Packets and Protocols - SC4 CIS Student Sites
Packets and Protocols
Chapter Five
Wireshark Filters
Packets and Protocols
Chapter 5
Filters come in two flavors:
– Capture filters: used to filter frames AS they are captured. Generally used when the amount of data that can be captured is extremely large (gigabit speed).
– Display filters: used to filter the display of the captured data. Generally used when troubleshooting a capture file.
Data can be filtered via command line captures (Tshark) or via GUI (Wireshark).
If you do not have a pretty good idea of the problem, use an open (unfiltered) capture and sort it afterwards.
– Improper filters lead to lost data.
Capture filters (aka tcpdump filters) are not the same as display filters. You can sort on:
– Host names or addresses
– Hardware addresses
– Protocols
– Ports
– Packet size
Filtering on host names or addresses:
– IPv4: host 192.168.1.1
– IPv6: host 2::8100:2:30a:c392:fc5a
– Names: host www.sc4.org
You can further narrow your search by designating source or destination addresses:
– src host 192.168.1.1
– dst host 192.168.255.255
You can also use a shorthand notation to check host addresses without using host:
– src 192.168.1.1
– dst 192.168.255.255
You can filter on an entire network as well:
– src net 192.168.100.0/24
Filtering on hardware addresses:
– ether host ff:ff:ff:ff:ff:ff
– ether src host 00:f9:06:aa:01:03
– ether src 00:f9:06:aa:01:03
Filtering on ports:
– port 80
– tcp port 80
– tcp port http
– udp dst port 53
– udp src port 53
Logical operators:
– not is equivalent to !
– and is equivalent to &&
– or is equivalent to ||
Similar to C++ commands.
– Wireshark is written in C
Logical operators in action:
– not port 53
– host www.sc4.edu and port telnet
– port telnet or port ssh
– host www.sc4.edu and ( port telnet or port ssh )
NOTE: The logical operators and and or have the same precedence, which means that they are analyzed in the order in which they are listed in the capture filter.
– If parentheses are not used, the capture filter will test for Telnet packets to or from the host www.sc4.edu, or SSH packets to and from any IP address:
host www.sc4.edu and port telnet or port ssh
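The precedence rule above is easy to get wrong when reading a filter, so here is an added example (written for this page, not code from the SC4 slides or from libpcap) that models it: a toy evaluator for a small subset of capture-filter syntax (host, port, src/dst qualifiers, tcp/udp, not, and, or, parentheses) that gives and/or equal precedence and evaluates left to right, as pcap-filter(7) documents. The packet records and the service-name table are constructed for the demonstration; real pcap compiles filters to BPF and supports far more primitives.

```python
import re

# Constructed subset of /etc/services so "port telnet" and "port ssh" resolve.
SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "domain": 53}

# Tokens: parentheses, a bare "!", or any run of non-space characters.
TOKEN = re.compile(r"\(|\)|!|[^\s()!]+")


def tokenize(expr):
    return TOKEN.findall(expr)


def port_number(value):
    return int(value) if value.isdigit() else SERVICES.get(value)


def combine(op, left, right):
    """Join two predicates; and/&& and or/|| are applied in the order parsed."""
    if op in ("and", "&&"):
        return lambda pkt: left(pkt) and right(pkt)
    return lambda pkt: left(pkt) or right(pkt)


def host_test(direction, name):
    if direction == "src":
        return lambda pkt: pkt["src"] == name
    if direction == "dst":
        return lambda pkt: pkt["dst"] == name
    return lambda pkt: name in (pkt["src"], pkt["dst"])   # plain "host": either end


def port_test(direction, number):
    if direction == "src":
        return lambda pkt: pkt["sport"] == number
    if direction == "dst":
        return lambda pkt: pkt["dport"] == number
    return lambda pkt: number in (pkt["sport"], pkt["dport"])


class Parser:
    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    # expr := term (("and"|"or") term)*  -- equal precedence, left to right
    def expr(self):
        left = self.term()
        while self.peek() in ("and", "&&", "or", "||"):
            op = self.take()
            left = combine(op, left, self.term())
        return left

    # term := "not" term | "(" expr ")" | primitive   -- "not" binds tightest
    def term(self):
        tok = self.take()
        if tok in ("not", "!"):
            inner = self.term()
            return lambda pkt: not inner(pkt)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return self.primitive(tok)

    def primitive(self, tok):
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("tcp", "udp"):
            proto = tok
            if self.peek() in ("src", "dst", "port"):      # e.g. "udp dst port 53"
                sub = self.primitive(self.take())
                return lambda pkt: pkt["proto"] == proto and sub(pkt)
            return lambda pkt: pkt["proto"] == proto
        if tok == "host":
            return host_test(direction, self.take())
        if tok == "port":
            return port_test(direction, port_number(self.take()))
        if direction is not None:                           # shorthand "src 192.168.1.1"
            return host_test(direction, tok)
        raise ValueError(f"unsupported primitive: {tok!r}")


def compile_filter(expr):
    parser = Parser(expr)
    predicate = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token: {parser.peek()!r}")
    return predicate


def matching_ids(expr, packets):
    """Return the ids of the constructed packets the filter would capture."""
    predicate = compile_filter(expr)
    return [pkt["id"] for pkt in packets if predicate(pkt)]


# Constructed packet records (not a real capture).
PACKETS = [
    {"id": 1, "src": "10.0.0.5", "dst": "www.sc4.edu", "proto": "tcp", "sport": 40001, "dport": 23},
    {"id": 2, "src": "10.0.0.5", "dst": "www.sc4.edu", "proto": "tcp", "sport": 40002, "dport": 22},
    {"id": 3, "src": "10.0.0.7", "dst": "other.test", "proto": "tcp", "sport": 40003, "dport": 22},
    {"id": 4, "src": "10.0.0.7", "dst": "other.test", "proto": "tcp", "sport": 40004, "dport": 23},
    {"id": 5, "src": "10.0.0.7", "dst": "www.sc4.edu", "proto": "udp", "sport": 40005, "dport": 53},
]

if __name__ == "__main__":
    for f in ("host www.sc4.edu and port telnet or port ssh",
              "host www.sc4.edu and ( port telnet or port ssh )"):
        print(f"{f!r:55} -> packets {matching_ids(f, PACKETS)}")
```

Run stand-alone, the unparenthesized filter also returns packet 3 (SSH to a host other than www.sc4.edu), while the parenthesized one returns only packets 1 and 2; that is exactly the behaviour the slide warns about.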
Protocols supported by capture filters:
aarp  AppleTalk Address Resolution Protocol
ah  Authentication Header
arp  Address Resolution Protocol
atalk  AppleTalk
clnp  Connectionless Network Protocol
decnet  Digital Equipment Corporation Network protocol suite
esis (or es-is)  End System-to-Intermediate System
esp  Encapsulating Security Payload
icmp  Internet Control Message Protocol
icmp6  Internet Control Message Protocol, for IPv6
igmp  Internet Group Management Protocol
igrp  Interior Gateway Routing Protocol
ip  Internet Protocol
ip6  Internet Protocol version 6
ipx  Internetwork Packet Exchange
isis (or is-is)  Intermediate System-to-Intermediate System
iso  International Organization for Standardization
lat  Local Area Transport
mopdl  Maintenance Operation Protocol
moprc  Maintenance Operation Protocol
netbeui  NetBIOS Extended User Interface
pim  Protocol Independent Multicast
rarp  Reverse Address Resolution Protocol
sca  Systems Communication Architecture
sctp  Stream Control Transmission Protocol
stp  Spanning Tree Protocol
tcp  Transmission Control Protocol
udp  User Datagram Protocol
vrrp  Virtual Router Redundancy Protocol
You can even limit the capture to individual bytes within a packet.
For example, to capture source port info only, use the offset tcp[0:15]
Numeric operators add even more flexibility to your capture capabilities.
Example:
– ICMP has several packet types: Echo request, Echo reply, Unreachable, etc…
– How can you sort based on the offset (location in the packet) to filter out one or the other packet type?
icmp[0] == 8
or
icmp[0] == 0
Or you can use ICMP type names rather than ICMP type numbers:
icmp[icmptype] == icmp-echo
or
icmp[icmptype] == icmp-echoreply
So you have choices; you can use either the names or numbers of protocol types.
You can filter on packet size as well:
– len < 100
– len > 1500
Capture filter examples:
• All HTTP Packets - tcp port 80
• Non-HTTP Packets - not tcp port 80, !tcp port 80, tcp port not 80, or tcp port !80
• HTTP Browsing to www.wireshark.org - tcp port 80 and dst www.wireshark.org
• HTTP Browsing to Hosts Other Than www.wireshark.org - tcp port 80 and not dst www.wireshark.org
• IPX Packets - ipx
• IPX Packets Destined for IPX Network 00:01:F0:EE - Not possible, because you cannot retrieve bytes using the ipx keyword
• TCP Packets - tcp or ip proto 5
• TCP SYN Packets - tcp[tcpflag] & tcp-syn == tcp-syn
• IP Packets with Total Length > 255 - ip[2:2] > 0xff
• IP or IPX Packets - ip or ipx
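The byte-offset filters on the last few slides (icmp[0] == 8, icmp[icmptype] == icmp-echoreply, tcp[tcpflag] & tcp-syn == tcp-syn, ip[2:2] > 0xff, and the source-port slice) all read raw header bytes, and it is worth seeing exactly which bytes. The following is an added example written for this page, not code from the slides or from tcpdump: it builds minimal IPv4, ICMP and TCP headers with the struct module and evaluates each filter the way tcpdump's proto[offset:width] syntax does. Two facts it relies on: tcpdump's byte slices read 1, 2 or 4 bytes, and tcp[...] offsets count from the start of the TCP header (just past the IP header), so the source port is the two bytes tcp[0:2]. The flag byte is byte 13 of the TCP header (tcpdump's keyword for it is tcpflags). Packet contents are constructed here; nothing is captured from a network.

```python
import struct

# ICMP type codes (icmp-echo / icmp-echoreply in tcpdump's vocabulary).
ECHO_REQUEST, ECHO_REPLY = 8, 0
# TCP flag bits (tcp-syn / tcp-ack in tcpdump's vocabulary).
TCP_SYN, TCP_ACK = 0x02, 0x10
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4_header(proto, total_len, src="10.0.0.5", dst="10.0.0.9"):
    """Minimal 20-byte IPv4 header (constructed; checksum left as 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)


def icmp_echo(icmp_type):
    # type, code, checksum, identifier, sequence
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


def tcp_header(sport, dport, flags):
    # 20-byte header: data offset 5 words (<<4) in byte 12, flags in byte 13
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_packet(icmp_type):
    body = icmp_echo(icmp_type)
    return ipv4_header(IPPROTO_ICMP, 20 + len(body)) + body


def tcp_packet(sport, dport, flags, payload=b""):
    body = tcp_header(sport, dport, flags) + payload
    return ipv4_header(IPPROTO_TCP, 20 + len(body)) + body


def header_start(pkt, proto):
    """Byte offset where proto[...] indexing begins, or None if proto is absent."""
    if proto == "ip":
        return 0
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length from the IHL nibble
    wanted = {"icmp": IPPROTO_ICMP, "tcp": IPPROTO_TCP}[proto]
    return ihl if pkt[9] == wanted else None  # byte 9 of IPv4 = protocol number


def field(pkt, proto, offset, width=1):
    """Evaluate proto[offset:width] as an unsigned big-endian integer."""
    if width not in (1, 2, 4):
        raise ValueError("tcpdump byte slices are 1, 2 or 4 bytes wide")
    start = header_start(pkt, proto)
    if start is None:
        return None
    return int.from_bytes(pkt[start + offset:start + offset + width], "big")


# The slide filters as predicates over a raw packet.
def is_echo_request(pkt):          # icmp[0] == 8
    return field(pkt, "icmp", 0) == ECHO_REQUEST


def is_echo_reply(pkt):            # icmp[0] == 0
    return field(pkt, "icmp", 0) == ECHO_REPLY


def is_tcp_syn(pkt):               # tcp[tcpflags] & tcp-syn == tcp-syn
    flags = field(pkt, "tcp", 13)
    return flags is not None and (flags & TCP_SYN) == TCP_SYN


def is_syn_only(pkt):              # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    flags = field(pkt, "tcp", 13)
    return flags is not None and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN


def ip_total_length_over(pkt, limit=0xFF):   # ip[2:2] > 0xff
    return field(pkt, "ip", 2, 2) > limit


def tcp_source_port(pkt):          # tcp[0:2], the two source-port bytes
    return field(pkt, "tcp", 0, 2)


if __name__ == "__main__":
    samples = {
        "ICMP echo request": icmp_packet(ECHO_REQUEST),
        "TCP SYN to port 80": tcp_packet(40000, 80, TCP_SYN),
        "TCP SYN/ACK from port 80": tcp_packet(80, 40000, TCP_SYN | TCP_ACK),
        "TCP ACK with 300-byte payload": tcp_packet(40000, 80, TCP_ACK, b"x" * 300),
    }
    for name, pkt in samples.items():
        print(f"{name:30} echo-req={is_echo_request(pkt)!s:5} syn={is_tcp_syn(pkt)!s:5} "
              f"syn-only={is_syn_only(pkt)!s:5} len>255={ip_total_length_over(pkt)!s:5} "
              f"sport={tcp_source_port(pkt)}")
```

Two details the output makes visible. First, tcp[tcpflags] & tcp-syn == tcp-syn also matches SYN/ACK segments, because it only asks whether the SYN bit is set; masking with (tcp-syn|tcp-ack), as is_syn_only does, isolates the first packet of a handshake. Second, the parentheses in the Python predicates are required: tcpdump evaluates the & before the ==, but Python gives == the higher precedence, so flags & TCP_SYN == TCP_SYN would silently compute flags & True.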
Capturing from the command line with Tshark
– TShark accepts capture filters on the command-line with the -f option, as shown in this example.
Capture options dialogue box – a bit easier to use than command prompt filters.
For almost every item you see in the protocol tree in the middle pane of Wireshark's GUI, Wireshark has a field name that you can use in a display filter.
For example, to find .doc at the end of a string, use the $ anchor: \.doc$
Other byte sequenced search examples:
– eth.src == 00:09:f6:01:cc:b3 (source of a specific MAC address)
– eth.src == picard (source is a PC called picard)
– frame contains POST (frame contains the word POST)
– frame contains 50:4f:53:54 (partial MAC address)
– http contains GET (HTTP GET frames)
– frame contains 01:00:0c (searches by OID)
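To make concrete the difference between a whole-frame byte search (frame contains ...) and a field comparison (eth.src == ...), here is an added example written for this page, not code from the slides or from Wireshark. It searches a constructed Ethernet II frame: the destination MAC is 01:00:0c:cc:cc:cc (the Cisco CDP/VTP multicast address), the source MAC is the one from the slide, and the payload is 40 placeholder bytes standing in for the IP and TCP headers followed by an HTTP request line. The hex bytes 50:4f:53:54 are the ASCII codes of "POST", so both forms of that filter find the same bytes. The pattern_bytes helper is a simplification of how Wireshark decides whether an unquoted value is text or a byte string; it is not Wireshark's parser.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def pattern_bytes(pattern):
    """Turn a display-filter value into the byte sequence to search for.
    Colon-separated two-digit hex pairs ('50:4f:53:54') become raw bytes;
    anything else ('POST') is taken as ASCII text.  (Simplified rule.)"""
    parts = pattern.split(":")
    if len(parts) > 1 and all(len(p) == 2 and set(p) <= HEX_DIGITS for p in parts):
        return bytes.fromhex("".join(parts))
    return pattern.encode("ascii")


def frame_contains(frame, pattern):
    """'frame contains X': true if the bytes occur anywhere in the frame,
    headers included; it is not limited to any one protocol layer."""
    return pattern_bytes(pattern) in frame


def eth_dst(frame):
    """'eth.dst' field: destination MAC is bytes 0..5 of an Ethernet II frame."""
    return ":".join(f"{b:02x}" for b in frame[0:6])


def eth_src(frame):
    """'eth.src' field: source MAC is bytes 6..11 of an Ethernet II frame."""
    return ":".join(f"{b:02x}" for b in frame[6:12])


# Constructed frame (no capture file is read).
FRAME = (
    bytes.fromhex("01000ccccccc")       # dst MAC 01:00:0c:cc:cc:cc
    + bytes.fromhex("0009f601ccb3")     # src MAC 00:09:f6:01:cc:b3 (from the slide)
    + bytes.fromhex("0800")             # EtherType IPv4
    + b"\x00" * 40                      # placeholder for IP + TCP headers
    + b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
)


def evaluate_filters(frame):
    """Apply the slide's filters to one frame and report which ones match."""
    return {
        "frame contains POST": frame_contains(frame, "POST"),
        "frame contains 50:4f:53:54": frame_contains(frame, "50:4f:53:54"),  # same bytes as POST
        "frame contains 01:00:0c": frame_contains(frame, "01:00:0c"),        # matches inside the dst MAC
        "frame contains GET": frame_contains(frame, "GET"),
        "eth.src == 00:09:f6:01:cc:b3": eth_src(frame) == "00:09:f6:01:cc:b3",
        "eth.dst == 01:00:0c:cc:cc:cc": eth_dst(frame) == "01:00:0c:cc:cc:cc",
    }


if __name__ == "__main__":
    for flt, hit in evaluate_filters(FRAME).items():
        print(f"{flt:32} {'match' if hit else 'no match'}")
```

Note that frame contains 01:00:0c hits this frame because of the destination MAC bytes, not because of anything in the payload; a whole-frame search will match any layer where the sequence happens to occur, which is why the slide's counters at the bottom of the display are worth checking after each filter.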
Other packet info to filter on:
– Time: frame.time > "Jan 5, 2006 09:13:55"
– Misc: http contains "HTTP/1.0"
IMPORTANT
– Syntax is important:
http contains Keep-Alive: 300
and
http contains "Keep-Alive: 300"
will both appear to work, but they do not display the same info. Be sure to watch your counters at the bottom of the capture display.
You can share filters with other users. Look for the "cfilters" and "dfilters" files.
Multiple occurrences of fields
– This can happen in tunneled or encapsulated packets, so be aware of where the data is located in each packet!
Generic versions of SRC and DST
Other uses for display filters
Colorize your captures!