HakTip 121 – Wireshark 101: Expressions Examples
On this week’s episode of HakTip, Shannon Morse gives several expression examples that you can use when working within the Display Filter Box.
Today is all about expression examples. It's a little weird to work within the boundaries of this little text box and what it'll accept. Over the years Wireshark has been updated, and so has the syntax of the expressions it accepts; today I'm using Wireshark v1.12.1.

I'll start with some hostname and addressing filters. I ran a Wi-Fi packet capture on my network and I want to find all the packets coming from 192.168.1.180, so I'll type ip.src == 192.168.1.180. This tells Wireshark I'm looking for a source IP equal to 192.168.1.180. If I change this to ip.src_host I'll get pretty much the same output (that field holds the resolved host name of the source, and falls back to the address when no name is known). If I change it to ip.addr, I'll get anything that involves that address, as source or destination, and ip.dst will give me just the packets going to it. If you're on an IPv6 network, change ip to ipv6 and change the address to the IPv6 address you're looking for. It'll look like 2001:0db8:0000:0000:0000:ff00:0042:8329, eight groups of 16 bits each. If your capture shows DNS host names (name resolution has to be turned on under View > Name Resolution), you can type ip.host == nameofthehost. Now try ip.addr == 192.168.1.0/24: this shows anything on that network, meaning every packet whose source or destination address falls within that range.
Since I'm on an IPv4 network, I can also filter on about a hundred other ip fields. I should mention that it would be incredibly hard to memorize them all, so go to this website for an up-to-date reference.
Moving on, you can filter by protocol name alone, in this case http, arp, udp, tcp and so on: typing just arp, udp, tcp or http lists every packet Wireshark dissected as that protocol. To combine conditions, use && (both must hold for the same packet) or || (either one). http || arp shows HTTP and ARP traffic together, while http && udp keeps only packets that are both, which on a typical network is little beyond SSDP discovery messages (HTTP-formatted messages over UDP 1900 that Wireshark's HTTP dissector also handles), since HTTP itself is carried over TCP; so pair && with conditions that can be true at once, such as ip.addr == 192.168.1.180 && tcp.port == 80. Speaking of ports, tcp.port == xx matches that value as either the source or the destination port. And lastly, an expression like ip.dst != 192.168.1.1 filters out packets going to that address. One caveat: the same trick does not work with ip.addr. Because ip.addr stands for both the source and the destination, ip.addr != 192.168.1.1 is true whenever either of them differs from 192.168.1.1, which is nearly every packet. To exclude a host entirely, write !(ip.addr == 192.168.1.1); newer releases (4.0 onward) changed != to mean "no occurrence equals", but the !( ... ) form is unambiguous in every version. That's all for now!
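To make the matching rules concrete, here is an added example, not code from the episode or from the Wireshark project: a small Python evaluator for the filter subset used above, run over five hand-written packets that stand in for a capture. It models the Wireshark 1.x rule that a comparison is true when any occurrence of a field matches, which is exactly what makes ip.addr != X a trap and !(ip.addr == X) the right exclusion. PACKETS, apply_filter, Filter and the frame contents are all constructed for this example and are not Wireshark APIs.

```python
# Added example, not Wireshark's own code: a toy evaluator for the display-filter subset
# used above (protocol names, ==, !=, CIDR blocks, !, &&, ||, parentheses) under the
# Wireshark 1.x rule that a comparison holds if ANY occurrence of a field satisfies it.
import ipaddress
import re

# Constructed sample frames standing in for a decoded capture (not real traffic).
PACKETS = [
    {"frame": 1, "protocols": {"eth", "ip", "tcp", "http"},
     "ip.src": "192.168.1.180", "ip.dst": "192.168.1.1", "tcp.port": [51234, 80]},
    {"frame": 2, "protocols": {"eth", "ip", "tcp", "http"},
     "ip.src": "192.168.1.1", "ip.dst": "192.168.1.180", "tcp.port": [80, 51234]},
    {"frame": 3, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "192.168.1.180", "ip.dst": "8.8.8.8", "udp.port": [40000, 53]},
    {"frame": 4, "protocols": {"eth", "ip", "tcp"},
     "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.port": [22, 50000]},
    {"frame": 5, "protocols": {"eth", "arp"}},
]

TOKEN_RE = re.compile(r"\s*(?:(&&|\|\||==|!=|!|\(|\))|([A-Za-z_][\w.]*)|(\d[\d./]*))")

def tokenize(expr):
    # (kind, text) tokens; kind is "op", "name" (field or protocol) or "val" (literal)
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        op, name, val = m.groups()
        tokens.append(("op", op) if op else ("name", name) if name else ("val", val))
        pos = m.end()
    return tokens

def occurrences(pkt, field):
    if field == "ip.addr":                     # ip.addr expands to ip.src and ip.dst
        return [pkt[k] for k in ("ip.src", "ip.dst") if k in pkt]
    val = pkt.get(field)                       # list fields such as tcp.port keep all values
    return [] if val is None else val if isinstance(val, list) else [val]

def value_matches(actual, literal):
    if literal.isdigit():                      # ports compare as integers
        return actual == int(literal)
    # anything else is an IPv4 address or CIDR block; a bare address acts as a /32
    return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)

class Filter:
    """Recursive-descent evaluator; precedence is || lowest, then &&, then ! and ()."""
    def __init__(self, expr):
        self.toks = tokenize(expr)

    def matches(self, pkt):
        self.i, self.pkt = 0, pkt
        result = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing input at {self.toks[self.i][1]!r}")
        return result

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, text=None):
        tok = self.peek()
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise ValueError(f"unexpected token {tok[1]!r}")
        self.i += 1
        return tok[1]

    def or_expr(self):
        return self.chain("||", lambda: self.chain("&&", self.unary))

    def chain(self, op, operand):
        result = operand()                     # fold operand (op operand)*, evaluating all
        while self.peek() == ("op", op):
            self.take("op")
            rhs = operand()
            result = (result or rhs) if op == "||" else (result and rhs)
        return result

    def unary(self):
        if self.peek() == ("op", "!"):
            self.take("op")
            return not self.unary()
        if self.peek() == ("op", "("):
            self.take("op")
            result = self.or_expr()
            self.take("op", ")")
            return result
        name = self.take("name")
        if self.peek()[1] not in ("==", "!="):
            return name in self.pkt["protocols"]          # bare protocol name
        op, literal = self.take("op"), self.take("val")
        hits = [value_matches(v, literal) for v in occurrences(self.pkt, name)]
        # Wireshark 1.x: "==" holds if any occurrence matches and "!=" holds if any
        # occurrence differs, so ip.addr != X keeps packets that merely involve X.
        return any(hits) if op == "==" else any(not h for h in hits)

def apply_filter(expr, packets=PACKETS):
    flt = Filter(expr)   # frame numbers the display filter keeps, in capture order
    return [p["frame"] for p in packets if flt.matches(p)]
```

Running the episode's expressions through apply_filter on these constructed frames gives [1, 3] for ip.src == 192.168.1.180, [1, 2, 3] for ip.addr == 192.168.1.0/24, [] for http && udp (no SSDP frame in the sample), [2, 3, 4] for ip.dst != 192.168.1.1, [1, 2, 3, 4] for ip.addr != 192.168.1.1 (only the ARP frame, which has no ip.addr at all, is dropped) and [3, 4, 5] for !(ip.addr == 192.168.1.1), the exclusion the filter author actually wanted.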
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.