Wireshark: Difference between revisions
(Created page with "== Display Filters == ;References * [https://wiki.wireshark.org/DisplayFilters DisplayFilters] ;Examples Show only SMTP (port 25) and ICMP traffic: tcp.port eq 25 or icm...") |
|||
Line 6: | Line 6: | ||
Show only SMTP (port 25) and ICMP traffic: |
Show only SMTP (port 25) and ICMP traffic: |
||
tcp.port eq 25 or icmp |
tcp.port eq 25 or icmp |
||
Show only traffic to and from a given server at addr 10.43.54.65: |
|||
ip.addr == 10.43.54.65 |
|||
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet: |
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet: |
Latest revision as of 07:59, 2 July 2015
Display Filters
- References
- Examples
Show only SMTP (port 25) and ICMP traffic:
tcp.port eq 25 or icmp
Show only traffic to and from a given server at addr 10.43.54.65:
ip.addr == 10.43.54.65
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
TCP buffer full -- Source is instructing Destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1
Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
smb || nbns || dcerpc || nbss || dns
Sasser worm: --What sasser really did--
ls_ads.opnum==0x09
Match packets containing the (arbitrary) 3-byte sequence 0x81, 0x60, 0x03 at the beginning of the UDP payload, skipping the 8-byte UDP header. Note that the values for the byte sequence implicitly are in hexadecimal only. (Useful for matching homegrown packet protocols.)
udp[8:3]==81:60:03
The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details. Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:
eth.addr[0:3]==00:06:5B
It is also possible to search for characters appearing anywhere in a field or protocol by using the matches operator.
Match packets that contains the 3-byte sequence 0x81, 0x60, 0x03 anywhere in the UDP header or payload:
udp contains 81:60:03
Match packets where SIP To-header contains the string "a1762" anywhere in the header:
sip.To contains "a1762"
The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax. Note: Wireshark needs to be built with libpcre in order to be able to use the matches operator.
Match HTTP requests where the last characters in the uri are the characters "gl=se":
http.request.uri matches "gl=se$"
Note: The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of http.request.uri field.
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
- Gotchas
Expression | Equivalent to |
---|---|
|
|
|
Probably not correct. |
|
|