36.6 C
Jaipur
Wednesday, May 25, 2022

How to use Filters in Wireshark

Must read

Wireshark is a Free and Open Source Software (FOSS) and it is developed by a community of enthusiastic developers. Wireshark (Formerly Ethereal) is used for capturing and investigating the traffic on a network. With Wireshark one can see what is going on their network: You can see from where the traffic is coming in and where it is going to. If you are working in a production environment, you are going to get a lot of traffic. It will be very cumbersome to inspect this traffic without the knowledge of Wiresharks’s filter functionalities. Using the filters you can see exactly the type of traffic you want and everything else will be removed from the scene.

What will we cover?

In this guide, we are going to explore how to create and efficiently apply filters in Wireshark. Let us get started now.

Introducing Wireshark Filters

Wireshark filters are all about simplifying your packet search. For e.g. if you want to see only the TCP traffic or packets from a specific IP address, you need to apply the proper filters in the filter bar. Wireshark does not understand the straightforward sentences “ filter out the TCP traffic” or “ Show me the traffic from destination X”.  So you need to learn some fancy syntax and rules for applying these filters.

There are basically two types of filters in Wireshark: Capture Filter and Display Filter. There is a difference between the syntax of the two and in the way they are applied. 

Capture filters are applied before the start of the capturing operation. In this way, only that traffic is stored which you are interested to view. This filter cannot be changed after the start of the capture operation.  Display filters on the other hand are applied on all the packets captured. It can be later canceled and changed (It can be applied while a capture is running). 

In the display filter, the capture is actually stored in a trace buffer. Thus it only hides the traffic which does not matter to you and only shows the one you are interested in.

Writing a Capture Filter 

Let us first start with the capture filter. You can find the capture filter on the very first screen after you launch Wireshark: 


The filter will be applied to the selected interface. Another way is to use the Capture menu and select the Options submenu (1).

Capture Menu

Equivalently you can also click the gear icon (2), in either case, the below window will prompt:

Capture Menu Options
In the text box labeled as ‘Enter a capture filter’, we can write our first capture filter. But if you want you can use the bookmark icon to use the pre-made filters.

Capture filters are written in the libpcap filter format. They are built of a sequence of primitive expressions. These expressions are joined by conjunctions (and/or) and can start with a ‘not’. Here is the syntax:

[not] primitive [and|or [not] primitive ...]

To illustrate this, suppose we want to capture UDP traffic from or to host 192.168.18.161. The capture filter expression, in this case, will be:

udp and host 192.168.18.161

Capture Menu Expression
Some of the primitives to use in the above expression can be:

  1. [src|dst] host <host>: Used for filtering on a host IP address or name. It can precede with src|dst to identify the source or destination address.
  2. ether [src|dst] host <ehost>: Used for filtering on Ethernet host addresses. It can also precede with src|dst to identify the source or destination address.
  3. gateway host <host>: Used for filtering packets that have used host as a gateway.
  4. [src|dst] net <net> [{mask <mask>}|{len <len>}]: Used for filtering on network numbers. It can also precede with src|dst to identify the source or destination address.
  5. [tcp|udp] [src|dst] port <port>: Used for filtering on TCP and UDP port numbers. 

You can find all the primitives for the above expression from the list here.

Writing a Display Filter

For writing a display filter, one thing you will need is the knowledge of boolean operators. Yes, you are right, we are talking about the basic AND, OR and NOT operations. Using these we can also combine multiple filter queries into one. For example, if we are looking for TCP traffic and packets utilizing port 80, we can write the filter as:

tcp and tcp.port == 80

Another way is to use the expression:

tcp && tcp.port == 80

Display Filter

Below we have listed commonly used boolean expressions in Display filters:

1. == or eq (Equal operation)

2. && or and ( And operation)

3. || (double pipe) or or (Or operation)

Conclusion

In this guide, we’ve learned about ‘how to use filters in the Wireshark software’. We would recommend you to explore Wireshark filters by performing hands-on practicals. In this way, you can have a better understanding of this tool.  If you are interested, you can explore more about Wireshark by visiting the official website of Wireshark at https://www.wireshark.org.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -

Latest article