Skip to main content

Explain Wireshark Filters


One of the best and must usale features of Wireshark is the Wireshark Capture Filters and Wireshark Display Filters. Filters allow you to view the capture the way you need to see it so you can troubleshoot the issues at hand. Here are several filters to get you started.


Explain Wireshark Filters


Wireshark Capture Filters


Capture filters limit the captured packets by the filter. Meaning if the packets don’t match the filter, Wireshark won’t save them. Here are some examples of capture filters:

host IP-address: this filter limits the capture to traffic to and from the IP address

net 192.168.0.0/24: this filter captures all traffic on the subnet.

dst host IP-address: capture packets sent to the specified host.

port 53: capture traffic on port 53 only.

port not 53 and not arp: capture all traffic except DNS and ARP traffic

Wireshark Display Filters




Wireshark Display Filters change the view of the capture during analysis. After you have stopped the packet capture, you use display filters to narrow down the packets in the Packet List so you can troubleshoot your issue.

The most useful (in my experience) display filter is:

ip.src==IP-address and ip.dst==IP-address

This filter shows you packets from one computer (ip.src) to another (ip.dst). You can also use ip.addr to show you packets to and from that IP. Here are some others:

tcp.port eq 25: This filter will show you all traffic on port 25, which is usually SMTP traffic.

icmp: This filter will show you only ICMP traffic in the capture, most likely they are pings.

ip.addr != IP_address: This filter shows you all traffic except the traffic to or from the specified computer.

Analysts even build filters to detect specific attacks, like this filter to detect the Sasser worm:

ls_ads.opnum==0x09

Labels:

Comments

Post a Comment

Popular posts from this blog

What is STP? - Explain Advantages and Disadvantages

The Spanning Tree Protocol is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. STP is a protocol. It actively monitors all links of the network. To finds a redundant link, it uses an algorithm, known as the STA (spanning-tree algorithm). The STA algorithm first creates a topology database then it finds and disables the redundant links. Once redundant links are disabled, only the STP-chosen links remain active. If a new link is added or an existing link is removed, the STP re-runs the STA algorithm and re-adjusts all links to reflect the change. STP (Spanning Tree Protocol) automatically removes layer 2 switching loops by shutting down the redundant links. A redundant link is an additional link between two switches. A redundant link is usually created for backup purposes. Just like every coin has two sides, a redundant link, along with...
5 comments
Read more

How to Reset Steam Password? – Recover Your Steam Password

Are you suffering with Reset Steam Password? This blog will help you. What is Steam? Steam is the online website for getting the best games for paid. If you are a true game lover then you should have an active account on Steam. Many of people lost their password during the  PC clean-up  or any other circumstances. At that time they have to reset Password of all accounts. Then if you facing issues with the password, you forced to Steam reset password to access the Steam account. We are going to share the guide that how to recover your forgotten Steam Password and make your existing account ready. First of all, you should have enough knowledge about what is Steam and why Steam Account required? Why Steam Account Requires? Before jump into password recovery and Login details, let me clear about why Steam Account required? There are several benefits of this Steam Account from where you can easily download PC games as well as software. Though it will be p...
Post a Comment
Read more