HakTip 121 – Wireshark 101: Expressions Examples
On this week’s episode of HakTip, Shannon Morse gives several expression examples that you can use when working within the Display Filter Box.
Today is all about expression examples. It’s a little weird to work within the boundaries of this little text box and what it’ll accept. Over the years Wireshark has been updated, and so has the syntax of the expressions it’ll accept. Today I’m using Wireshark v. 1.12.1.

I’ll start with some hostname and addressing filters. I ran a Wi-Fi packet capture on my network and I want to find all the packets related to a source of xxx.xxx.xxx.xxx. I’ll type ip.src == 192.168.1.180. This tells Wireshark I’m looking for a source IP that is equal to xxx.xxx.xxx.xxx. If I change this to ip.src_host I’ll get pretty much the same output. If I change it to ip.addr, I’ll get anything that relates to that IP address, whether it is the source or the destination, and ip.dst will give me just destination matches.

If you’re on an IPv6 network, change ip to ipv6 and change the IP address to the IPv6 address you’re looking for. It’ll look like 2001:0db8:0000:0000:0000:ff00:0042:8329, with 8 groups of 16 bits each. If your capture resolves DNS host names, you can type ip.host == nameofthehost. Now try ip.addr == 192.168.1.0/24, and this will show anything on that network within that range.
Since I’m on an IPv4 network, I can also filter on about a hundred other ip fields. I should mention that it would be incredibly hard to memorize them all, so go to this website for an updated reference.
Moving on, you can just filter by a protocol qualifier, in this case http, arp, udp, tcp, and so on. I could just type arp or udp or tcp or http to get a listing of everything from that protocol. If I want to search by more than one protocol, I’ll type http && udp or http || arp. And of course I can add identifiers to each of these, such as ip.addr == xxx.xxx.xxx.xxx && tcp.port == 80. Speaking of ports, you can find a TCP port with tcp.port == xx. And lastly, use an expression like ip.dst != 192.168.1.1 to filter out any packets going to that IP address. That’s all for now!
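As an added illustration that is not code from the episode, here is a small Python evaluator for the subset of display-filter syntax used above (field == value, field != value, CIDR ranges, bare protocol qualifiers, && and ||), run over a constructed five-packet capture; the packet contents and the function names are my own assumptions. It models the Wireshark 1.x meaning of !=, which is true when any occurrence of the field differs, so ip.addr != X keeps more packets than a newcomer expects while ip.dst != X behaves as the episode says.

```python
import ipaddress

# Constructed sample capture (not from the episode): one dict per decoded packet.
# "layers" stands in for the protocol qualifiers Wireshark matches on a bare name;
# ip.addr lists [src, dst] because Wireshark exposes both under that one field.
PACKETS = [
    {"no": 1, "layers": {"ip", "tcp"}, "ip.addr": ["192.168.1.180", "192.168.1.1"], "tcp.port": [51002, 443]},
    {"no": 2, "layers": {"ip", "tcp"}, "ip.addr": ["192.168.1.1", "192.168.1.180"], "tcp.port": [443, 51002]},
    {"no": 3, "layers": {"ip", "tcp", "http"}, "ip.addr": ["192.168.1.50", "93.184.216.34"], "tcp.port": [40000, 80]},
    {"no": 4, "layers": {"ip", "udp"}, "ip.addr": ["10.0.0.7", "10.0.0.1"], "udp.port": [5353, 53]},
    {"no": 5, "layers": {"arp"}},
]

def field_values(pkt, name):
    """Every value the field takes in the packet (empty if the layer is absent)."""
    if name == "ip.src":
        return pkt.get("ip.addr", [])[:1]
    if name == "ip.dst":
        return pkt.get("ip.addr", [])[1:]
    return pkt.get(name, [])

def value_matches(actual, literal):
    """Compare one field value with the literal; an IP literal may be a CIDR block."""
    if "/" in literal:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
    return str(actual) == literal

def eval_term(pkt, term):
    term = term.strip()
    for op in ("==", "!="):
        if op in term:
            name, literal = (s.strip() for s in term.split(op, 1))
            values = field_values(pkt, name)
            if op == "==":
                return any(value_matches(v, literal) for v in values)
            # Wireshark 1.x semantics: "!=" is true if ANY occurrence differs,
            # so ip.addr != X still matches packets where only one side is X.
            return any(not value_matches(v, literal) for v in values)
    return term in pkt["layers"]  # bare qualifier such as tcp, udp, arp, http

def eval_filter(pkt, expr):
    """&& binds tighter than ||; no parentheses, matching the simple filters above."""
    return any(all(eval_term(pkt, t) for t in clause.split("&&")) for clause in expr.split("||"))

def apply_filter(expr, packets=PACKETS):
    """Return the packet numbers the display filter would keep."""
    return [p["no"] for p in packets if eval_filter(p, expr)]

if __name__ == "__main__":
    for expr in ("ip.addr == 192.168.1.0/24", "http || arp", "ip.dst != 192.168.1.1", "ip.addr != 192.168.1.1"):
        print(f"{expr:32} -> {apply_filter(expr)}")
```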
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
I JUST ordered the ALFA USB WiFi AWUS036NEH a couple days before the video and of course had to take advantage of the SNUBS code so ended up finding something extra in the store to use it. Love the show, keep up the good work! ^_^
Hi, I am so happy I found your blog page. I really found you by error, while I was researching on Aol for something else. Nonetheless I am here now and would just like to say thanks a lot for an incredible post and an all-round interesting blog (I also love the theme/design). I don’t have time to browse it all at the moment but I have bookmarked it and also included your RSS feeds, so when I have time I will be back to read a great deal more. Please do keep up the superb b.
Hey! Someone in my Myspace group shared this website with us so I came to check it out. I’m definitely loving the information. I’m book-marking and will be tweeting this to my followers! Excellent blog and terrific design.
Hello there, you have done an incredible job. I will certainly digg it and personally suggest it to my friends. I am confident they will benefit from this site.
My relatives all the time say that I am wasting my time here at net, but I know I am getting know-how daily by reading these pleasant articles.
Currently it seems like Movable Type is the best blogging platform out there right now (from what I’ve read). Is that what you’re using on your blog?