-
Notifications
You must be signed in to change notification settings - Fork 0
3.2 Wireshark Display Filter Syntax
3.2.1 Introduction
3.2.2 Understanding Display Filters
3.2.3 Filter Expression Syntax
- 3.2.3.1 Basic Structure
- 3.2.3.2 Fields and Values
- 3.2.3.3 Operators
- 3.2.3.3.1 Comparison Operators
- 3.2.3.3.2 Logical Operators
- 3.2.3.3.3 String Operators
- 3.2.3.4 Parentheses and Precedence 3.2.4 Common Filter Expressions
- 3.2.4.1 Filtering by Protocol
- 3.2.4.2 Filtering by IP Address
- 3.2.4.3 Filtering by Port Number
- 3.2.4.4 Filtering by MAC Address
- 3.2.4.5 Filtering by HTTP Methods 3.2.5 Advanced Filter Expressions
- 3.2.5.1 Combining Multiple Conditions
- 3.2.5.2 Using Wildcards and Regular Expressions
- 3.2.5.3 Negation and Exclusions
- 3.2.5.4 Time-Based Filters 3.2.6 Examples of Complex Expressions
- 3.2.6.1 Filtering Specific Traffic Patterns
- 3.2.6.2 Isolating Malicious Activity
- 3.2.6.3 Monitoring Specific Applications 3.2.7 Best Practices for Writing Filters 3.2.8 Common Mistakes and How to Avoid Them 3.2.9 Additional Resources
Wireshark is a powerful network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. One of its most potent features is the ability to apply display filters, which enable users to focus on specific packets of interest by specifying detailed criteria. This guide delves into the syntax of Wireshark display filters, providing comprehensive explanations and numerous examples to help you master filter creation for effective network analysis.
Display filters in Wireshark allow users to refine the view of captured network traffic by specifying conditions that packets must meet to be displayed. Unlike capture filters, which determine which packets are captured and saved, display filters operate on already captured data, offering a flexible way to analyze specific aspects of the traffic without the need to recapture data.
Key differences:
- Capture Filters: Limited in functionality, set before capturing data, and use the pcap filter syntax.
- Display Filters: More expressive and powerful, applied after capturing data, and use Wireshark's own filter syntax.
Understanding the syntax is crucial for creating effective display filters. This section breaks down the components and rules that govern filter expressions in Wireshark.
A display filter expression typically consists of fields, operators, and values. The general syntax is:
field operator value
Example:
ip.src == 192.168.1.1
This expression filters packets where the source IP address is 192.168.1.1.
Fields represent specific attributes of network packets, such as IP addresses, ports, protocols, etc. Each field has an associated type (e.g., string, integer).
Values are the criteria against which fields are evaluated. Values must match the field type:
-
Numeric fields: Use numbers (e.g.,
80,443). - String fields: Use quoted strings for exact matches or unquoted for certain operators.
Examples:
tcp.port == 80
http.request.method == "GET"
Operators define the relationship between fields and values. Wireshark supports several types of operators: comparison, logical, and string-specific.
Used to compare field values numerically or lexically.
-
==: Equal to -
!=: Not equal to -
>: Greater than -
<: Less than -
>=: Greater than or equal to -
<=: Less than or equal to
Examples:
frame.len > 1000
ip.ttl <= 64
tcp.flags.syn == 1
Used to combine multiple filter expressions.
-
and: Logical AND -
or: Logical OR -
not: Logical NOT
Examples:
ip.src == 192.168.1.1 and tcp.port == 443
http.request.method == "POST" or http.request.method == "PUT"
not arp
Used for string matching within fields.
-
contains: Field contains the specified substring -
matches: Field matches the specified regular expression -
startswith: Field starts with the specified substring -
endswith: Field ends with the specified substring
Examples:
http.host contains "example.com"
frame.protocols matches "^TCP.*"
dns.qry.name startswith "www"
Parentheses () are used to group expressions and control the order of evaluation, especially when combining multiple logical operators.
Example:
(ip.src == 192.168.1.1 and tcp.port == 443) or (ip.dst == 10.0.0.1 and udp.port == 53)
In this example, the parentheses ensure that each set of conditions is evaluated together before applying the or operator.
This section provides examples of commonly used filter expressions, categorized by their application.
Filter packets based on specific protocols.
Examples:
http
tcp
udp
icmp
dns
Combined with operators:
tcp and not http
Include or exclude packets based on source or destination IP addresses.
Examples:
ip.src == 192.168.1.100
ip.dst == 10.0.0.5
ip.addr == 172.16.0.1
Range Example:
ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.255
Filter traffic on specific source or destination ports.
Examples:
tcp.port == 80
udp.port == 53
tcp.srcport == 443
tcp.dstport == 22
Multiple Ports:
tcp.port == 80 or tcp.port == 443
Use MAC addresses to filter packets from or to specific hardware addresses.
