This chapter provides the basics of Wireshark capture and display filters

1. NDI Communications - Engineering & Training
Network analysis Using Wireshark
Lesson 3 – Capture and Display Filters

2. Page 2
Lesson Objectives
By the end of this lesson, the participant will be able to:
Understand basic capture filters
Understand basic display filters
Perform basic packet filtering

3. Page 3
Chapter Content
Capture filters – basics and filter language
Display filters – basics and filter language
Case studies

4. Page 4
Capture Filters
Options:Capture
Filter options will be in the format:
[not] primitive [and|or [not] primitive ...]
Filter examples
ether host 00:08:15:00:08:15
host 192.168.0.1
tcp port http
tcp port 23 and src host 10.0.0.5
Double-Click

5. Page 5
Capture Filter Structure
A capture filter comes in the format:
[not] primitive [and|or [not] primitive ...]
A primitive is simply one of the following:
[src|dst] host <host>
ether [src|dst] host <ehost>
gateway host <host>
[src|dst] net <net> [{mask <mask>}|{len <len>}]
[tcp|udp] [src|dst] port <port>
less|greater <length>
ip|ether proto <protocol>
ether|ip broadcast|multicast
<expr> relop <expr>

6. Page 6
Basic Filters - Host Filters
Capture all packets where host is the
destination
dst host <host >
Capture all packets where host is the
source
src host <host>
host is either the ip address or host
name
host <host>
DescriptionSyntax
Examples:
Host 194.90.1.5; Host www.ynet.co.il; Src host 10.1.1.1;
Dst host 100.1.1.1

7. Page 7
Basic Filters - Port Filters
Capture all packets where port is
the destination port
dst port <port >
Capture all packets where port is
the source
src port <port>
Capture all packets where port is
either the source or destination
port <port>
DescriptionSyntax
Examples:
port 80; port 5060; Src port 139; Dst port http

8. Page 8
Basic Filters - Network Filters
Capture all packets where net is the
destination
dst net <net >
Capture all packets where net is the
source
src net <net>
Capture all packets to/from netnet <net>
DescriptionSyntax
Examples:
Net 192.168.2.0/24; src net 192.168.1.0/24; dst net 12.1.1.1

9. Page 9
Byte Offset Notation
proto [Offset in bytes from the start of the header:Number
of bytes to check]
Examples:
ip[8:1]
Go to byte 8 of the ip header and check one byte (TTL field)
tcp[0:2]
Go to the start of the tcp header and check 2 bytes (source port)
Capture filters examples:
http://wiki.wireshark.org/CaptureFilters

10. Page 10
Structured Filters
A capture filter takes the form of a series of primitive expressions
connected by conjunctions (and/or) and optionally preceded by not:
[not] primitive [and|or] [not] primitive ...
Examples:
A capture filter for telnet that captures traffic to and from a particular host
tcp port 23 and host 10.0.0.5
Capturing all telnet traffic not from 10.0.0.5
tcp port 23 and not src host 10.0.0.5

11. Page 11
Example #1– Capture traffic to
www.ynet.co.il
Capture filter definition:
Host www.ynet.co.il

12. Page 12
Examples #2
Capture only traffic to or from IP address 172.18.5.4:
host 172.18.5.4
Capture traffic to or from a range of IP addresses:
net 192.168.0.0/24 or
net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
src net 192.168.0.0/24 or
src net 192.168.0.0 mask 255.255.255.0

13. Page 13
Examples #3
Capture traffic to a range of IP addresses:
dst net 192.168.0.0/24 or
dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic:
port 53
Capture non-HTTP and non-SMTP traffic on your server (both
are equivalent):
host www.example.com and not (port 80 or port 25) host
www.example.com and not port 80 and not port 25

14. Page 14
Examples #4
Capture except all ARP and DNS traffic:
port not 53 and not arp
Capture traffic within a range of ports
(tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2]
< 1550) or, with newer versions of libpcap (0.9.1 and later:
tcp portrange 1501-1549
Capture only Ethernet type EAPOL:
ether proto 0x888e

15. Page 15
Examples #5
Capture only IP traffic - the shortest filter, but sometimes very
useful to get rid of lower layer protocols like ARP and STP:
ip
Capture only unicast traffic - useful to get rid of noise on the
network if you only want to see traffic to and from your machine,
not, for example, broadcast and multicast announcements:
not broadcast and not multicast

16. Page 16
Chapter Content
Capture filters – basics and filter language
Display filters – basics and filter language
Case studies

17. Page 17
Display Filters

18. Page 18
Another way to Use Display Filters
Right click
The field you
Wand to filter
Field name appears here
Choose Prepare
Ro Apply filter
And choose
condition

19. Page 19
Details
Display filters allow you to concentrate on the packets you are
interested in while hiding the currently uninteresting ones. They allow
you to select packets by:
Protocol
The presence of a field
The values of fields
A comparison between fields
…... and a lot more
When using a display filter, all packets remain in the capture file. The
display filter only changes the display of the capture file but not its
content!

