcp.analysis.bytes_in_flight |
| Payload | tcp.len |
| Window | tcp.window_size |
| Content-Length | http.content_length_header |