TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Webmaster:
Blaise Carrera
WIRESHARK - The Easy Tutorial - Filters

Wireshark Filters
Last update: 10-12-2010




Tool
Tutorial
Ergonomy
Forum



Details What is Wireshark?
Screenshots
Prerequisites
Installation
Launch Wireshark
Platform
Filters
Statistics




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!


As you can see it in the first Wireshark tutorials, it is extremely easy to install and start Wireshark to analyze the network.

A very common problem when you launch Wireshark with the default settings is that you will get too much information on the screen and thus will not find the information you are looking for.
Too much information kills the information.

That's why filters are so important, they will help us to target, in the prolific logs, the data you are looking for.

-

-
 
Capture filters: Used to select the data to record in the logs. They are defined before starting the capture
Display filters: Used to search inside the captured logs. They can be modified while data is captured.
So should I use the capture or the display filter?

The goals of the two filters are different.
The capture filter is used as a first large filter to limit the size of captured data to avoid generating a log too big.
The display filter is much more powerful (and complex); it will permit you to search exactly the data you want.

The syntaxes of the two types of filters are completely different. We will present them in the following pages:



                       1. CAPTURE FILTERS            2. DISPLAY FILTERS



1. CAPTURE FILTERS

The capture filter syntax is the same as the one used by programs using the Lipcap (Linux) or Winpcap (Windows) library like the famous TCPdump. The capture filter must be set before launching the Wiershark capture, which is not the case for the display filters that can be modified at any time during the capture.

The steps to configure a capture filter are the following:
- select capture -> options.
- Fill the "capture filter" field or click on the "capture filter" button to give a name to your filter to reuse it for subsequent captures.
- Click on Start to capture data.

wireshark capture options

wireshark capture options

Syntax:
Protocol
Direction
Host(s)
Value
Logical Operations
Other expression
Example:
tcp
dst
10.1.1.1
80
and
tcp dst 10.2.2.2 3128
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".




Examples:

tcp dst port 3128
Displays packets with destination TCP port 3128.

ip src host 10.1.1.1
Displays packets with source IP address equals to 10.1.1.1.

host 10.1.2.3
Displays packets with source or destination IP address equals to 10.1.1.1.

src portrange 2000-2500
Displays packets with source UDP or TCP ports in the 2000-2500 range.

not imcp
Displays everything except icmp packets. (icmp is typically used by the Ping tool)

src host 10.7.2.12 and not dst net 10.200.0.0/16
Displays packets with source IP address equals to 10.7.2.12 and in the same time not with the destination IP network 10.200.0.0/16.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Displays packets with source IP address 10.4.1.12 or source network 10.6.0.0/16, the result is then concatenated with packets having destination TCP portrange from 200 to 10000 and destination IP network 10.0.0.0/8.



Notes:

The backslash "\" sign is used when a keyword is used as a value.
"ether proto \ip" (is equivalent to "ip").
This will target IP protocols.

"ip proto \icmp" (is equivalent to "icmp").
This will target icmp pakets typically used by the ping utility.

The "multicast" and "broadcast" keywords can also be used after "ip" or "ether".
"no broadcast" is useful when you want to exclude broadcast requests.



Check the TCPdump man page for information about the capture filters syntax.
Other capture filters examples can be found in the Wiki Wireshark website.

Top of the page



2. DISPLAY FILTERS:

The display filter is used to search inside captured data obtained with a capture filter.
Its search capabilities are more extended than those of the capture filter and it is not necessary to restart the capture when you need to change your filter.

Syntax: Protocol.
String 1
.
String 2
Comparison operator
Value
Logical Operations
Other expression
Example:
ftp
passive
ip
==
10.2.3.4
xor
icmp.type
Protocol:

A large number of protocols, located between layers two and seven of the OSI model, is available. They can be seen when you click on the "Expression..." button in the main screen.
Some examples are: IP,TCP,DNS,SSH

wireshark filter expression

wireshark filter expression

Supported protocols with a little description can also be consulted as indicated below:

wireshark supported protocols

wireshark supported protocols

The Wireshark website provides explanations about protocols and their sub categories.

String1, String2 (Optional settings):

Sub protocol categories inside the protocol.
To find them, look for a protocol and then click on the "+" character.

wireshark filter expression

Comparison operators:

Six comparison operators are available:

English format:  C like format:  Meaning:
eq 
== 
Equal
ne
!=
Not equal
gt
>
Greater than
lt
<
Less than
ge
>=
Greater or equal
le
<=
Less or equal
Logical expressions:

English format:  C like format:  Meaning:
and
&&
Logical AND
or
||
Logical OR
xor
^^
Logical XOR
not
!
Logical NOT
The logical "XOR" expression, well known by programmers, is used as an exclusive alternation. When used between two conditions in a filter, the result will be printed on the screen only if one of the two conditions is fulfilled but not both like for the "OR" expression.
Let's take an example with the following display filter:
"tcp.dstport 80 xor tcp.dstport 1025"
Only packets with TCP destination port 80 or TCP source port 1025 (but not both!) will be displayed on the screen as the result.




Examples:

snmp || dns || icmpDisplay the SNMP or DNS or ICMP traffics.
ip.addr == 10.1.1.1
Displays the packets with source or destination IP address equals to 10.1.1.1.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
Displays the packets with a source IP address different from 10.1.2.3 or with a destination IP different from 10.4.5.6.
In other words, the displayed packets will have:
Source IP address: anything but 10.1.2.3, destination IP address: anything
and
Source IP address: anything, destination IP address: anything but 10.4.5.6

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6
Displays the packets with source IP different from 10.1.2.3 and in the same time with destination IP different from 10.4.5.6
In other words, the displayed packets will have:
Source IP address: anything but 10.1.2.3 and destination IP address: anything but 10.4.5.6

tcp.port == 25 Display packets with TCP source or destination port 25.
tcp.dstport == 25Display packets with TCP destination port 25.
tcp.flagsDisplay packets having a TCP flags
tcp.flags.syn == 0x02Display packets with a TCP SYN flag.
If the filter syntax is correct, it will be highlighted in green, otherwise if there is a syntax mistake it will be highlighted in red.

wireshark display filter exampleCorrect syntax
wireshark display filter example Wrong snythax
Supplementary information about the display filters can be found on the Wireshark official website or on the Wiki Wireshark website.


Top of the page





If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!