Examples:
eth.src == aa:bb:cc:dd:ee:ff
eth.dst == 11:22:33:44:55:66
eth.addr == aa:bb:cc:dd:ee:ff
Filter HTTP requests based on the method used (e.g., GET, POST).
Examples:
http.request.method == "GET"
http.request.method == "POST"
http.request.method == "DELETE"
Multiple Methods:
http.request.method == "GET" or http.request.method == "POST"
For more complex analysis, advanced filter expressions allow combining multiple criteria, using pattern matching, and more.
Use logical operators to combine multiple filter conditions for more granular filtering.
Examples:
ip.src == 192.168.1.1 and tcp.port == 443
(ip.src == 192.168.1.1 or ip.dst == 192.168.1.1) and udp.port == 53
Pattern matching can be achieved using operators like matches with regular expressions.
Examples:
http.user_agent matches "Mozilla.*"
dns.qry.name matches "^www\..*\.com$"
Wildcard-like Matching: While Wireshark doesn't support traditional wildcards, regular expressions can achieve similar results.
frame.protocols contains "TCP"
Exclude certain packets using the not operator.
Examples:
not arp
not ip.src == 10.0.0.1
tcp.port != 80
Filter packets based on time-related criteria. Note that time-based filtering often requires the use of relative fields or frame numbers.
Examples:
frame.time >= "2024-04-27 10:00:00" and frame.time <= "2024-04-27 12:00:00"
frame.number >= 1000 and frame.number <= 2000
Demonstrating the power of display filters through complex, real-world scenarios.
Identify packets that match a particular traffic flow or pattern.
Example:
ip.src == 192.168.1.100 and tcp.dstport == 443 and tcp.flags.syn == 1 and tcp.flags.ack == 0
This filter captures initial SYN packets from a specific source IP attempting to establish a TCP connection on port 443.
Filter packets that might indicate suspicious or malicious behavior.
Examples:
tcp.flags.syn == 1 and tcp.flags.ack == 1 and tcp.window_size == 0
Potentially indicative of a SYN/ACK scan.
http.request.uri contains "/admin" and http.request.method == "POST"
Possible brute-force login attempts.
Focus on traffic generated by particular applications or services.
Examples:
dns.qry.name contains "spotify.com"
ssl.handshake.extensions_server_name == "mail.google.com"
Creating effective filters requires adherence to certain best practices to ensure accuracy and performance.
-
Be Specific: The more precise your filter, the fewer irrelevant packets it will include.
ip.src == 192.168.1.100 and tcp.port == 22 -
Use Parentheses: When combining multiple conditions, use parentheses to clarify the logic and ensure correct precedence.
(ip.src == 192.168.1.100 or ip.dst == 192.168.1.100) and tcp.port == 80 -
Leverage Logical Operators: Combine
and,or, andnotto build complex filters without redundancy.tcp.port == 80 or tcp.port == 443 -
Minimize Regular Expressions: While powerful, regex filters can be resource-intensive. Use them only when necessary.
http.user_agent matches ".*Chrome.*" -
Test Filters Incrementally: Build and test your filter step-by-step to ensure each part works as expected.
-
Document Filters: Keep notes or comments on complex filters for future reference and collaboration.
Avoiding common pitfalls ensures that your filters work correctly and efficiently.
-
Incorrect Field Names: Using wrong or misspelled field names will result in errors.
// Incorrect ip.sorc == 192.168.1.1 // Correct ip.src == 192.168.1.1 -
Mismatched Value Types: Ensure that the value type matches the field type.
// Incorrect (string vs. integer) tcp.port == "80" // Correct tcp.port == 80 -
Operator Misuse: Using the wrong operator for the intended comparison.
// Incorrect ip.addr = 192.168.1.1 // Correct ip.addr == 192.168.1.1 -
Overusing
orWithout Grouping: Leading to unintended logic.// Incorrect ip.src == 192.168.1.1 or ip.dst == 192.168.1.1 and tcp.port == 80 // Correct (ip.src == 192.168.1.1 or ip.dst == 192.168.1.1) and tcp.port == 80 -
Neglecting Case Sensitivity: Some fields are case-sensitive, especially string comparisons.
// Case-sensitive filter for HTTP method http.request.method == "get" // May not match "GET" // Correct http.request.method == "GET"
For further reading and deeper understanding, consider the following resources:
- Wireshark Official Display Filter Reference
- Wireshark User's Guide
- Wireshark Display Filter Syntax
- Regular Expressions Tutorial
- Wireshark Q&A
- Wireshark Wiki
Mastering Wireshark display filter syntax empowers you to efficiently analyze network traffic by isolating relevant packets. By understanding the structure, operators, and best practices outlined in this guide, you can create precise and powerful filters tailored to your specific network analysis needs. Whether you're troubleshooting network issues, monitoring application performance, or investigating security incidents, adept use of display filters is an invaluable skill in your networking toolkit.