Wireshark, a tool used for creating and analyzing PCAPs (network packet capture files), is commonly used as one of the best packet analysis tools. Wireshark can run on Windows, macOS, and Linux. To begin installing Wireshark on a Windows or macOS device you will need to first grab an installer from the Wireshark website. Once you have downloaded an installer, simply run it and follow the GUI wizard.
If you are using Linux you can install Wireshark with apt install Wireshark
Filtering Operators
Wireshark's filter syntax can be simple to understand making it easy to get a hold of quickly. To get the most out of these filters you need to have a basic understanding of Boolean and logic operators.
Wireshark only has a few that you will need to be familiar with:
Basic Filtering Syntax
Filtering by IP
ip.addr == <IP Address>
Filtering by SRC and DST IP
ip.src == <SRC IP Address> and ip.dst == <DST IP Address>
Filtering by TCP Protocols
tcp.port eq <Port #> or <Protocol Name>
Filtering by UDP Protocols
udp.port eq <Port #> or <Protocol Name>
Show only SMTP (port 25) and ICMP traffic:
tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
Show HTTP or DNS traffic:
http or dns
Show all traffic except ARP, ICMP and DNS:
!(arp or icmp or dns)
Interface Filters
Show packets only sent or received on the wlan0 interface:
frame.interface_name == "wlan0"
Link Layer Traffic
To show ARP traffic:
arp
how ARP protocol frames sent from device with MAC address 00:c0:ca:96:cf:cb:
arp.src.hw_mac == 00:c0:ca:96:cf:cb
Show ARP protocol frames sent from a device with an IP address 192.168.50.90:
arp.src.proto_ipv4 == 192.168.50.90
Show ARP protocol frames sent to a device with a MAC address 00:00:00:00:00:00 (this address is used when the protocol tries to find out the target MAC address.
arp.dst.hw_mac == 00:00:00:00:00:00
Show ARP protocol frames sent to the device having the IP address 192.168.50.1:
arp.dst.proto_ipv4 == 192.168.50.1
Show Ethernet traffic
eth
Show frames (in general, all frames, not just ARP, as it was in the previous examples) sent from a device that has the MAC address 00:c0:ca:96:cf:cb:
eth.src == 00:c0:ca:96:cf:cb
Show frames sent to device with MAC address 78:cd:8e:a6:73:be:1
eth.dst == 78:cd:8e:a6:73:be
Internet Layer Traffic
IPv4 Protocol Filtering
Show IP traffic (this includes TCP, UDP, as well as application layer protocols DNS, HTTP - that is, almost everything except the data link layer protocols that do not use IP addresses for data transmission (in local Ethernet networks they use MAC addresses)):
ip
Show traffic associated with a specific IP address (enter it instead of x.x.x.x). Packets will be shown in which this IP address is the source of the data OR the recipient:
ip.addr == x.x.x.x
Show traffic associated with these two IP addresses. According to the only possible situation, one of these addresses is the source, and the second is the destination address.
ip.addr == x.x.x.x && ip.addr == y.y.y.y
Show traffic originated from the host with the IP address 138.201.81.199:
ip.src == 138.201.81.199
Show traffic whose destination is the host with the IP address 138.201.81.199:
ip.dst == 138.201.81.199
Filter subnets and IP ranges in Wireshark
You can specify a subnet instead of a single IP address:
ip.addr == 192.168.1.0/24
Filtering traffic sent from a specific IP range. If you need to filter out traffic whose source is the subnet, then use a filter of the form:
ip.src == 192.168.1.0/24
Filtering traffic destined for sending to a specific IP range. If you need to filter traffic whose destination is a subnet, then use a filter of the form:
ip.dst == 192.168.1.0/24
Application layer traffic
For the application protocols of HTTP, DNS, SSH, FTP, SMTP, RDP, SNMP, RTSP, GQUIC, CDP, LLMNR, SSDP there are filters that are called like the protocols themselves, but are written in small letters.
For example, to see HTTP traffic:
http
To see the traffic of the new HTTP/2 protocol:
http2
NOTE: Remember that when deciding which protocol the transmitted data belongs to, the program considers the used port number. If a non-standard port is used, the program will not be able to find the necessary data. For example, if you connect to SSH on port 1234, the ssh filter will not find SSH traffic.
