1. Mobile Malware threats and detection mechanism
   Rakib Amin, Mehedee Zaman, Tazrian Siddiqui
   Supervisor: Dr. M Shohrab Hossain

2. Presentation on Wireshark's Display Filter: How do we use it?
   Rakib Amin, md.rakib.amin@gmail.com

3. // Special Note
   This is an implementation-based tutorial on Display Filters only (you should be familiar with Wireshark already). Most slides contain screenshots. For documentation, visit http://wiki.wireshark.org

4. Module 1: Understanding Captures

5. Screenshot of a .pcap file inside Wireshark showing a capture.

6. All packets following the http protocol are listed for the filter string "http".

7. The filter bar background becomes red when a non-existent or otherwise invalid filter string is entered.

8. Module 2.1: Creating Filter strings for Display Filters

9. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.
   Comparison operators: fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols:
   - Equal
   - Not Equal
   - Greater than
   - Less than
   - Greater than or Equal to
   - Less than or Equal to

10. All packets with frame length equal to 100.

11. All packets with an http "GET" request.

12. Logical expressions: tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:
    - Logical AND
    - Logical OR
    - Logical NOT
    Example: tcp.port == 80 and ip.src == 192.168.2.1

13. All packets with TCP port no. 80 and from 50.16.247.204.

14. /* Complete reference for creating filter strings */
    In the menu bar: Help -> Manual Pages -> Wireshark Filter
    or https://www.wireshark.org/docs/dfref/
    A list of Frequently Used Display Filter Strings is given in the FUDF slides (35 and 36).
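Added example (not from the slides): a small Python evaluator for the filter syntax of slides 9 to 14, run over a constructed packet list. It accepts the English-like and C-like comparison operators, a bare field or protocol name as an existence test, and/or/not chaining, and raises an error for a string that would turn the filter bar red; field names follow Wireshark's, while the packets, addresses, ports and frame numbers are made up, and parentheses are not supported.

```python
import re
from operator import eq, ne, gt, lt, ge, le

# Added example (not from the slides): a miniature evaluator for Wireshark-style display filter
# strings (no parentheses). Every field holds a list, because a field such as tcp.port occurs
# twice per packet (source and destination); as in Wireshark, a test matches if ANY value does.
COMPARE = {"eq": eq, "==": eq, "ne": ne, "!=": ne, "gt": gt, ">": gt, "lt": lt, "<": lt,
           "ge": ge, ">=": ge, "le": le, "<=": le, "contains": lambda a, b: str(b) in str(a)}
TEST = re.compile(r'(not\s+|!\s*)?([\w.]+)'
                  r'(?:\s*(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le|contains)\s*("[^"]*"|[\w.]+))?')

def compile_filter(text):
    """Split on or/||, then on and/&&, parse each 'field [op value]' test; return pkt -> bool."""
    if not text.strip():
        return lambda p: True  # an empty filter shows every packet
    def test(term):
        m = TEST.fullmatch(term.strip())
        if not m:  # the state Wireshark signals by painting the filter bar red
            raise ValueError(f"invalid filter string: {term!r}")
        negate, field, op, raw = m.groups()
        if op is None:
            check = lambda p: field in p  # a bare field or protocol name tests for existence
        else:
            value = raw[1:-1] if raw[0] == '"' else raw  # quoted string or bare word (e.g. an IP)
            if re.fullmatch(r"0x[0-9a-fA-F]+|[1-9]\d*|0", raw):
                value = int(raw, 0)  # decimal or hex number
            fn = COMPARE[op]
            check = lambda p: any(fn(v, value) for v in p.get(field, []))
        return (lambda p: not check(p)) if negate else check
    disjuncts = [[test(t) for t in re.split(r"\s+and\s+|\s*&&\s*", conj)]
                 for conj in re.split(r"\s+or\s+|\s*\|\|\s*", text)]
    return lambda p: any(all(t(p) for t in conj) for conj in disjuncts)

# Constructed sample capture keyed by frame number (made-up addresses, ports and sizes).
# Protocol layers appear as keys with no value so that a bare "tcp" or "dns" test can match.
CAPTURE = {
    1: {"frame.len": [100], "ip": [], "ip.src": ["192.168.2.1"], "ip.dst": ["50.16.247.204"],
        "tcp": [], "tcp.port": [51234, 80], "http": [], "http.request.method": ["GET"]},
    2: {"frame.len": [60], "ip": [], "ip.src": ["50.16.247.204"], "ip.dst": ["192.168.2.1"],
        "tcp": [], "tcp.port": [80, 51234]},
    3: {"frame.len": [100], "ip": [], "ip.src": ["192.168.2.1"], "ip.dst": ["8.8.8.8"],
        "udp": [], "udp.length": [37], "dns": [], "dns.flags": [0x0100]},
}

def matching_frames(filter_text):
    """Frame numbers that pass the display filter, as the packet list would show them."""
    pred = compile_filter(filter_text)
    return [n for n, pkt in CAPTURE.items() if pred(pkt)]
```

For instance, matching_frames("tcp.port == 80 and ip.src == 192.168.2.1") returns [1], and matching_frames("dns and not tcp") returns [3].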
15. Module 2.2: Creating a new Display Filter inside Wireshark

16. In the menu bar: Analyze -> Display Filters...

17. Click the New button, type in the filter name and string (using the syntax from the previous slides), and hit Enter.

18. In the Filter bar -> Expression... check the available expressions.

19. Select a field, relation and value, then hit OK.

20. The filter appears in the Filter window as a filter string.

21. Module 3: Advanced Display Filters

22. Just select a packet, right-click, and you can use that value as a filter (ip.src==10.128.223.139). Other options AND, OR or AND NOT the value with the existing filter string.

23. Conversation Filter takes the selected addresses and shows only the packets of their conversation.

24. Bonus: Advanced Conversation

25. Another interesting thing you can do is right-click a packet and select Follow TCP Stream.

26. You'll see the full conversation between the client and the server, and in the capture window only those packets.

27. TCP Conversation: it is useful when we are looking for passwords in a Telnet stream, or are trying to make sense of a data stream. Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order. The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue.
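Added example (not from the slides): a Python model of what Conversation Filter (slide 23) and Follow TCP Stream (slides 25 to 27) do, run over constructed TCP segments with made-up addresses from the documentation ranges, ports, sequence numbers and payloads. The filter string is built by ANDing both addresses and both ports, as slide 23 describes; the followed stream keeps capture order, tags each chunk A->B or B->A (the red and blue colouring of slide 27) and shows a retransmitted segment only once.

```python
# Added example (not from the slides): what Conversation Filter and Follow TCP Stream do, modelled
# on constructed segments (frame, src, sport, dst, dport, seq, payload); addresses are made up.
SEGMENTS = [
    (1, "192.0.2.10", 51234, "198.51.100.7", 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    (2, "192.0.2.10", 51234, "198.51.100.7", 80, 1026, b"Host: www.example.com\r\n\r\n"),
    (3, "198.51.100.7", 80, "192.0.2.10", 51234, 5000, b"HTTP/1.1 200 OK\r\n"),
    (4, "192.0.2.10", 51234, "198.51.100.7", 80, 1026, b"Host: www.example.com\r\n\r\n"),  # retransmit
    (5, "198.51.100.7", 80, "192.0.2.10", 51234, 5017, b"Content-Length: 0\r\n\r\n"),
    (6, "192.0.2.99", 40000, "198.51.100.7", 80, 1, b"GET /other HTTP/1.1\r\n"),  # another stream
]

def endpoints_of(frame):
    """The two (ip, port) endpoints of the conversation the selected frame belongs to."""
    _, src, sport, dst, dport, _, _ = next(s for s in SEGMENTS if s[0] == frame)
    return frozenset({(src, sport), (dst, dport)})

def conversation_filter(frame):
    """Display filter that restricts the packet list to one conversation: both addresses and both
    ports ANDed together, the shape of filter the Conversation Filter menu entry builds."""
    (a_ip, a_port), (b_ip, b_port) = sorted(endpoints_of(frame))
    return f"ip.addr == {a_ip} and tcp.port == {a_port} and ip.addr == {b_ip} and tcp.port == {b_port}"

def follow_tcp_stream(frame):
    """Payload of the selected frame's conversation in capture order, each chunk tagged with its
    direction: "A->B" is the side that sent the first segment (red in Wireshark), "B->A" the other
    (blue). A retransmitted segment (same sender and sequence number) is shown once, as reassembly does."""
    ends = endpoints_of(frame)
    side_a, seen, chunks = None, set(), []
    for _, src, sport, dst, dport, seq, data in sorted(SEGMENTS):
        if {(src, sport), (dst, dport)} != ends or (src, sport, seq) in seen:
            continue  # another conversation, or a duplicate of a segment already shown
        seen.add((src, sport, seq))
        side_a = side_a or (src, sport)  # the first segment seen defines side A
        chunks.append(("A->B" if (src, sport) == side_a else "B->A", data))
    return chunks

def direction_bytes(frame, direction):
    """One direction of the followed stream concatenated, like the per-direction view of the dialog."""
    return b"".join(data for tag, data in follow_tcp_stream(frame) if tag == direction)

if __name__ == "__main__":
    print(conversation_filter(1))
    for tag, data in follow_tcp_stream(1):
        print(tag, data)
```

Selecting any frame of the conversation (1 or 3 here) yields the same filter and the same ordered stream, and the retransmitted frame 4 appears only once.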
28. Bonus: Add as a Column

29. Select a parameter from a packet description, right-click, Apply as Column to take it as a column in the packet list.

30. Bonus: I/O and Flow Graphs

31. Menu bar: Statistics -> I/O Graph

32. Statistics -> Flow Graph... Filter: A<->B or A<->C, where A, B and C are IP addresses.

33. // Summary
    We discussed:
    - Understanding Captures
    - Creating Filter strings for Display Filters
    - Creating a new Display Filter inside Wireshark
    - Advanced Display Filters

34. // Reference
    I am indebted to:
    - CBT Nuggets Wireshark with Keith Barker
    - http://wiki.wireshark.org
    - How-To Geek community

35. Frequently Used Display Filters:

    Filter string                                      Description
    ip.src==8.8.8.8                                    Look for a specific source IP
    http or tcp                                        Only HTTP/TCP packets
    tcp.port==80                                       Look for packets through port 80
    http.request.method == "GET"                       Only GET request packets
    http.response.phrase contains "contacts"           Packets containing the word "contacts"
    ip.opt.ohc < 10                                    Outbound hop counts < 10
    bgp.nexthop == 8.8.8.8                             Border Gateway Protocol Next Hop search
    ftp.active.port                                    Only active FTP client PORT
    wlan.addr == 8.8.8.8                               Checks hardware address (IEEE 802.11)
    dns.resp.type                                      DNS response type
    udp.destport                                       UDP destination port
    tcp.stream                                         All conversations

36. Frequently Used Display Filters (continued):

    Filter string                                      Description
    arp.dst.hw_mac                                     ARP target MAC address
    udp.length == 37                                   Check UDP packet length
    frame.time == "Aug 17, 2014 00:56:14.935620000"    Check frame arrival time
    dns.flags == 0x8180                                DNS flag check (standard query response)
    dns.resp.addr == 54.241.179.41                     DNS response address
    ip.proto == 17 / "udp"                             UDP/TCP protocol check (17 = UDP)
    icmp.type == 3                                     Internet Control Message Protocol type (3 = destination unreachable)
    ssl.handshake.type == 1                            Secure Socket Layer handshake type (1 = Client Hello, 11 )

37. Thank you.
