Wireshark Filters



Wireshark is a freeware sniffer that can capture packets from a wired or wireless LAN connection. It is a very powerful tool which can provide network and upper layer protocol data captured on a network. Like a lot of other network programs, Wireshark uses the pcap network library to capture packets.
Wireshark was called Ethereal until 2006 when the main developer decided to change its name because of copyright reasons with the Ethereal name, which was registered by the company he decided to leave in 2006.
In Exercise 1 you installed and began capturing packets using Wireshark. To narrow down the amount of information gathered by Wireshark, you can use filters. These filters limit the amount of information captured or displayed.
Here are some examples of Wireshark filters:
  • ip.dst eq www.eccouncil.org This sets the filter to capture only packets destined for the web server www.eccouncil.org.
  • ip.src == 192.168.1.1 This sets the filter to capture only packets coming from the host 192.168.1.1.
  • eth.dst eq ff:ff:ff:ff:ff:ff This sets the filter to capture only Layer 2 broadcast packets.
  • host 172.18.5.4 This sets the filter to capture only traffic to or from IP address 172.18.5.4.
  • net 192.168.0.0/24 This sets the filter to capture traffic to or from a range of IP addresses.
  • port 80 This sets the filter to capture traffic to destination port 80 (HTTP).
  • port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 This sets the filter to capture HTTP GET requests. The filter looks for the bytes "G", "E", "T", and " " (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length.
Exercise 1 shows you how to write filters in Wireshark.
Exercise 1: Create a Wireshark filter to capture only traffic to or from an IP address

  1. Open Wireshark.

  2. Click the active Network Interface to capture traffic.
  3. Click Capture, then select filters.

  4. Click the new button to create a new filter.
  5. Name the new filter in the filter name field.
  6. Type host IPaddress in the filter string field.
  7. Click OK.
  8. Select the capture menu and click start to begin the capture.
Repeat the above steps to create filters using the following strings:
  • net 192.168.0.0/24 To capture traffic to or from a range of IP addresses.
  • src net 192.168.0.0/24 To capture traffic from a range of IP addresses.
  • dst net 192.168.0.0/24 To capture traffic to a range of IP addresses.
  • port 53 To capture only DNS (port 53) traffic.
  • host www.example.com and not (port 80 or port 25) To capture non-HTTP and non-SMTP traffic on your server.
  • port not 53 and not arp To capture all except ARP and DNS traffic.
  • tcp portrange 1501-1549 To capture traffic within a range of ports.
  • not broadcast and not multicast Capture only unicast traffic. Useful to get rid of noise on the network if you only want to see traffic to and from your machine.
Practice writing filters in Wireshark that capture only one type of protocol traffic or traffic from a specific source IP or MAC address. Use your PC's IP or MAC address to test that the filter is working.
It's important to understand how to create these filters before you attempt the CEH exam.

No comments:

Post a Comment

Popular Posts