20. Page 20
Filter Comparison Operators
Frame.len <= 0x20
Frame.len ge 0x100
Frame.len < 1518
Frame.len > 64
Ip.src != 10.1.1.5
Ip.src == 10.1.1.5
Example
Less then or equal to<=le
Greaten then or equal to>=ge
Less Than<lt
Greater than>gt
Not equal!=ne
Equal==eq
DescriptionC-LikeShortcut

21. Page 21
Display Filter Field Types
There are several types of filter fields:
Unsigned integer (8-bit, 16-bit, 24-bit, 32-bit)
Boolean
Ethernet address (6 bytes)
IPv4 address
IPv6 address

22. Page 22
Unsigned integer
You can express integers in decimal, octal, or hexadecimal. The
following display filters are equivalent:
Decimal:
ip.len le 1500
Octal:
ip.len le 02734
Hexadecimal:
ip.len le 0x5DC

23. Page 23
Boolean
A boolean field is present in the protocol decode only if its value
is true.
For example, tcp.flags.syn is present, and thus true, only if the SYN
flag is present in a TCP segment header.
Thus the filter expression tcp.flags.syn will select only those
packets for which this flag exists, that is, TCP segments where
the segment header contains the SYN flag.

24. Page 24
Ethernet address (6 bytes)
Separators can be a colon (:), dot (.) or dash (-) and can have one
or two bytes between separators
Examples:
eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff
eth.dst == ffff.ffff.ffff

25. Page 25
IPv4 address
The common filter will be:
ip.addr == 192.168.0.1
Classless InterDomain Routing (CIDR) notation can be used to
test if an IPv4 address is in a certain subnet.
For example, this display filter will find all packets in the 129.111
Class-B network:
ip.addr == 129.111.0.0/16

26. Page 26
IPv6 address
ipv6.addr == ::1
ipv6.addr == 2041:0000:130F:0000:0000:09C0:876A:130B
ipv6.addr == 2053:0:130f::9c2:876a:130b
ipv6.addr == ::

27. Page 27
Combining Expressions
not ip
tr.dst[0:3] == 0.6.29 xor
tr.src[0:3] == 0.6.29
ip.scr == 10.0.0.5 or ip.src ==
192.1.1.1
ip.src == 10.0.0.5 and tcp.flags.fin
Example
Logical NOT!not
Logical XOR^^xor
Logical OR||or
Logical AND&&and
DescriptionC-LikeShortcut

28. Page 28
Substring Operators
Wireshark allows you to select subsequences of a sequence in rather elaborate
ways. After a label you can place a pair of brackets [ ] containing a comma
separated list of range specifiers.
eth.src[0:3] == 00:00:83
eth.src[1-2] == 00:83
eth.src[:4] == 00:00:83:00
eth.src[4:] == 20:20
eth.src[2] == 83
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83

29. Page 29
The "Filter Expression" dialog box
Protocol field
to be
checked
Operator to
be performed

30. Page 30
Example #6 – Filter Traffic Between
Hosts
SDSDSD
172.16.100.111
172.16.100.12
Port mirror to be configured
from the laptop, to
The Server port or
The PC port

31. Page 31
Example #7 – Filter Traffic Between
Hosts
ip.addr == 172.16.100.111 and ip.addr == 172.16.100.12

32. Page 32
Example #8 – Filter Traffic Between
Hosts
To ISP
Port mirror to be
configured from the
laptop, to the router port
192.168.101.253

33. Page 33
Example #9 – Filter Traffic Between
Hosts
ip.addr == 192.168.101.253

34. Page 34
Example #10 – Filtering ICMP
icmp

35. Page 35
Example #11 – Filtering Mail Traffic
tcp.port == 110

36. Page 36
Saving a Display Filter
When viewing the saved data, for
saving a display filter go to:
Analyze  Display Filters
And you will get:
Choose a name and save the
filter as defined

37. Page 37
Chapter Content
Capture filters – basics and filter language
Display filters – basics and filter language
Case studies

38. Page 38
Example #12 - DCERPC
DCERPC

39. Page 39
Example #13 - DCERPC
DCERPC
Spoolss runs over DCERPC and therefore
presented under this filter

40. Page 40
Example #14 - Retransmissions
tcp.analysis.retransmission

41. Page 41
Example #15 – Zero Window
tcp.analysis.zero_window

42. Page 42
Summary
For more information, technical data and many examples and case
studies:
http://www.amazon.com/Network-Analysis-Using-Wireshark-
Cookbook/dp/1849517649
Thanks!!!
Yoram Orzach
yoram@ndi-com.com
+972-52-4899699