Wireshark is a popular network analyzer tool that captures packet data. It uses pcap to capture packets and has an easy-to-use GUI. When capturing packets in Wireshark, you should close unnecessary applications and select the interface address. You can filter the capture by IP address or port number. After capturing, you can analyze streams in the conversations tab and follow streams to see content. Filters can then be applied to remove empty or single-flow packets. When filtering, you should ensure the starting IP is correct and remove unrelated advertisements and images while keeping the host count below 30.
1. Guidelines for Capturing & Filtering in Wireshark
About Wireshark:
Wireshark is the world's most popular network analyzer. This very powerful tool provides network and upper-layer protocol information about data captured on a network.
Like a lot of other network programs, Wireshark uses the pcap network library to capture packets.
Wireshark's strength comes from:
- its ease of installation.
- the simplicity of its GUI interface.
- the very high number of functions available.
Capture in Wireshark:
1. Before starting the capture, make sure that no other process is running on the machine you are going to capture on; to do this, open Task Manager and close all the applications running on the machine apart from some mandatory system services.
3. Uncheck the 'capture packets in promiscuous mode' checkbox.
4. Then in the 'Capture Filter' field give the IP address of the machine and the ports from which the user does not want data to be captured.
In Wireshark, to capture from a particular port we use port <protocol port number>, or else port with the protocol name.
Ex: port 137
5. Click Start to capture in Wireshark.
6. Now open the application for which the traffic has to be captured and perform the actions.
7. After finishing the capture, stop the capture and save the file with the .pcap extension.
Filter Using Wireshark:
Before we start filtering, first we need to analyze the data present in the capture; for this follow the steps below:
1. Open the file in Wireshark → go to Statistics → Conversations → here we get both the TCP and UDP streams, in which we can see the data that got captured for the actions we have performed → select a stream and click 'Follow Stream' to see the content present in that particular stream → now we have to analyze whether that data is relevant to the captured application.
3. Go to the Wireshark file, look in the Filters tab and click Apply to filter out the empty packets which were selected before.
4. While saving the file, select the 'Displayed' option and save.
5. tcp.port == 60302 displays packets with TCP source or destination port 60302.
6. Click on the HTTP link to know the site which is connected.
7. Steps to follow: while filtering, concentrate on the following issues:
1. The starting IP in the pcap (both original and filtered) should be the IP of the machine on which we are capturing.
2. The number of hosts should be <= 30.
3. Empty streams should not be kept in the filtered pcap.
4. Single-flow streams should not be kept in the filtered pcap.
5. Flows should be < 70.
6. Remove the advertisements and images which are not related to the action we have performed.
7. And we have two appliances to filter for, i.e. 4k and 8k.
Other methods used while filtering a pcap
If the user wants to filter out particular TCP streams, use the expression below in the 'Filter' field.
!(tcp.stream eq 0 || tcp.stream eq 2 || tcp.stream eq 11)
Here we are removing the 1st, 3rd and 12th TCP streams (tcp.stream indexes start at 0).
After filtering, while saving the pcap, select the 'Displayed' option in the packet range; it will save the filtered pcap.
If we want to keep particular streams, then we do not use the ! operator.
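The checklist above (starting IP, host count, empty and single-flow streams, flow count) and the tcp.stream exclusion filter can both be checked outside the GUI. The following Python script is an added example, not part of these guidelines and not Wireshark's own code: it parses a classic pcap with the standard library only, numbers TCP and UDP conversations in order of first appearance the way Wireshark's tcp.stream and udp.stream fields do, reports the checklist items, and writes a new pcap with chosen TCP streams removed, which is what `!(tcp.stream eq …)` followed by Save > 'Displayed' produces. The capture bytes are constructed inline (10.0.0.5 plays the capturing machine), "single-flow stream" is assumed to mean a stream with packets in only one direction, and the writer does not preserve original timestamps or non-IPv4 frames.

```python
"""Added example (not Wireshark's code): audit a pcap against the filtering
checklist and drop chosen TCP streams, mirroring !(tcp.stream eq N ...)."""
import struct
from collections import OrderedDict

# --- constructed test frames (checksums left zero; not a real capture) -------
def _ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + hdr + l4          # Ethernet II, type IPv4

def tcp_frame(src, dst, sport, dport, payload=b""):
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return _ipv4(src, dst, 6, l4 + payload)

def udp_frame(src, dst, sport, dport, payload=b""):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet); timestamps are just counters."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# --- parsing -----------------------------------------------------------------
def packets(pcap):
    """Yield (frame, src, dst, proto, sport, dport, payload_len) for IPv4 TCP/UDP frames."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4: skipped by this audit
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (6, 17):
            continue
        l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4 if proto == 6 else 8
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield frame, src, dst, proto, sport, dport, len(l4) - hlen

def index_streams(pcap):
    """Number conversations as Wireshark's tcp.stream / udp.stream do: one
    bidirectional 4-tuple per stream, indexed in order of first appearance,
    with a separate counter per protocol. Returns (records, streams)."""
    streams, counters, records = OrderedDict(), {6: 0, 17: 0}, []
    for frame, src, dst, proto, sport, dport, plen in packets(pcap):
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        if key not in streams:
            streams[key] = {"index": counters[proto], "payload": 0, "flows": set()}
            counters[proto] += 1
        s = streams[key]
        s["payload"] += plen
        s["flows"].add((src, sport, dst, dport))       # one flow = one direction
        records.append((frame, src, dst, proto, s["index"]))
    return records, streams

# --- the checklist -----------------------------------------------------------
def audit(pcap, capture_host, max_hosts=30, max_flows=70):
    """Report the checklist items. 'Single-flow stream' is read here as a stream
    with packets in only one direction (assumption about the guideline's wording)."""
    records, streams = index_streams(pcap)
    hosts = {h for _, src, dst, _, _ in records for h in (src, dst)}
    tcp = [s for (proto, _), s in streams.items() if proto == 6]
    flows = sum(len(s["flows"]) for s in streams.values())
    return {
        "first_ip_ok": bool(records) and records[0][1] == capture_host,
        "host_count": len(hosts), "host_count_ok": len(hosts) <= max_hosts,
        "empty_tcp_streams": [s["index"] for s in tcp if s["payload"] == 0],
        "single_flow_tcp_streams": [s["index"] for s in tcp if len(s["flows"]) == 1],
        "flow_count": flows, "flow_count_ok": flows < max_flows,
    }

def drop_tcp_streams(pcap, exclude):
    """Same result as display filter !(tcp.stream eq a || tcp.stream eq b ...)
    followed by Save > 'Displayed': every frame except those TCP streams."""
    keep = [frame for frame, _, _, proto, idx in index_streams(pcap)[0]
            if not (proto == 6 and idx in exclude)]
    return build_pcap(keep)

# Constructed capture: 10.0.0.5 is the capturing machine.
SAMPLE = build_pcap([
    tcp_frame("10.0.0.5", "198.51.100.10", 40001, 80, b"GET / HTTP/1.1\r\n"),  # tcp.stream 0
    tcp_frame("198.51.100.10", "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.9", 40002, 445),                # tcp.stream 1: empty, one direction
    udp_frame("10.0.0.5", "10.0.0.255", 137, 137, b"\x00" * 8),   # udp.stream 0 (NetBIOS name service)
    tcp_frame("10.0.0.5", "203.0.113.7", 40003, 443, b"\x16\x03\x01"),  # tcp.stream 2: one direction
])

if __name__ == "__main__":
    print(audit(SAMPLE, "10.0.0.5"))
    print(audit(drop_tcp_streams(SAMPLE, {1, 2}), "10.0.0.5"))
```

Running `audit` on the sample flags tcp.stream 1 as empty and streams 1 and 2 as single-flow; `drop_tcp_streams(SAMPLE, {1, 2})` is the scripted equivalent of applying `!(tcp.stream eq 1 || tcp.stream eq 2)` and saving the displayed packets, after which the audit comes back clean. Because stream indexes are assigned in order of first appearance, re-opening the filtered file renumbers the surviving streams from 0, exactly as Wireshark does, so exclusion lists must always be read off the file currently loaded.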