Wireshark Filters


Wireshark is a powerful network analyzer that can be used to analyze traffic passing through your computer's network interface. You may need this to detect and resolve network problems, debug your web applications, network programs, or sites. Wireshark allows you to fully view the contents of a packet at all levels, so you can better understand how the network works at a low level.

All packets are captured in real time and presented in an easy-to-read format. The program supports a very powerful filtering system, color highlighting and other features that help you find the packets you want. In this tutorial we'll look at how to use Wireshark to analyze traffic. Recently the developers moved on to the second branch, Wireshark 2.0, which brought many changes and improvements, especially to the interface; that is what we will use in this article.

Key features of Wireshark

Before we look at traffic analysis methods, it is worth considering in more detail what the program can do and which protocols it works with. Here are its main features:

  • Capture of packets in real time from wired or any other type of network interface, or reading them from a file;
  • Supported capture interfaces: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
  • Packets can be filtered by many parameters;
  • All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
  • Capture of VoIP call traffic;
  • Decryption of HTTPS traffic given the certificate;
  • Decryption of WEP and WPA wireless traffic given the key and a captured handshake;
  • Display of network load statistics;
  • Viewing packet contents at every network layer;
  • Display of packet send and receive times.

The program has many other features, but these were the main ones that might interest you.

How to use Wireshark

I assume that you already have the program installed, but if not, then you can install it from the official repositories. To do this, type the command in Ubuntu:

$ sudo apt install wireshark

After installation, you can find the program in the main menu of the distribution. You need to run Wireshark with superuser rights, because otherwise the program will not be able to analyze network packets. This can be done from the main menu or through the terminal using the command for KDE:

$ kdesu wireshark

And for Gnome / Unity:

$ gksu wireshark

The main window of the program is divided into three parts: the first column lists the network interfaces available for capture, the second offers options for opening files, and the third contains help.

Network traffic analysis

To start the analysis, select a network interface, for example eth0, and click Start.

After that the next window opens, already showing the stream of packets passing through the interface. It too is divided into several parts:

  • Top part: the menus and toolbars with various buttons;
  • Packet list: the stream of network packets you will analyze;
  • Packet details: just below, the contents of the selected packet, divided into sections by protocol layer;
  • Packet bytes: at the very bottom, the raw contents of the packet, also shown in hex form.

You can click any packet to analyze its contents:

Here we see a DNS request packet to obtain the site's IP address; the domain is sent in the request itself, and in the response packet we receive our question together with the answer.

For more convenient viewing you can open the packet in a new window by double-clicking the entry:

Wireshark Filters

It is very inconvenient to go through the packets manually to find the ones you need, especially with an active stream, so it is better to use filters for such a task. There is a special filter bar under the menu for entering them. You can click Expression to open the filter constructor, but there are a great many filters, so we'll cover the most basic ones:

  • ip.dst - destination IP address;
  • ip.src - source IP address;
  • ip.addr - IP address of the sender or the recipient;
  • ip.proto - IP protocol number;
  • tcp.dstport - destination port;
  • tcp.srcport - source port;
  • ip.ttl - filter by TTL, which indicates the network distance;
  • http.request_uri - the requested web address (URI).

You can use the following operators to specify the relationship between a field and a value in a filter:

  • == - equals;
  • != - not equal;
  • < - less than;
  • > - greater than;
  • <= - less than or equal;
  • >= - greater than or equal;
  • matches - regular expression match;
  • contains - contains the substring.

To combine multiple expressions, you can use:

  • && - both expressions must be true for the packet;
  • || - at least one of the expressions must be true.

Now let's look at several filters in detail using examples and try to cover all the relational operators.

First, let's filter all packets sent to 194.67.215.125 (losst.ru). Type the line into the filter field and click Apply. For convenience, Wireshark filters can be saved with the Save button:

ip.dst == 194.67.215.125

And in order to receive not only sent packets, but also received in response from this node, you can combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select large transferred files:

http.content_length > 5000

By filtering on Content-Type we can select all transferred images, that is, packets whose content type contains the word image:

http.content_type contains "image"
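As an added illustration of the operators and combinations described above (this is not code from the original article or from Wireshark), here is a small Python evaluator for that subset of the display-filter language, run over constructed sample packets; the packet dicts and the function names are this example's own.

```python
"""Toy evaluator for the display-filter subset covered above (a constructed example,
not Wireshark's own code): comparisons (==, !=, <, >, <=, >= or eq/ne/lt/gt/le/ge),
contains, matches, bare protocol names, &&, ||, ! and parentheses, applied to
packets modelled as dicts of field name -> value (True marks a protocol as present)."""
import operator
import re

PACKETS = [  # constructed sample packets, using the losst.ru address quoted on the page
    {"ip.src": "10.0.0.5", "ip.dst": "194.67.215.125", "ip.ttl": 64, "tcp": True,
     "tcp.dstport": 80, "tcp.window_size": 65535, "tcp.flags.reset": 0, "http": True},
    {"ip.src": "194.67.215.125", "ip.dst": "10.0.0.5", "ip.ttl": 52, "tcp": True,
     "tcp.srcport": 80, "tcp.window_size": 0, "tcp.flags.reset": 0, "http": True,
     "http.content_type": "image/png", "http.content_length": 8192},
    {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "ip.ttl": 64, "udp": True,
     "udp.dstport": 53, "dns": True, "dns.qry.name": "losst.ru"},
]

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge,
       "contains": lambda v, lit: str(lit) in str(v),
       "matches": lambda v, lit: re.search(str(lit), str(v)) is not None}
OPS.update(eq=OPS["=="], ne=OPS["!="], lt=OPS["<"], gt=OPS[">"], le=OPS["<="], ge=OPS[">="])
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|<=|>=|<|>|!|"[^"]*"|[\w.:/-]+)')

def tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr.rstrip()):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent; precedence from lowest to highest: ||, &&, !, atoms."""
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos; pos += 1
        return tokens[pos - 1]
    def expr_or():
        node = expr_and()
        while peek() == "||":
            take(); node = ("or", node, expr_and())
        return node
    def expr_and():
        node = unary()
        while peek() == "&&":
            take(); node = ("and", node, unary())
        return node
    def unary():
        if peek() == "!":
            take(); return ("not", unary())
        if peek() == "(":
            take(); node = expr_or(); take()     # consume the closing parenthesis
            return node
        field = take()
        if peek() in OPS:                        # field <operator> value
            return ("cmp", field, take(), take())
        return ("proto", field)                  # bare name: is the protocol present?
    return expr_or()

def evaluate(node, pkt):
    if node[0] == "or":    return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if node[0] == "and":   return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if node[0] == "not":   return not evaluate(node[1], pkt)
    if node[0] == "proto": return node[1] in pkt
    _, field, op, literal = node
    if field not in pkt:                         # an absent field never matches, as in Wireshark
        return False
    value, literal = pkt[field], literal.strip('"')
    if isinstance(value, int) and literal.lstrip("-").isdigit():
        literal = int(literal)                   # numeric fields compare numerically
    return OPS[op](value, literal)

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets that satisfy the display filter expr."""
    ast = parse(tokenize(expr))
    return [i for i, pkt in enumerate(packets) if evaluate(ast, pkt)]
```

The same evaluator also handles the zero-window rule from the last section of this page, tcp.window_size == 0 && tcp.flags.reset != 1, which matches only the second sample packet.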

To clear the filter, click the Clear button. You do not always know all the information needed for filtering and may just want to study the network. You can add any packet field as a column and see its contents in the main window for every packet.

For example, I want to display a packet's TTL (time to live) as a column. To do this, open the packet details, find this field in the IP section, then open the context menu and choose Apply as Column:

You can also build a filter yourself from any field you like. Select the required field, open the context menu and choose Apply as Filter or Prepare as Filter, then Selected to display only the selected values or Not Selected to exclude them:

The chosen field and its value are applied or, in the second case, inserted into the filter field:

In this way you can add any packet field to the filter or as a column; both options are in the context menu. Simpler conditions can be used to filter by protocol. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:

Another interesting feature is using Wireshark to track a specific session between the user's computer and the server. To do this, open the context menu for the packet and select Follow TCP Stream.

A window then opens in which you will find all the data exchanged between the server and the client:

Diagnosing Wireshark Problems

You might be wondering how to use Wireshark 2 to detect network problems. In the lower left corner of the window there is a round button; clicking it opens the Expert Information window, in which Wireshark collects all error messages and network problems:

The window is divided into tabs: Errors, Warnings, Notes and Chats. The program can detect many network problems, and here you can see them very quickly. Wireshark filters are supported here as well.

Wireshark traffic analysis

You can very easily see exactly what users downloaded and which files they viewed if the connection was not encrypted; the program does a very good job of extracting content.

To do this, first stop the capture with the red square on the toolbar, then open the menu File -> Export Objects -> HTTP:

Wireshark is a very powerful utility with a great many functions. It is impossible to cover them all in one article, but the basics given here will be enough for you to master the rest on your own.

While debugging a particular problem, you sometimes have to analyze the protocol traffic going out of and coming into your machine. Wireshark is one of the best tools for this purpose. In this article we will learn how to use the display filter of the Wireshark network protocol analyzer.

1. Download and Install Wireshark

After downloading the executable, just click on it to install Wireshark.

2. Select an Interface and Start the Capture

Once you have opened Wireshark, you first have to select a particular network interface of your machine. In most cases the machine is connected to only one network interface, but if there are several, select the one on which you want to monitor traffic.

From the menu, click on ‘Capture -> Interfaces’, which will display the following screen:

3. Source IP Filter

A source filter restricts the packet view in Wireshark to only those packets whose source IP matches the one given in the filter. The filter applied in the example below is:

ip.src == 192.168.1.1

4. Destination IP Filter

A destination filter restricts the packet view in Wireshark to only those packets whose destination IP matches the one given in the filter. For example:

ip.dst == 192.168.1.1

5. Filter by Protocol

It is very easy to filter for a particular protocol: just type the protocol name in the filter bar and press Enter. In the example below we filtered the results for the http protocol; the filter is simply the word http.

6. Using OR Condition in Filter

This filter shows the packets that match either one condition or the other.

Suppose you need to see packets that are either http or arp. Separate filters cannot do this at once, so the || expression ORs two conditions and displays packets matching either or both of them. In the example below we filtered http or arp packets with this filter:

http || arp

7. Applying AND Condition in Filter

This filter shows only the packets that match all of several conditions.

Suppose only HTTP packets with source IP 192.168.1.4 are wanted. Use this filter:

http && ip.src == 192.168.1.4

8. Filter by Port Number

This is done with the filter tcp.port eq (eq is the textual form of ==). For example:

tcp.port eq 80

9. Match Packets Containing a Particular Sequence

The filter keyword used here is contains; this filter matches TCP segments that carry the byte sequence 01:01:04:

tcp contains 01:01:04

10. Reject Packets Based on Source or Destination

The filter here is ip.src != or ip.dst !=, for example:

ip.dst != 192.168.1.1


- a built-in expert system that lets you quickly sort the capture buffer by service or error type. This significantly shortens the time needed to localize a problem, since you work with information that has already been sorted and assessed for you. Here you could look at solutions from VIAVI Solutions called Observer, or at ClearSight Analyzer from Netscout.

If no budget is allocated but there are problems, then it remains to stock up on patience and coffee. On networks carrying data at 1 Gbit/s and above, the traffic capture buffer fills up instantly and you end up with a rather large data set. Given an understanding of how the devices on the network interact, that data set can be filtered by various parameters. Wireshark offers several options for this:

  • Color coding of erroneous packets, which can be customized: packets that contain an error are highlighted in the buffer with a special color.
  • Filtering through the filter string: you are experienced with Wireshark and protocols and can enter the filter yourself. A large selection of ready-made filters is available.
  • Selecting any field in a packet, right-clicking and choosing "Apply as filter": a method for beginners, very convenient since you don't have to rack your brains.

What are the main filters for displaying traffic?

Wireshark filter by protocol

It is enough to enter the name of the protocol in the filter line and press enter. The screen will display packets that belong to the required protocol. So the filter looks like:

If the capture buffer needs to be filtered by several protocols, then it is necessary to list all the desired protocols and separate them with the || sign. For instance:

arp || http || icmp

Wireshark filter by IP address and filter by MAC

The filter will differ slightly depending on the direction of traffic. For example, we want to filter by sender IP address 50.116.24.50:

ip.src == 10.0.10.163

For the recipient, the filter will look like ip.dst == x.x.x.x, and if we want to see packets regardless of the direction of traffic, then just enter:

ip.addr == 50.116.24.50

If we need to exclude some address from the selection, we add !=. Example:

ip.src != 80.68.246.17

If we analyze traffic within the local network and know the user's MAC address, we can specify that MAC address as a Wireshark filter, for example:

eth.addr == AA:BB:CC:DD:EE:FF

Wireshark filter by port number

When analyzing traffic, we can also filter by the port number over which a particular protocol is transmitted. The numbers of all registered ports can be looked up in the IANA port registry. Example:

As with IP and MAC addresses, we can filter separately by source and destination port with tcp.srcport and tcp.dstport. In addition to port numbers, Wireshark makes it possible to filter the buffer by flags in the TCP protocol. For example, if we want to see TCP packets with the SYN flag set (connection establishment between devices), we enter in the filter bar:

Popular Filters

The list below gives the most popular display filters for the capture buffer, each with an example of how it is written (rows for which the source gives only the field show just the field):

  • Sender or recipient MAC address: eth.addr == 00:1a:6b:ce:fc:bb
  • Sender MAC address: eth.src == 00:1a:6b:ce:fc:bb
  • Recipient MAC address: eth.dst == 00:1a:6b:ce:fc:bb
  • ARP, destination MAC address: arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
  • ARP, recipient IPv4 address: arp.dst.proto_ipv4 == 10.10.10.10
  • ARP, sender MAC address: arp.src.hw_mac == 00:1a:6b:ce:fc:bb
  • ARP, sender IPv4 address: arp.src.proto_ipv4 == 10.10.10.10
  • VLAN ID: vlan.id
  • IPv4 address of recipient or sender: ip.addr == 10.10.10.10
  • IPv4 address of recipient: ip.dst == 10.10.10.10
  • IPv4 address of sender: ip.src == 10.10.10.10
  • IP protocol number (decimal): ip.proto
  • IPv6 address of recipient or sender: ipv6.addr == 2001::5
  • IPv6 address of sender: ipv6.src == 2001::5
  • IPv6 address of recipient: ipv6.dst == 2001::5
  • TCP port of recipient or sender: tcp.port
  • Destination TCP port: tcp.dstport == 80
  • Source TCP port: tcp.srcport == 60234
  • UDP port of recipient or sender: udp.port
  • Destination UDP port: udp.dstport == 513
  • Source UDP port: udp.srcport == 40000
  • VTP VLAN name: vtp.vlan_info.vlan_name == TEST
  • BGP originator ID (IPv4 address): bgp.originator_id == 192.168.10.15
  • BGP next hop (IPv4 address): bgp.next_hop == 192.168.10.15
  • RIP IPv4 address: rip.ip == 200.0.2.0
  • OSPF router ID: ospf.advrouter == 192.168.170.8
  • EIGRP autonomous system number
  • HSRP virtual IP address: hsrp.virt_ip == 192.168.23.250
  • VRRP virtual IP address: vrrp.ip_addr == 192.168.23.250
  • Wi-Fi sender or receiver MAC address: wlan.addr == 00:1a:6b:ce:fc:bb
  • Wi-Fi sender MAC address: wlan.sa == 00:1a:6b:ce:fc:bb
  • Wi-Fi destination MAC address: wlan.da == 00:1a:6b:ce:fc:bb

What filters do you most often use in your work?

Well, I hope the previous lessons went well. Let's continue. Suppose we have captured a bunch of packets and now need to find particular data among them.

I remind you that you can download Wireshark.

First of all, let's open a sample capture (or capture our own packets). By the way, here is a library of sample captures that you can safely download for study: http://wiki.wireshark.org/SampleCaptures

There are also captures from infected computers, traces of Trojans and other misfortunes. I also have a collection of capture files; if there is interest, I will post it as an archive, they are small. You can also infect a machine (a virtual one) with some malware yourself and capture its traffic, which I find very interesting. And if you have already caught a virus on a real machine, contact the professionals: computer help Kiev. Well, let's move on.

So, I downloaded a sample of HTTP traffic, the very first one on the list:

We open the search box and see:


This is how you search packets for specific data.

Now let's talk about prettiness, namely coloring.

To open the coloring wizard, select View -> Coloring Rules from the menu.

This window will open:


Add a new rule with the New button:


For example, I will now create a highlighting rule:

DNS protocol, response name contains "google": in the filter I write dns.resp.name, choose "contains" and give the value "google", that is, dns.resp.name contains "google". I apply the rule, with a blue background and a black font.


Our rule is highlighted with an underline.

Introduction

When examining network interactions at the level of individual packets, datagrams, segments, and application-level messages, it is often necessary to solve traffic filtering problems. The essence of applying filters is to find and highlight groups, as well as individual transmission units that are of interest for further analysis. This functionality is extremely useful in tools designed to intercept and study network traffic (sniffers), and helps a system administrator or information security specialist find a piece of useful information in the intensive information flows of modern networks.

The open-source, multi-platform analyzer considered in this article, Wireshark, contains two filter subsystems: capture filters, applied while traffic is being intercepted, and display filters. As is well known, the first subsystem is based on the rule language of the Pcap (Packet Capture) library. "Cleaning" traffic as it is collected reduces the number of intercepted packets and thus saves memory or disk space. Display filters, a built-in Wireshark function, are designed to "tailor" already intercepted traffic in the program's graphical interface.


About filter languages

The ability to intercept traffic for monitoring and debugging purposes is present in the network stack of every operating system. It is provided by the so-called packet filter, a part of the system kernel that receives incoming and outgoing packets from the network card driver. The best-known packet filters for Unix-like operating systems are BPF (Berkeley Packet Filter) and LSF (Linux Socket Filter).

In BPF, the selection of traffic according to given criteria is implemented in a special-purpose primitive machine language, for which the packet filter acts as an interpreter. Programs in this language can extract fragments of packets, compare the extracted data with given values, test individual bits, perform arithmetic operations and then accept or discard packets depending on the results of all these tests. This "low-level" approach is useful for programmers developing network libraries and various utilities.

Ordinary users tend to use "high-level" filter languages. A typical application-level language used in a sniffer to describe traffic rules lets you build primitive expressions from individual message fields of various protocols. The criterion can be the relation of a field's value to a given value (equal, greater, less), a match of the value against a pattern, or simply the presence of the field in the message. Primitives can be combined into complex expressions with logical functions ("and", "or", "not", etc.).

In the open-source world the de facto standard filter language is the syntax used in the Pcap library. It is the basis not only of Wireshark but also of other open-source utilities, for example the tcpdump console sniffer, well known in the Unix world; in fact, Pcap and tcpdump are a joint project. The popular Snort intrusion detection system also uses the Pcap format to define traffic filtering rules in packet capture mode.


Pcap Filter Basics

So, a filter consists of one or more primitives. A primitive usually consists of an object (a number or a name) and one or more qualifiers that define the protocol (ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp, udp), the direction (src, dst, etc.) and the object type (host, net, port, etc.). For example, to intercept packets whose source IP address is 192.168.56.102, use a filter like this:

ip src host 192.168.56.102

Or, to record ARP traffic involving hosts on the 192.168.56.0 network:

arp net 192.168.56

Frequently used qualifiers are tabulated (optional components are denoted by -, alternatives by |, objects by < >). A complete list can be found in the Pcap documentation (on Linux, in the manual page shown by the command man pcap-filter).

To combine several primitives into one expression, logical functions are used: "and" (keyword and or &&), "or" (or or ||), "not" (not or !). For example, to intercept SSH traffic for the host 192.168.56.102, the following construction is suitable:

tcp port 22 and host 192.168.56.102

Use parentheses for more complex expressions. For instance:

net 192.168.56.0/24 and (tcp port 21 or tcp port 22)

Unlimited Pcap Filters

For those accustomed to living by their own rules, the Pcap library provides random access to the contents of network packets, drawing on the full power of the OS packet filter. This is done with a fairly simple syntax:

proto[expr:size]

where proto is one of the protocols supported by Wireshark, expr is the offset in bytes from the start of the layer named by proto, and size is the number of bytes to extract.

Considering that in primitives it is possible to use comparison operations in the notation of the C programming language (>, =,

This example, however, is of methodological interest only, since that protocol is easily filtered by the standard icmp rule.

But selecting HTTP requests made with the GET method from traffic on the fly is not such an easy task for Pcap. The solution offered in the documentation is rather original:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

This filter checks for the bytes "G", "E", "T" and " " (hex values 47, 45, 54 and 20) immediately after the TCP header, whose length is computed by the expression (tcp[12:1] & 0xf0) >> 2: the upper nibble of byte 12 of the TCP header is the data offset in 32-bit words, so masking it and shifting right by 2 yields the header length in bytes.

As the last example shows, besides comparison operations the C binary operators (+, -, *, /, &, |, <<, >>) are also available to the user directly inside primitives.
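As an added example (not code from the page's source, libpcap or Wireshark), here is the offset arithmetic that the GET filter above performs, written out in Python and run on a hand-built Ethernet/IPv4/TCP frame; build_frame, layer_offset and pcap_slice are names chosen for this illustration, and an untagged Ethernet II frame carrying IPv4 is assumed.

```python
"""The pcap byte-offset primitive proto[expr:size] and the documented HTTP GET
filter above, worked through in Python on a hand-built frame (a constructed
example, not libpcap or Wireshark code; the names are this example's own)."""
import struct

def build_frame(payload: bytes, dport: int = 80, tcp_options: bytes = b"") -> bytes:
    """Untagged Ethernet II + IPv4 + TCP frame (constructed; checksums left zero)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset = (20 + len(tcp_options)) // 4       # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, data_offset << 4,
                      0x18, 65535, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([194, 67, 215, 125]))
    eth = bytes.fromhex("001a6bcefcbb") + bytes.fromhex("0000deadbeef") + b"\x08\x00"
    return eth + ip + tcp

def layer_offset(frame: bytes, proto: str) -> int:
    """Start of the layer that pcap's proto[...] indexes into; assumes an untagged
    Ethernet II frame carrying IPv4 (the case this example constructs)."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return 14
    if proto == "tcp":
        return 14 + (frame[14] & 0x0F) * 4             # 14 + IPv4 header length (IHL * 4)
    raise ValueError(f"unsupported protocol qualifier {proto!r}")

def pcap_slice(frame: bytes, proto: str, expr: int, size: int = 1) -> int:
    """proto[expr:size]: size bytes at offset expr into the layer, as a big-endian integer."""
    start = layer_offset(frame, proto) + expr
    chunk = frame[start:start + size]
    if len(chunk) != size:                             # BPF rejects packets the slice overruns
        raise IndexError("slice runs past the end of the packet")
    return int.from_bytes(chunk, "big")

def is_tcp(frame: bytes) -> bool:
    """The tcp qualifier implies an IPv4 packet whose protocol field (byte 9) is 6."""
    return frame[12:14] == b"\x08\x00" and pcap_slice(frame, "ip", 9) == 6

def is_http_get(frame: bytes) -> bool:
    """port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420, step by step."""
    if not is_tcp(frame):
        return False
    ports = (pcap_slice(frame, "tcp", 0, 2), pcap_slice(frame, "tcp", 2, 2))
    if 80 not in ports:                                # port 80 matches either direction
        return False
    hdr_len = (pcap_slice(frame, "tcp", 12) & 0xF0) >> 2   # data offset (words) * 4
    try:
        return pcap_slice(frame, "tcp", hdr_len, 4) == 0x47455420   # b"GET "
    except IndexError:
        return False                                   # segment too short to hold "GET "

if __name__ == "__main__":
    opts = b"\x01\x01\x08\x0a" + b"\x00" * 8           # NOP, NOP, 10-byte timestamp option
    print(is_http_get(build_frame(b"GET / HTTP/1.1\r\n", tcp_options=opts)))
    print(is_http_get(build_frame(b"POST / HTTP/1.1\r\n")))
```

The options case is the one that matters: with a 32-byte TCP header the naive tcp[20:4] would land inside the options, while the shifted data-offset nibble points at the payload.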


About display filters

As for the differences between display filters and Pcap filters: besides the format of the specifiers (protocol fields are written as protocol.field, for example ip.src), the comparison operators have both a symbolic and a textual form (== or eq - equal, != or ne - not equal, <= or le - less than or equal, and so on), there are logical operators (and, or, xor, not), and substrings of fields are supported.

Extracting substrings from fields is similar to extracting arbitrary bytes from a packet in Pcap filters, but the syntax is more flexible. For example, the following expression checks the first 4 bytes of the source MAC address field of an Ethernet frame (equivalent to eth.src[0:4]):

eth.src[:4] == 00:1d:72:01

Of course, the main difference between the two kinds of filters is that Pcap rules are applied while traffic is being intercepted; in the graphical interface they are set in the Capture Options dialog (frequently used expressions can be saved there, by the way). Display filters work on the packets already listed in the main program window:

Wireshark's built-in filtering subsystem is far more user-friendly. In particular, there is no need to remember details of message formats (offsets, field sizes and so on): the required field of a protocol is easily found in the Filter Expression window, where you can also pick a condition and a predefined value for that field from a list, or specify your own. A display filter can be configured in this simple way for any of the many protocols Wireshark supports.

A near-textbook example, detecting a full TCP receive buffer (zero window) with the following display rule, is very telling:

tcp.window_size == 0 && tcp.flags.reset != 1

Conclusion

The Wireshark protocol analyzer has a powerful packet filtering system that makes it possible to build complex rules from logical functions and binary operators. Capture-time filters follow the standard Pcap syntax and will be familiar to users of Pcap-based networking utilities such as tcpdump. Display rules are easy to learn and use thanks to the capabilities of the program's graphical interface. Overall, Wireshark's filtering subsystem lets you take advantage of the low-level OS packet filter quite effectively.
