WireShark command line capture filters Highlighted

Latest reply: Feb 18, 2020 09:41:22 137 2 6 0

Hello, community!

Today I will share with you about WireShark command line capture filters.


CaptureFilters

A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

[not] primitive [and|or [not] primitive ...]


Example 4.1. A capture filter for telnet that captures traffic to and from a particular host

A capture filter for telnet that captures traffic to and from a particular host

tcp port 23 and host 10.0.0.5


Example 4.2. Capturing all telnet traffic not from 10.0.0.5

Capturing all telnet traffic not from 10.0.0.5

tcp port 23 and not src host 10.0.0.5


Capture filter is not a display filter

Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port == 80). The former are much more limited and are used to reduce the size of a raw packet capture. The latter are used to hide some packets from the packet list.

Capture filters are set before starting a packet capture and cannot be modified during the capture. Display filters on the other hand do not have this limitation and you can change them on the fly.

In the main window, one can find the capture filter just above the interfaces list and in the interfaces dialog. The display filter can be changed above the packet list as can be seen in this picture:

wireshark


Examples

Capture only traffic to or from IP address 172.18.5.4:

host 172.18.5.4

Capture traffic to or from a range of IP addresses:

net 192.168.0.0/24

or

net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

src net 192.168.0.0/24

or

src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:

dst net 192.168.0.0/24

or

dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS(port 53) traffic

port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25

Capture except all ARP and DNS traffic:

port not 53 and not arp

Capture traffic within a range of ports

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

ether proto 0x888e

Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:

not ether dst 01:80:c2:00:00:0e

Capture only IPv4 traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

not broadcast and not multicast

Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:

dst host ff02::1

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length.

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420


Useful Filters

Blaster and Welchia are RPC worms. 

Blaster worm:

dst port 135 and tcp port 135 and ip[2:2]==48

Welchia worm:

icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA

The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). It is the signature of the welchia worm just before it tries to compromise a system.

Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.

dst port 135 or dst port 445 or dst port 1433  and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24

Heartbleed Exploit:

tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F)  - 4 * ((tcp[12] & 0xF0) >> 4) > 69))



Default Capture Filters

Wireshark tries to determine if it's running remotely (e.g. via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic. It does this by checking environment variables in the following order:

Environment Variable

Resultant Filter

SSH_CONNECTION

not (tcp port srcport and addr_family host srchost and tcp port dstport and addr_family host dsthost)

SSH_CLIENT

not (tcp port srcport and addr_family host srchost and tcp port dstport)

REMOTEHOST

not addr_family host host

DISPLAY

not addr_family host host

CLIENTNAME

not tcp port 3389


That is all, thanks!

Best wishes!

  • x
  • convention:

Datawizard
Created Jan 21, 2020 17:06:26 Helpful(0) Helpful(0)

Thanks for sharing
  • x
  • convention:

Alecksy
Created 2 days 09:41 Helpful(0) Helpful(0)

Thank you for the post, very useful information
  • x
  • convention:

~~ Let's put on our thinking caps. Hmm... Ah, I got it! ~~

Comment

Reply
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login