Top 10 Wireshark Filters // Filtering with Wireshark

Chris Greer

20 Nov 201412:12

Summary

TLDRThis video explores the top 10 Wireshark filters essential for network analysis. It covers key filters for displaying specific IP addresses, protocols, TCP and UDP port numbers, and identifying TCP issues like packet loss. Viewers learn how to refine their trace files by excluding unnecessary protocols and focus on specific TCP streams or keywords within packets. Additionally, it highlights useful HTTP filters and methods for detecting SYN attacks. With practical demonstrations, this guide equips users with the tools to effectively analyze network traffic and troubleshoot performance problems.

Takeaways

😀 Wireshark filters are essential for narrowing down data to focus on relevant packets.
📡 Use 'ip.addr' to filter packets to or from a specific IP address.
🔍 Combine protocols using '||' to display multiple types of traffic at once.
📦 Filter by TCP or UDP port using 'tcp.port' or 'udp.port' for precise analysis.
🚦 Utilize 'tcp.analysis.flags' to identify TCP issues such as packet loss or retransmissions.
🗑️ Exclude unwanted protocols by using the '!' symbol to clean up your view.
🔗 Follow a TCP stream by right-clicking a packet, making it easier to analyze a specific conversation.
🔍 Search for specific text within packets using 'tcp contains [SEARCH_TERM]' to find relevant data.
🌐 Analyze HTTP traffic specifically with 'http.request' and filter for specific response codes.
⚠️ Detect SYN attacks by filtering for incoming SYN packets with 'tcp.flags.syn == 1'.

Q & A

What is the purpose of using display filters in Wireshark?
-Display filters in Wireshark help users isolate specific packets of interest based on various criteria, making it easier to analyze network traffic.
How do you filter packets by a specific IP address in Wireshark?
-To filter packets by a specific IP address, you can use 'ip.addr == <IP_ADDRESS>' for both source and destination, or 'ip.src == <IP_ADDRESS>' for source only, and 'ip.dst == <IP_ADDRESS>' for destination only.
What should you do if the background turns red when typing a filter?
-If the background turns red, it indicates that the syntax entered is incorrect or not recognized by Wireshark.
What is the correct way to filter for multiple protocols in Wireshark?
-To filter for multiple protocols, use the 'or' operator, like 'dns or http', to display packets that match either protocol, rather than using 'and', which requires packets to match both.
What filter would you use to identify TCP issues like packet loss?
-To identify TCP issues, you can use the filter 'tcp.analysis.flags', which shows any TCP problems flagged by Wireshark, such as duplicate acknowledgments or missing segments.
How can you remove unnecessary protocols from your Wireshark view?
-You can remove unnecessary protocols by using the 'not' operator followed by parentheses, like 'not (arp or dns or icmp)', to filter them out from the trace file.
What does the 'follow TCP stream' feature do in Wireshark?
-The 'follow TCP stream' feature allows users to view all packets related to a specific TCP conversation, making it easier to analyze the communication between two endpoints.
How can you filter packets containing specific text in Wireshark?
-To filter for packets containing specific text, use 'tcp contains <text>' or 'udp contains <text>' to find packets with the desired string in their payload.
What filter would you use to check for SYN attacks on a server?
-To check for SYN attacks, you can use the filter 'tcp.flags.syn == 1', which displays all packets with the SYN flag set, allowing you to analyze incoming SYN connections.
How can you filter for HTTP requests and specific response codes in Wireshark?
-You can filter for HTTP requests using 'http.request', and for specific response codes, use 'http.response.code == <code>' (e.g., 'http.response.code == 200' for successful responses).