Filters
Notes from Chris Greer course
There is often more than one way to apply a filter and end up with the same result. With experience, we learn how to be more efficient at filtering for the packets that match our criteria.
Capture vs Display filter
Capture and display filters are two different ways to apply filters in Wireshark. A display filter is applied to a PCAP file whose packets have already been captured (post-capture). The filter can be removed, modified, added to, etc. A capture filter, on the other hand, is applied pre-capture, so Wireshark will only record packets of a specific type, for a specific host, IP address, etc.
Applying a display filter is the better practice when troubleshooting, since over-filtering at capture time risks missing important or unexpected packets relevant to our analysis.
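The two filter types also use two different syntaxes: capture filters are written in BPF (the same syntax tcpdump uses), while display filters use Wireshark's own field-based language. The block below is an added example, not from the course, placing equivalent filters side by side; the host and subnet values are constructed, and lines starting with `#` are annotations, not part of any filter (each filter is one line typed on its own).

```wireshark
# Capture filters (BPF): evaluated before a packet is written to the pcap.
# A packet that does not match is gone for good.
host 10.0.0.5
net 192.168.1.0/24
tcp port 443
host 10.0.0.5 and not port 22

# Display filters: evaluated against an already captured pcap and
# changeable at any time, so nothing is lost by getting them wrong.
ip.addr == 10.0.0.5
ip.addr == 192.168.1.0/24
tcp.port == 443
ip.addr == 10.0.0.5 && !(tcp.port == 22)
```

A practical compromise when the capture would otherwise be too large is a broad capture filter (for example a single host or subnet) and then narrowing with display filters afterwards.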
Conversation filter
To add a filter for a specific conversation (e.g. TCP), we can select one packet from the targeted conversation, then right-click on the packet > Conversation Filter > TCP.
Wireshark will then only display packets from the targeted conversation. Depending on the network layer at which we want to filter the traffic, we can select Ethernet, IPv4 or TCP exchanges.
A wiser way to filter for a conversation is via the Conversations interface. This interface gives us a high-level overview of all conversations in the pcap file, so we can more easily target the conversations worth further investigation. We can sort the conversations by bytes to identify the ones that stand out from the others in terms of size.
By right clicking on a conversation, we can apply a filter on that conversation and specify the direction of the communication.
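For reference, these are the kinds of filters the two conversation features produce, shown here as an added example rather than the course's own screenshots. The addresses, ports and stream index are constructed; lines starting with `#` are annotations.

```wireshark
# Conversation Filter > TCP on one selected packet: both endpoints and both ports,
# so every packet of that single TCP connection is shown, in either direction.
(ip.addr eq 192.168.1.20 and ip.addr eq 203.0.113.10) and (tcp.port eq 51234 and tcp.port eq 443)

# The same connection by its stream index. Wireshark numbers every TCP
# conversation in the file from 0, and this is much shorter to type.
tcp.stream eq 4

# Conversations window, direction A -> B only (client to server): the
# equivalent written out with src/dst fields.
ip.src == 192.168.1.20 && ip.dst == 203.0.113.10 && tcp.srcport == 51234 && tcp.dstport == 443

# The IPv4 and Ethernet variants of the conversation filter, which ignore ports
# and therefore show every connection between the two hosts.
ip.addr == 192.168.1.20 && ip.addr == 203.0.113.10
eth.addr == 00:11:22:33:44:55 && eth.addr == 66:77:88:99:aa:bb
```

The IPv4 and Ethernet variants are the ones to reach for when one host is suspected of talking to another over several connections or protocols, since a TCP conversation filter only ever shows one connection.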
Filter by IP address
The most common filter we want to apply is one that filters packets by source or destination IP address.
For example, if we want to only display packets from or to a specific IP address, we can add these filters.
Subnet
We can also filter for traffic coming from or going to a specific subnet. Wireshark supports the CIDR notation.
Once we have filtered for exchanges on a specific subnet, we might want to list all the unique IPs in that subnet we captured packets from. We can go to Statistics > Endpoints.
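The address and subnet filters described in the two sections above, written out as an added example (not the course's own material); the host and subnet values are constructed, and lines starting with `#` are annotations.

```wireshark
# Packets sent by a host, packets sent to a host, and either direction.
ip.src == 10.1.1.50
ip.dst == 10.1.1.50
ip.addr == 10.1.1.50

# CIDR notation works on the same fields, matching any address in the prefix.
ip.addr == 10.1.1.0/24
ip.src == 10.1.1.0/24

# Traffic leaving the subnet: source inside, destination outside. This is a
# useful first cut when looking for unexpected outbound connections.
ip.src == 10.1.1.0/24 && !(ip.dst == 10.1.1.0/24)

# Traffic between two subnets, in either direction.
ip.addr == 10.1.1.0/24 && ip.addr == 192.168.50.0/24

# The IPv6 equivalents use their own fields.
ipv6.addr == 2001:db8::/32
ipv6.src == 2001:db8:1::10
```

With the "leaving the subnet" filter applied, Statistics > Endpoints (limited to display filter) lists exactly the external addresses the subnet talked to, which is often the quickest way to spot a host that should not have been contacted.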
Filter by Protocol
Filtering by protocol is quite easy. We only have to type the name of the protocol we want into the filter bar. For example, here is an example of filtering for HTTP packets.
The instructor pointed out that filtering for the port, tcp.port==80, won't give the same results as filtering for HTTP, even though HTTP is associated with the TCP protocol on port 80. Indeed, applying the tcp.port==80 filter will display not only HTTP packets but also all the TCP packets involved in the underlying transport layer. In the image below, we can observe that the packets associated with the 4-way handshakes are displayed.
Logic Operators
We can use logical operators to filter out packets from a pcap file.
| Operator | Symbol |
| --- | --- |
| equal | == |
| OR | \|\| |
| AND | && |
| NOT | ! |
| gt (greater than) | > |
| lt (less than) | < |
The following filter will exclude all packets related to the specified protocol from the display view.
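The protocol-versus-port distinction and the logical operators above, combined into filters a practitioner actually uses. This is an added example and not from the course; the host address is constructed, and lines starting with `#` are annotations. The last pair illustrates a well-known pitfall with `!=` on fields that occur twice in a packet.

```wireshark
# Protocol name: only packets the HTTP dissector actually decoded.
http

# Port: the same HTTP packets plus the SYN/ACK/FIN/RST segments, pure ACKs and
# retransmissions of those connections. Note that this misses HTTP on any other port.
tcp.port == 80

# Exactly the transport-layer packets that "http" alone hides.
tcp.port == 80 && !http

# NOT excludes a whole protocol from the view.
!arp
!dns

# Excluding a host: ip.addr is true if EITHER source or destination matches,
# so the negation must wrap the whole comparison.
!(ip.addr == 10.1.1.50)

# Wrong: "ip.addr != X" is true whenever either address differs from X, which
# holds for almost every packet, including those to and from X itself.
ip.addr != 10.1.1.50

# gt / lt on numeric fields: segments that actually carry payload, and
# frames of unusual size.
tcp.len > 0 && tcp.port == 443
frame.len < 60 || frame.len > 1400

# OR across different protocols: HTTP requests or TLS ClientHello messages.
http.request || tls.handshake.type == 1
```

Wireshark highlights a filter bar in yellow when it accepts a filter that probably does not do what was meant, and `ip.addr != x` is the classic case; `!(ip.addr == x)` is the form to use.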
When a filter is applied, the Save As option will still save all the packets in the pcap file, regardless of the filter. To pull out only the displayed packets and save them in a new pcap file, we have to choose the File > Export Specified Packets option.
This option also allows the user to extract a packet range. For example, if we want to extract only packets #100 to #200 from the file and save them into a new file, we can select the Range option.
When analyzing a pcap file, the fewer packets we have, the easier it is to analyze.
Special Filters
Contains (exact strings)
The contains operator searches for a matching byte pattern. For example, the filter below will search for every packet with 'google' anywhere in the frame. This filter is case sensitive and searches for an exact match.
Matches (regular expression)
The matches operator supports regular expressions, and it does not care about capitalization.
In the image below, we want to filter for any packet containing the expression "admin" (case insensitive).
In (range)
We can think of this operator as "include". The in operator will match any packet whose field value falls within the set or range specified. In the example below, Wireshark will display all packets with a TCP port in the range specified.
In the example below, we want to filter for all GET and POST requests.
Tips and tricks - Right click filtering
If we want to filter on a specific part of the frame but do not know the exact syntax, we can right-click on the field in the packet details pane and choose the Prepare as Filter option, then select the appropriate selector. In the example below, we want to filter for all GET requests.
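The contains, matches and in operators from the Special Filters section, together with the filter that Prepare as Filter generates for a GET request, collected in one added example (not the course's own screenshots). Lines starting with `#` are annotations; the search strings are constructed.

```wireshark
# contains: byte-for-byte, case-sensitive substring search.
# Searching the whole frame also hits the string inside TLS SNI, DNS names, etc.
frame contains "google"
# Restricting the search to one field is faster and more precise.
http.host contains "google"
dns.qry.name contains "google"

# matches: Perl-compatible regular expression, case-insensitive by default,
# so this also matches "Admin" and "ADMIN".
http matches "admin"
http.request.uri matches "(login|admin)"
# An inline flag turns case sensitivity back on; ^ anchors to the field start.
http.user_agent matches "(?-i)^curl"

# in: membership in a set, a range, or a mix of both.
tcp.port in {80 443 8080}
tcp.port in {1..1023}
tcp.port in {22 80 443 8000..8999}
http.request.method in {"GET" "POST"}

# What Prepare as Filter > Selected produces for the Request Method field
# of a GET request; the set form above is the natural next step from it.
http.request.method == "GET"
```

`contains` is the better choice when the pattern is a fixed string (it is a plain byte comparison), and `matches` when the pattern varies in case or structure; the `{a..b}` range syntax for `in` requires a reasonably recent Wireshark 3.x or later.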