A filter that shows only the data sent by the POST method:
http.request.method == "POST"
A filter that shows only the data transmitted by the GET method:
http.request.method == "GET"
Search for requests to a specific site (host):
http.host == "<URL>"
Search requests to a specific site by part of the name:
http.host contains "here.particle.name"
Filter for outputting HTTP requests in which cookies were transmitted:
http.cookie
Requests in which the server has set cookies in the user's browser.
http.set_cookie
To search for any transferred images:
http.content_type contains "image"
To search for certain types of images:
http.content_type contains "gif"
http.content_type contains "jpeg"
http.content_type contains "png"
To search for files of a specific type:
http.content_type contains "text"
http.content_type contains "xml"
http.content_type contains "html"
http.content_type contains "json"
http.content_type contains "javascript"
http.content_type contains "x-www-form-urlencode"
http.content_type contains "compressed"
http.content_type contains "application"
Search for requests for files of a certain type. For example, to search for transferred ZIP archives:
http.request.uri contains "zip"
Instead of http.request.uri for greater accuracy, you can use the http.request.uri.path or http.request.uri.query filters, for example, to search for requests to download JPG files (links to pictures):1
http.request.uri.path contains "jpg"
You can also filter requests that contain a specific HTTP REFERRER header value. For example, to search for queries in which the referrer is ru-board.com:
http.referer contains "ru-board.com"
To investigate problems, you can analyze the status of HTTP response codes. For example, the following filter will show traffic for which a 404 Not Found error was received (page not found):
http.response.code==404
you can use the filter without specifying the desired value, for example:
http.host
In this case, all connections with any Host field value in the HTTP header will be shown.
You can specify the exact value:
http.host == "www.archlinux.org"
Or specify part of the desired string:
http.host contains "archlinux.org"
Filter by Host field in HTTP header:
http.host == "www.archlinux.org"
Filter by the Content-Type field in the HTTP header:
http.content_type == "text/plain"
Filter by Server field in HTTP header:
http.server == "nginx"
Filter by Cookie field in HTTP header:
http.cookie
http.cookie_pair
Filter by User Agent field in HTTP header:
http.user_agent == "Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
To search for redirects (Location field):
http.location
To search for sites from which a transition was made to the page (Referer field):
http.referer contains "sysnetnotes.blogspot.com"
Request filter:
http.request
http.request.uri
http.request.uri.path
http.request.uri.query.
http.request.uri.query.parameter
http.request.method
Response filters:
http.response
Search by response code:
http.response.code == 404
http.response.code==200
In fact, this list is far from complete. You can use the hints that appear as you type the names of the filters, or you can be guided by the names of the HTTP header fields, which are similar to the names of the filters.
Detecting Network Attacks with Wireshark
This section contains Wireshark filters that could help in identifying adversaries trying to find alive systems on our network.
Using these filters we should be able to detect various network discovery scans, ping sweeps and other things typically done during reconnaissance (asset discovery) phase.
| Technique | Wireshark Filter | Command / Tool |
|---|
| ARP scanning | arp.dst.hw_mac==00:00:00:00:00:00 | arp-scan -l |
| IP protocol scan | icmp.type==3 and icmp.code==2 | nmap -sO <target> |
| ICMP ping sweep | icmp.type==8 or icmp.type==0 | nmap -sn -PE <subnet> |
| TCP ping sweeps | tcp.dstport==7 | nmap -sn -PS/-PA <subnet> |
| UDP ping sweeps | udp.dstport==7 | nmap -sn -PU <subnet> |
Detection of network port scanning
| Technique | Wireshark Filter | Command / Tool |
|---|
| TCP SYN scan | tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024 | nmap -sS <target> |
| TCP Connect() scan | tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size>1024 | nmap -sT <target> |
| TCP Null scan | tcp.flags==0 | nmap -sN <target> |
| TCP FIN scan | tcp.flags==0x001 | nmap -sF <target> |
| TCP Xmass scan | tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1 | nmap -sX <target> |
| UDP port scan | icmp.type==3 and icmp.code==3 | nmap -sU <target> |
Detection of network attacks
| Technique | Wireshark Filter | Command / Tool |
|---|
| ARP poisoning | arp.duplicate-address-detected or arp.duplicate-address-frame | arpspoof, ettercap |
| ICMP flood | icmp and data.len > 48 | fping, hping |
| VLAN hoping | dtp or vlan.too_many_tags | frogger, yersinia |
| Unexplained packet loss | tcp.analysis.lost_segment or tcp.analysis.retransmission | n/a |
