
Basics of Wireshark: Part-2


What is color coding in Wireshark?

Packets in the Wireshark packet list are highlighted in colors such as blue, black, and green. These colors help users spot different kinds of traffic at a glance; the feature is also called packet colorization. The coloring rules defined in Wireshark are of two kinds: temporary rules and permanent rules.

Temporary rules exist only while the program is running; they are gone once you quit Wireshark.
Permanent coloring rules are saved, so they remain available the next time you run Wireshark. The steps to use color filters are discussed later in this topic.



Below is the list of filters used in Wireshark:

1. ip.addr, ip.src, ip.dst
   Example: ip.addr==10.10.100.247
   Used to filter on an IP address as the source or the destination. This example shows packets that have 10.10.100.247 as either the source or the destination. To match a particular direction only, use ip.src (source filter) or ip.dst (destination filter).

2. protocol
   Example: dns or http
   Filters on the protocol. This example requires the packet to be either DNS or HTTP and displays the traffic accordingly. The filter 'dns and http' is never used, because it would require a packet to be both DNS and HTTP at the same time, which is impossible.

3. tcp.port
   Example: tcp.port==443
   Filters on a specific port number and shows all packets that use it as the source or the destination port.

4. udp.port
   Same as tcp.port, but for UDP.

5. tcp.analysis.flags
   An example is shown in fig (5).
   Wireshark can flag TCP problems. This filter displays only the packets for which Wireshark identified an issue, such as packet loss or a TCP segment that was not captured. It quickly identifies problems and is widely used.

6. !()
   Example: !(arp or dns or icmp). This is shown in fig (6).
   Used to exclude the protocols or applications we are not interested in. This example removes ARP, DNS, and ICMP so that only the remaining traffic is left, cleaning out things that may not be helpful.

7. Follow TCP stream
   Select any packet, right-click on it, and select 'Follow' and then 'TCP Stream'. Shown in fig (7).
   Used when you want to work on a single TCP conversation. Everything belonging to that one TCP connection is displayed on the screen.

8. tcp contains
   Example: tcp contains Facebook, or udp contains Facebook
   Displays the packets that contain the given word. Here it finds the word Facebook in any packet of this trace file, i.e., the devices that are talking to Facebook. This is useful when you are looking for a username, a word, etc.

9. http.request
   Displays all the HTTP requests in the trace file, so you can see every server the client is involved with. For the responses or a specific response code, type http.response.code==200.

10. tcp.flags.syn==1 and tcp.flags.reset
    This is shown in fig (10).
    tcp.flags.syn==1 displays all packets whose SYN bit in the TCP header is set to 1. tcp.flags.reset shows all packets carrying a TCP reset.
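As an added example (not part of the original post), the Python script below builds a few constructed Ethernet/IPv4/TCP frames, dissects the header fields that the filters above test, and applies equivalents of ip.addr, ip.src, tcp.port, 'dns or http' versus 'dns and http', tcp.flags.syn==1, tcp.flags.reset and tcp contains to them. It shows which bytes each filter actually inspects and why 'dns and http' can never match. The only address taken from the page is 10.10.100.247; the others are documentation-range addresses chosen here, and protocol identification is simplified to a port heuristic (an assumption of this example; Wireshark dissects by content).

```python
import ipaddress
import struct

# TCP flag bits as they appear in byte 13 of the TCP header
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"            # zeroed MAC addresses, EtherType 0x0800 = IPv4
    ip_total = 20 + 20 + len(payload)        # IPv4 header + TCP header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(raw):
    """Return the fields the page's filters test, or None for non-IPv4/TCP frames."""
    if raw[12:14] != b"\x08\x00":            # not IPv4
        return None
    ihl = (raw[14] & 0x0F) * 4               # IPv4 header length in bytes
    if raw[23] != 6:                         # IP protocol field: 6 = TCP
        return None
    ip_hdr = raw[14:14 + ihl]
    tcp_start = 14 + ihl
    sport, dport = struct.unpack("!HH", raw[tcp_start:tcp_start + 4])
    flags = raw[tcp_start + 13]
    ports = {sport, dport}
    # Simplified protocol labelling by port (assumption of this example, not Wireshark's method)
    protocols = {"eth", "ip", "tcp"}
    if 80 in ports:
        protocols.add("http")
    if 53 in ports:
        protocols.add("dns")
    return {
        "ip.src": str(ipaddress.IPv4Address(ip_hdr[12:16])),
        "ip.dst": str(ipaddress.IPv4Address(ip_hdr[16:20])),
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.flags.syn": (flags & TCP_SYN) != 0,
        "tcp.flags.reset": (flags & TCP_RST) != 0,
        "tcp.segment": raw[tcp_start:],      # TCP header + payload, what 'tcp contains' searches
        "protocols": protocols,
    }


# Equivalents of the display filters discussed on the page
FILTERS = {
    "ip.addr==10.10.100.247": lambda p: "10.10.100.247" in (p["ip.src"], p["ip.dst"]),
    "ip.src==10.10.100.247": lambda p: p["ip.src"] == "10.10.100.247",
    "tcp.port==443": lambda p: 443 in (p["tcp.srcport"], p["tcp.dstport"]),
    "dns or http": lambda p: bool({"dns", "http"} & p["protocols"]),
    "dns and http": lambda p: {"dns", "http"} <= p["protocols"],   # never true for one packet
    "tcp.flags.syn==1": lambda p: p["tcp.flags.syn"],
    "tcp.flags.reset": lambda p: p["tcp.flags.reset"],
    "tcp contains Facebook": lambda p: b"Facebook" in p["tcp.segment"],
}


def apply_filter(frames, name):
    """Return the indexes of frames that match the named filter equivalent."""
    test = FILTERS[name]
    matches = []
    for index, raw in enumerate(frames):
        pkt = dissect(raw)
        if pkt is not None and test(pkt):
            matches.append(index)
    return matches


# Constructed sample trace (documentation-range addresses except 10.10.100.247 from the page)
SAMPLE_FRAMES = [
    build_frame("10.10.100.247", "192.0.2.10", 51000, 443, TCP_SYN),              # 0: SYN to 443
    build_frame("192.0.2.10", "10.10.100.247", 443, 51000, TCP_SYN | TCP_ACK),    # 1: SYN/ACK back
    build_frame("10.10.100.247", "192.0.2.20", 51001, 80, TCP_PSH | TCP_ACK,
                b"GET / HTTP/1.1\r\nHost: Facebook\r\n\r\n"),                     # 2: HTTP request
    build_frame("198.51.100.5", "198.51.100.53", 51002, 53, TCP_ACK),             # 3: DNS over TCP
    build_frame("198.51.100.5", "198.51.100.9", 51003, 8080, TCP_RST),            # 4: TCP reset
]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:28s} -> frames {apply_filter(SAMPLE_FRAMES, name)}")
```

Running the script lists, for each filter, the frame numbers it keeps; 'dns and http' returns an empty list on every input, which is the point the page makes about that filter.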
