Wireshark: Top 17 Display Filters
All About Testing (https://allabouttesting.org), Thu, 05 Oct 2017
https://allabouttesting.org/wirshark-top-17-display-filters/
Wireshark is a network protocol analyzer. It offers both capture filters and display filters. Here is a list of the 17 Wireshark display filters I use most when analyzing network traffic.

1. Display traffic to or from 192.168.65.129

ip.addr == 192.168.65.129

2. Display both TCP and DNS packets

tcp or dns

3. Display TCP traffic with source or destination port 443

tcp.port == 443

4. Display packets that Wireshark's TCP expert analysis has flagged (retransmissions, duplicate ACKs, zero window and so on)

tcp.analysis.flags

5. Display all protocols other than ARP, ICMP and DNS

!(arp or icmp or dns)

6. Show TCP packets whose bytes contain the string "google"

tcp contains google

7. Display HTTP responses with status code 200

http.response.code == 200

8. Display HTTP requests

http.request

9. Display TCP packets with the SYN flag set (a bare tcp.flags.syn only tests that the field is present, which is true for every TCP packet)

tcp.flags.syn == 1

10. Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

11. Show only traffic within the LAN (192.168.x.x), between workstations and servers, with no Internet traffic:

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

12. TCP zero window: the receive buffer is full, so the sender of this segment is telling its peer to stop sending data (resets are excluded)

tcp.window_size == 0 && tcp.flags.reset != 1

13. Windows client to domain controller exchanges: show only the protocols involved and drop the rest of the noise

smb || nbns || dcerpc || nbss || dns

14. Display all traffic except traffic to or from 192.168.65.129

! ( ip.addr == 192.168.65.129 )

which is equivalent to

! (ip.src == 192.168.65.129 or ip.dst == 192.168.65.129)

This translates to "pass any traffic except traffic with a source IPv4 address of 192.168.65.129 or a destination IPv4 address of 192.168.65.129".

15. Some filter fields match against multiple protocol fields. For example, "ip.addr" matches both the source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr" and others. It is important to note that

ip.addr == 192.168.0.100

is equivalent to

ip.src == 192.168.0.100 or ip.dst == 192.168.0.100

16. Filter out any traffic to or from 10.43.54.65. A common first attempt is

ip.addr != 10.43.54.65

which is equivalent to

ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

This translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted: a packet with 10.43.54.65 on one side still passes because the address on the other side differs.

17. The correct way to exclude traffic to or from 10.43.54.65 is

! ( ip.addr == 10.43.54.65 )

which is equivalent to

! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)

This translates to "pass any traffic except traffic with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65".
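The multi-field semantics of items 15 to 17, modelled in a small Python script (an added example, not code from the post or from Wireshark) over a constructed three-packet capture; the names eq, ne_any, ne_all and apply_filter are chosen here. It also covers the tcp.port shorthand and carries one caveat: recent Wireshark releases (3.6 and later) give plain != the "all occurrences differ" meaning, so check which semantics your installation uses.

```python
from typing import Callable, Dict, List

Packet = Dict[str, object]
Filter = Callable[[Packet], bool]

# Combined fields are shorthand for several header fields (item 15).
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
}

def field_values(pkt: Packet, name: str) -> list:
    """Every value the field name resolves to in this packet (empty if absent)."""
    return [pkt[f] for f in ALIASES.get(name, (name,)) if f in pkt]

def eq(name: str, value) -> Filter:
    """`name == value`: true if ANY occurrence of the field equals value."""
    return lambda pkt: any(v == value for v in field_values(pkt, name))

def ne_any(name: str, value) -> Filter:
    """Legacy `name != value` as described in item 16: true if ANY occurrence
    differs, so a packet to or from `value` usually still passes."""
    return lambda pkt: any(v != value for v in field_values(pkt, name))

def ne_all(name: str, value) -> Filter:
    """`!(name == value)` from item 17: true only if EVERY occurrence differs.
    Wireshark 3.6 and later give plain `!=` this meaning too."""
    return lambda pkt: all(v != value for v in field_values(pkt, name))

def apply_filter(flt: Filter, packets: List[Packet]) -> List[int]:
    """Indices of the packets the display filter would show."""
    return [i for i, pkt in enumerate(packets) if flt(pkt)]

# Constructed sample capture: packets 0 and 1 involve 10.43.54.65, packet 2 does not.
PACKETS: List[Packet] = [
    {"ip.src": "10.43.54.65", "ip.dst": "192.168.0.10",
     "tcp.srcport": 443, "tcp.dstport": 51000},
    {"ip.src": "192.168.0.10", "ip.dst": "10.43.54.65",
     "tcp.srcport": 51000, "tcp.dstport": 443},
    {"ip.src": "192.168.0.10", "ip.dst": "192.168.0.20",
     "tcp.srcport": 40000, "tcp.dstport": 25},
]

if __name__ == "__main__":
    host = "10.43.54.65"
    print("ip.addr == host    ->", apply_filter(eq("ip.addr", host), PACKETS))      # [0, 1]
    print("ip.addr != host    ->", apply_filter(ne_any("ip.addr", host), PACKETS))  # [0, 1, 2]
    print("!(ip.addr == host) ->", apply_filter(ne_all("ip.addr", host), PACKETS))  # [2]
    print("tcp.port == 443    ->", apply_filter(eq("tcp.port", 443), PACKETS))      # [0, 1]
```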

Wireshark: Difference between Capture Filters and Display Filters
All About Testing, Wed, 04 Oct 2017
https://allabouttesting.org/wireshark-difference-between-capture-filters-and-display-filters/
Wireshark is a network traffic analyzer. For an introduction to the tool, refer to the Basic Tutorial on Wireshark.

Capture filters: This type of filter is set before you start capturing traffic in Wireshark and cannot be changed while a capture is running. It is generally used to record only a specific type of traffic. Capture filters use the libpcap (BPF) syntax, so they look different from display filters.

Example:

Capture only traffic to or from IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from a range of IP addresses:

net 192.168.0.0/24

Display filters: This type of filter reduces the packets shown in Wireshark and can be changed while capturing traffic. It is generally used to hide unrelated traffic so that you can analyze a specific type of traffic.

Example:

Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

Display only traffic to or from IP address 192.168.0.87

ip.addr == 192.168.0.87

Wireshark: Basic Tutorial
All About Testing, Wed, 04 Oct 2017
https://allabouttesting.org/wireshark-basic-tutorial/
Wireshark is a tool for analyzing network protocols from your desktop. It sniffs traffic and provides a GUI for analyzing the packets on the network. It supports all major operating systems, including Windows, macOS, Linux and UNIX, and is used by network professionals, security experts, developers and educators to understand network protocols and analyze traffic. It is available free from the official website as open-source software released under the GNU General Public License version 2.

tshark is the command-line tool for users who prefer a terminal. Remember, tshark is the CLI counterpart of Wireshark.

It is a good example of disruptive technology in networking: an innovation that creates a new market and displaces the existing players in that field.

Download Link: https://www.wireshark.org/#download

Basic User Interface

Main features of Wireshark

  • Deep Packet Inspection of protocols
  • Live capture and offline analysis
  • Runs on Windows, Linux, OS X, Solaris, and many others (multi-platform)
  • Available in both GUI and command-line mode
  • Filters are available to separate protocols
  • Output can be exported to XML, PostScript, CSV, or plain text
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, and many others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Different coloring rules to identify problems

Conclusion

Wireshark is a powerful network analyzer that helps you understand and analyze network traffic. It is a one-stop tool for diagnosing problems in a network. If you want a command-line equivalent, use tshark.

tcpdump is another command-line tool for capturing and analyzing network traffic.
