Network analysis Using Wireshark 4: Capture Filters

Network Analysis Using Wireshark Version 2Network Analysis using Wireshark V.2 yoram@ndi-com.com
Network analysis using Wireshark V2 yoram@ndi-com.comPage 1
Network analysis Using Wireshark
Lesson 4:
Capture Filters

• By the end of this lesson, the participant will be able to:
▫ Understand basic capture filters
▫ Perform basic capture filtering
Lesson Objectives

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Capture filters syntax and
Tcpdump
Compound capture filters
Offset filters
The cfilters file
Chapter Content
“Tell me and I forget. Teach me and I
remember. Involve me and I learn.”
Benjamin Franklin

• Used to define which packets are going to be captured (be
careful!!!)
What are Capture Filters
• Wireshark uses the libpcap filter language for capture filters
• Manual and documentation: http://www.tcpdump.org/

• Filter examples
▫ ether host 00:08:15:00:08:15
▫ host 192.168.0.1
▫ tcp port http
Capture Filters - How to Configure
Capture
options
Capture filter
definition
Interfaces
list

Add/Delete Capture Filters

Capture on Interfaces
You can configure different capture filters on different
interfaces:

• A capture filter comes in the format:
▫ [not] primitive [and|or [not] primitive ...]
• A primitive is simply one of the following:
▫ [src|dst] host <host>
▫ ether [src|dst] host <ehost>
▫ gateway host <host>
▫ [src|dst] net <net> [{mask <mask>}|{len <len>}]
▫ [tcp|udp] [src|dst] port <port>
▫ less|greater <length>
▫ ip|ether proto <protocol>
▫ ether|ip broadcast|multicast
▫ <expr> relop <expr>
Capture Filter Structure

Basic Filters - Host Filters
Capture all packets where
host is the destination
dst host <host >
Capture all packets where
host is the source
src host <host>
host is either the ip address
or host name
host <host>
DescriptionSyntax
dst host 10.10.10.10
src host 10.10.10.10
host 10.10.10.10
Example

Basic Filters - Port Filters
Capture all packets where port is
the destination port
dst port <port >
the source
src port <port>
either the source or destination
port <port>
DescriptionSyntax
dst port 80
src port 80
Port 80
Example

Basic Filters - Network Filters
Capture all packets where net is
the destination
dst net <net >
Capture all packets where net is
the source
src net <net>
Capture all packets to/from netnet <net>
DescriptionSyntax
dst Net
192.168.1.0/24
src Net
192.168.1.0/24
Net
192.168.1.0/24
Example

Example #1:
Capture only Traffic to www.eknower.com

Examples #2:
Capture only HTTP Traffic (port 80 and 443)

Examples #3:
Capture only DNS Traffic

• Wlan – for wireless LAN capture
• Vlan – for vlan tagging capture
• Mpls – for the capture of mpls packets
• Vci/vpi for packet capture in ATM networks
And many other protocols in the present to the far past …
Some Other Supported Protocols

Tcpdump
Offset filters
The cfilters file
Chapter Content
“The true sign of intelligence is not
knowledge but imagination.”
Albert Einstein

A capture filter takes the form of a series of primitive expressions
connected by conjunctions (and/or) and optionally preceded by not:
Structured Filters
[not] primitive [and|or] [not] primitive ...
Examples:
A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host 10.0.0.5
Capturing all telnet traffic not from 10.0.0.5
tcp port 23 and not src host 10.0.0.5

• Capture non-HTTP and non-SMTP traffic on IP address 192.168.1.33
(both are equivalent):
▫ host 192.168.1.133 and not (port 80 or port 25)
▫ host 192.168.1.133 and not port 80 and not port 25
• Capture DNS traffic from servers dns237.bezeqint.com and google-
public-dns-a.google.com:
▫ port 53 and (host dns237.bezeqint.net or google-public-dns-
a.google.com)
• Capture except all ARP and DNS traffic:
▫ port not 53 and not arp
Example #4, 5, 6:

• Capture only Ethernet type EAPOL:
▫ ether proto 0x888e
• Capture only IP traffic
▫ ip
• Capture only unicast traffic
▫ not broadcast and not multicast
Examples #7,8,9:

Tcpdump
Offset filters
The cfilters file
Chapter Content
“Life is like riding a bicycle. To keep your
balance, you must keep moving.”
Albert Einstein

• protocol [Offset in bytes from the start of the
header:Number of bytes to check]
• protocol can be: ether, arp, ipv4, icmpv4, ipv6, icmpv6,
udp and tcp
Byte Offset Notation
Examples:
ip[8:1]
Go to byte 8 of the ip header
and check one byte (TTL field)
tcp[0:2]
Go to the start of the tcp
header and check 2 bytes
(source port)
Ethernet
IP
TCP

