Thursday, 3 January 2019

Wireshark Filters - Important To Know For Network Security Professionals


https://www.arizonainfotech.com/wireshark_network_report_analysis_expert_training_institute_in_pune_best_course_in_india.php

Wireshark is the most popular software for network traffic analysis. It is written in C and C++ and was created by Gerald Combs in 1998. It lets you see what's happening on your network at a microscopic level, and its development thrives thanks to the volunteer contributions of networking experts around the globe.

You can download the latest version of Wireshark from the official website -


Wireshark / TShark has a rich feature set, which includes the following:

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis
  • Read/write many different capture file formats
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text


A network capture contains a very large number of packets, and picking out the particular traffic you want to view can be difficult for an administrator. To simplify this, Wireshark provides many filters for finding the information you need. Using Wireshark display filters you can search for specific traffic or filter out unwanted traffic, which makes it much easier to analyse a packet capture and find what you are looking for.

Wireshark filters can be complex, and there are many kinds of filter that can be applied to network traffic.

Below is a list of filters that are often helpful for filtering network traffic and are used by many administrators.

* Filter network traffic by specific IP address.

ip.addr==192.168.10.5

-- This will display all traffic for the entered IP address, whether it appears as the source or the destination.


* Filter network traffic by specific source IP address.

ip.src==192.168.10.5

-- This will display only network traffic with the entered source IP address.


* Filter network traffic by specific destination IP address.

ip.dst==192.168.10.5

-- This will display only network traffic with the entered destination IP address.


* Filter traffic by network address.

ip.addr==192.168.15.0/24

-- This will display network traffic for the entered subnet, whether it appears as source or destination. If you want to filter by a specific source network, use the filter below -

ip.src==192.168.15.0/24

If you want to filter by a specific destination network, use the one below -

ip.dst==192.168.14.0/24


* Filter traffic based on protocol.

-- To filter and display network traffic for a specific protocol, just type the name of the protocol in the filter box. For example, to display all DNS traffic just type DNS in the filter box.
Some other common protocols you could filter on: arp, http, ftp, smtp, ssh, telnet, bootp, icmp.


* Filter traffic excluding specific IP address.

!ip.dst==192.168.10.5

-- If you don't want to display traffic to a specific IP address or network, this negated filter hides every packet whose destination is the entered IP address or network.


* Show communication traffic between two devices or networks.

ip.addr==192.168.15.0/24 and ip.addr==192.168.11.0/24

-- The above filter will show you only the traffic between the two entered networks.


ip.addr==192.168.11.5 and ip.addr==192.168.10.10

-- The above filter will show you only the traffic between the two entered machines or devices.


* Filter traffic by specific MAC address.

eth.addr==00-50-56-C0-00-08

-- The above filter will only show traffic in which the entered MAC address is the source or the destination.


* Filter traffic by TCP Port.

tcp.port==443

-- Filtering with the above will display only network traffic that has TCP port 443 (i.e. HTTPS) as the source or the destination port.

tcp.srcport==80

-- The above filter will only display network traffic with TCP source port 80.

tcp.dstport==443

-- The above filter will only display network traffic with TCP destination port 443.

* Filter out background network noise.


Several protocols can generate a huge amount of network traffic that is often unnecessary for the analysis at hand. Sometimes you need to exclude this protocol traffic so you can focus on the rest.

!(arp or dns)

-- This will remove ARP and DNS traffic from the display.

* Filter traffic by Port & IP address.

tcp.port==443 && ip.addr==192.168.10.5

-- If you want to see traffic for a certain IP address on a specific port, use this filter. It will show only port 443 (HTTPS) traffic that has IP 192.168.10.5 as the source or the destination.
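Every filter in this list relies on two rules that are easy to get wrong: a combined field such as ip.addr, eth.addr or tcp.port matches an occurrence in either direction of the frame, and a negated filter (!ip.dst==x, !(arp or dns)) keeps every frame that does not match, including frames that have no such field at all. The following Python program is an added example and not Wireshark's own code: a toy evaluator for just the subset of the display-filter language used in this post (==, !=, !, and/&&, or/||, parentheses, CIDR networks and bare protocol names), run over six constructed frames instead of a real capture. The frame contents, the Filter class and the apply_filter helper are assumptions of the example; in Wireshark the same expressions go into the filter bar, or into tshark with -r capture.pcap -Y '<filter>'.

```python
"""Toy evaluator for a subset of Wireshark's display-filter semantics.
Added example, not Wireshark's code: the frames below are constructed dicts
standing in for decoded packets, so no capture file is needed."""
import ipaddress
import re

# Constructed sample frames (not from a real capture); "no" is the frame number.
PACKETS = [
    {"no": 1, "protos": {"arp"}, "eth.src": "00:50:56:c0:00:08", "eth.dst": "ff:ff:ff:ff:ff:ff"},
    {"no": 2, "protos": {"ip", "udp", "dns"}, "eth.src": "00:50:56:c0:00:08",
     "eth.dst": "00:0c:29:aa:bb:cc", "ip.src": "192.168.10.5", "ip.dst": "192.168.11.5",
     "udp.srcport": 51000, "udp.dstport": 53},
    {"no": 3, "protos": {"ip", "tcp", "tls"}, "eth.src": "00:50:56:c0:00:08",
     "eth.dst": "00:0c:29:aa:bb:cc", "ip.src": "192.168.10.5", "ip.dst": "192.168.15.20",
     "tcp.srcport": 50000, "tcp.dstport": 443},
    {"no": 4, "protos": {"ip", "tcp", "tls"}, "eth.src": "00:0c:29:aa:bb:cc",
     "eth.dst": "00:50:56:c0:00:08", "ip.src": "192.168.15.20", "ip.dst": "192.168.10.5",
     "tcp.srcport": 443, "tcp.dstport": 50000},
    {"no": 5, "protos": {"ip", "tcp", "http"}, "eth.src": "00:0c:29:11:22:33",
     "eth.dst": "00:0c:29:aa:bb:cc", "ip.src": "192.168.11.5", "ip.dst": "192.168.10.10",
     "tcp.srcport": 80, "tcp.dstport": 40000},
    {"no": 6, "protos": {"ip", "tcp", "http"}, "eth.src": "00:0c:29:11:22:33",
     "eth.dst": "00:0c:29:aa:bb:cc", "ip.src": "192.168.11.7", "ip.dst": "192.168.15.20",
     "tcp.srcport": 40001, "tcp.dstport": 80},
]

# A combined field expands to every occurrence in the frame, which is why
# ip.addr==x matches x as source OR destination (likewise eth.addr and tcp.port).
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKEN = re.compile(r"\(|\)|&&|\|\||!=|==|!|[\w.:/-]+")


class Filter:
    """Recursive-descent parser: 'or' binds loosest, then 'and', then '!'."""

    def __init__(self, expr):
        self.tokens, self.pos = TOKEN.findall(expr), 0
        self.tree = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("filter ends unexpectedly")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._peek() in ("and", "&&"):
            self._take()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        if self._peek() in ("!", "not"):
            self._take()
            return ("not", self._unary())
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        field = self._take()
        if self._peek() in ("==", "!="):
            op = self._take()
            return ("cmp", field, op, self._take())
        return ("proto", field)  # bare protocol name such as dns or arp


def value_matches(actual, wanted):
    if isinstance(actual, int):  # port numbers
        return actual == int(wanted)
    if "/" in wanted:  # CIDR network such as 192.168.15.0/24
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return actual.lower().replace("-", ":") == wanted.lower().replace("-", ":")  # IP or MAC text


def evaluate(node, pkt):
    kind = node[0]
    if kind == "proto":
        return node[1].lower() in pkt["protos"]
    if kind == "cmp":
        _, field, op, wanted = node
        hits = [value_matches(pkt[f], wanted) for f in ALIASES.get(field, (field,)) if f in pkt]
        if op == "==":
            return any(hits)
        # Legacy "any occurrence differs" reading of != (Wireshark releases before 3.6):
        # ip.addr!=x stays true when x is only one of the frame's two addresses.
        return any(not h for h in hits)
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if kind == "and" else (left or right)


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers that a display filter keeps in the packet list."""
    tree = Filter(expr).tree
    return [p["no"] for p in packets if evaluate(tree, p)]


if __name__ == "__main__":
    for expr in ("ip.addr==192.168.10.5", "!ip.dst==192.168.10.5", "!(arp or dns)",
                 "tcp.port==443 && ip.addr==192.168.10.5", "ip.addr!=192.168.10.5"):
        print(f"{expr:42} -> frames {apply_filter(expr)}")
```

Two results are worth checking against your expectations. !ip.dst==192.168.10.5 keeps frame 1, the ARP frame, because a frame with no IP layer cannot match ip.dst and so survives the negation; exclusion filters always pass through frames that lack the field. And under the legacy reading of != modelled in the evaluator, ip.addr!=192.168.10.5 still keeps frames 2, 3 and 4, because each of them has one address that differs from 192.168.10.5; that is why the explicit negation the post uses, !ip.dst==x or !(ip.addr==x), is the reliable way to exclude a host. Wireshark 3.6 changed != to mean the same as !(==), but the negated form gives the same result on every version.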



The filters above are very basic and should be known to any administrator. In an upcoming post I'll share a video with you containing more essential Wireshark filters. Those filters will help you understand network attacks, so subscribe to our blog right now to get notified of upcoming posts.

If you want to become an expert in network monitoring or Wireshark, you can check out our course.

Share this post & Comment below your suggestion

http://www.arizonainfotech.com/cisco_certified_network_associate_ccna_training_institute_in_pune_best_course_in_india.php