• In this case, expression is TRUE if the relation holds
▫ expr relop expr
• relop is one of >, <, >=, <=, =, !=
• expr is an arithmetic expression composed of:
▫ Integer constants (expressed in standard C syntax)
▫ The normal binary operators [+, -, *, /, %, &, |, ^, <<, >>]
▫ Length operator, and
▫ Special packet data accessors.
Offset Expressions: expr relop expr

• ip[8] = 1
▫ The 9th Byte (TTL) equals 1
Example #1:
Single Byte Filters
V
E
R
I
H
L
Total
Length
Packet
ID
F
L
Frag.
Offse
t
T
T
L
P
ro
to
Heade
rCS
Source IP
Address
Destination IP
Address
Data
1 Byte
8 Bytes
1 Byte
ip[8] = 1  TTL value equal 1
9 Bytes
1 Bytes
ip[9] = 6
The 9th Byte (Proto) equals 6
ip[9] = 6  Protocol value equal 6 (TCP)

• ip[2:2] = > 100
▫ IP packet length greater than 100
bytes
Example #2:
Multiple/Fractional Bytes Filters
V
E
R
I
H
L
Total
Length
Packet
ID
F
L
Frag.
Offse
t
T
T
L
P
ro
to
Heade
rCS
Source IP
Address
Destination IP
Address
Data
1 Byte
2 Bytes
2 Bytes
ip[2:2] > 100  IP packet length greater that 100 bytes
What is the problem with
this filter? Hint: it’s a
capture problem, not a real
one…

• Example #1: ether[12:2] & 0xffff = 0x0800 means that:
▫ Go 12 bytes forward in the Ethernet header, and check two bytes.
▫ This is the 13th and 14th bytes of the header which are the EtherType, for IP it equals
0x0800
▫ The result is that it brings up all IP packets
Example #3:
Preamble
S
O
F
Protoc
ol
Type
Source MAC
Address
Destination MAC
Address
Data
1 Byte
2 BytesPreamble and SOF:
Not presented in Wireshark
Ether[12:2] & 0xffff = 0x0800 
All Ethernet frames that carries IP packets

• Example #1: (ether[12] & 0xff = 8) means that:
▫ Go 12 bytes forward in the Ethernet header, and check one byte.
▫ This is the 13th byte of the header which is Ether Type, for IP it equals 0x0800 and
for ARP it equals 0x0806
▫ The result is that it brings us IP and ARP packets
Example #4:
Preamble
S
O
F
Protoc
ol
Type
Source MAC
Address
Destination MAC
Address
Data
1 Byte
2 BytesPreamble and SOF:
Not presented in Wireshark
Ether[12:2] & 0xffff = 0x0800 
All Ethernet frames that carries IP packets

Example #5:
TCP flags filtering
Sourc
e Port
H
L
F
l
g.
Wind
ow
Size
Data
1 Byte
13Bytes
1Byte
Dest.
Port
Sequence
Number
Acknowledge
Number
Chec
ksum
Urge
nt
Point
er
Opts.R
FinSynRstPshAck
Ur
g
Ec
n
Cw
r
12
8
1248163264
Flag
Binary value
128 1248163264 tcp[13] & 0xff = 0
128 1248163264 tcp[13] & 0xff = 1
128 1248163264 tcp[13] & 0xff = 17
128 1248163264 tcp[13] & 0xff = 18
128 1248163264 tcp[13] & 0xff = 4
128 1248163264 tcp[13] & 0xff = 20
Filter examples:

Tcpdump
Offset filters
The cfilters file
Chapter Content
“Try not to become a man of success, but
rather try to become a man of value.”
Albert Einstein

The capture filters are stored in a file named cfilters
under the Wireshark directory.
The cfilters FIle

• In this lesson we talked about:
▫ Simple capture filters
▫ Conditional filters and
▫ Offset filters
Summary
Thanks for your time
Yoram Orzach
yoram@ndi-com.com

yoram@ndi-com.com
For More lectures, Courses & Keynote Speaking
Contact Me to:

Network analysis Using Wireshark 4: Capture Filters

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Network analysis Using Wireshark 4: Capture Filters

Similar to Network analysis Using Wireshark 4: Capture Filters (20)

More from Yoram Orzach

More from Yoram Orzach (8)

Recently uploaded

Recently uploaded (20)

Network analysis Using Wireshark 4: Capture Filters