How to use Wireshark: traffic analysis and filters. Wireshark filters for Wi-Fi frames


Wireshark is an advanced network analyzer that lets you examine the traffic passing through your computer's network interface. You may need it to identify and troubleshoot network problems, or to debug your web applications, programs and sites. Wireshark lets you inspect a packet at every layer, so you can better understand how the network works at a low level.

All packets are captured in real time and presented in a convenient, readable form. The program also has an advanced filtering system, colour highlighting and other features that help you find the packets you need. This guide shows how to use Wireshark to analyse traffic. The developers recently moved to the new Wireshark 2.0 branch, which brought many changes and improvements, especially to the interface. That is the version used in this article.

Wireshark Core Capabilities

Before moving on to traffic analysis methods, let's look at what the program can do in general and which protocols it handles. Its main capabilities are:

  • Capture of packets in real time from network interfaces of various types, or reading them from a file;
  • Supported interfaces: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
  • Packets can be filtered by many parameters using filters;
  • Known protocols are highlighted in the list with different colours, for example TCP, HTTP, FTP, DNS, ICMP and so on;
  • Capture of VoIP calls;
  • Decryption of HTTPS traffic when the server's private key is available (only for sessions that used RSA key exchange);
  • Decryption of WEP and WPA wireless traffic when the key and the handshake are available;
  • Network statistics;
  • Viewing packet contents at every layer;
  • Viewing the send and receive time of packets.

The program has many other functions; these are only the main ones that may interest you.

How to use Wireshark

I assume you already have the program installed; if not, install it from the official repositories. On Ubuntu, type:

$ sudo apt install wireshark

After installation the program appears in the distribution's main menu. Capturing requires elevated privileges, otherwise the program cannot read packets from the interface. Running the whole GUI as root is the simplest way; a safer alternative offered by the Debian/Ubuntu package is to let members of the wireshark group capture (choose that option when reconfiguring the wireshark-common package), so that only the small dumpcap helper is privileged and Wireshark itself runs as your user. To run it as root from the main menu or from a terminal, on KDE:

$ kdesu wireshark

And for Gnome/Unity:

$ gksu wireshark

The main window is divided into three parts: the first column lists the interfaces available for capture, the second offers options for opening files and the third contains help.

Analysing network traffic

To start capturing, select a network interface, for example eth0, and press Start.

A window then opens showing the stream of packets as they pass through the interface. It is divided into several parts:

  • Upper part - the menu and a toolbar with various buttons;
  • Packet list - the stream of captured packets that you are analysing;
  • Packet details - below the list, the contents of the selected packet, broken down into categories according to the protocol layers;
  • Raw view - at the very bottom, the packet in raw form, also shown as a HEX dump.

Click any packet to analyse it in detail:

Here we see a DNS query sent to resolve a site's IP address: the request carries the domain name, and the response contains our question together with the answer.

For a closer look you can open the packet in a new window by double-clicking the entry:

Wireshark filters

Going through the packets by hand to find what you need is inconvenient, especially on a busy link. That is what filters are for: there is a dedicated field under the menu for entering them. You can click Expression to open the filter builder, but there are a great many fields, so let's look at the main ones:

  • ip.dst - destination IP address;
  • ip.src - source IP address;
  • ip.addr - source or destination IP address;
  • ip.proto - protocol number carried in the IP header;
  • tcp.dstport - destination port;
  • tcp.srcport - source port;
  • ip.ttl - filter by TTL (time to live), which bounds the number of hops;
  • http.request.uri - requested URI.

To compare a field with a value you can use the following operators:

  • == - equal;
  • != - not equal;
  • < - less than;
  • > - greater than;
  • <= - less than or equal;
  • >= - greater than or equal;
  • matches - regular expression match;
  • contains - contains a substring or byte sequence.

To combine several expressions you can use:

  • && - both conditions must hold for the packet;
  • || - at least one of the conditions must hold.

Now let's look at a few example filters and try to make sense of all the comparison operators.

Let's filter all packets sent to 194.67.215.125 (losst.ru). Type the expression in the filter field and press Apply. For convenience, Wireshark filters can be saved with the Save button:

ip.dst == 194.67.215.125

To see not only the packets sent to that host but also those received from it, combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select large responses:

http.content_length > 5000

Filtering on Content-Type we can pick out all images. To do this, look for packets whose Content-Type contains the word image:

http.content_type contains "image"

To clear the filter, press Clear. You do not always know in advance everything you need for filtering, and sometimes you just want to inspect packets comfortably. You can add any packet field as a column and see its value in the main window for every packet.

For example, I want to display the TTL (time to live) of each packet as a column. Open the packet details and find the field in the IP section, then right-click it and choose Apply As Column:

You can also build a filter from any field. Select the field, open the context menu and click Apply as Filter or Prepare as Filter, then choose Selected to show only packets with the selected value, or Not Selected to exclude them:

The field and its value appear in the filter bar, or are combined with the expression already there:

In this way you can add any packet field to a filter or as a column; both options are in the context menu. To filter by protocol you can simply type its name. For example, to show only HTTP and DNS traffic:

Another useful feature is the ability to follow a particular session between a computer and a server. Open the packet's context menu and choose Follow TCP Stream.

A window opens in which you can see all the data exchanged between the server and the client:

Diagnosing Wireshark Issues

You may be wondering how Wireshark 2 can help find network problems. There is a round button in the lower-left corner; clicking it opens the Expert Information window, where Wireshark collects everything it noticed about errors and problems in the traffic:

The window is divided into tabs: Errors, Warnings, Notes and Chats. The program lets you filter and locate many kinds of network problems here, and Wireshark display filters can be applied in this window too.

Wireshark traffic analysis

You can easily see which files users downloaded and which sites they visited, as long as the content was not encrypted. Wireshark handles content extraction well.

First stop the capture with the red square button on the toolbar. Then open File -> Export Objects -> HTTP:

The utility is very powerful and has a huge number of functions. It is impossible to cover all of them in one article, but the basics given here should be enough for you to learn the rest on your own.

To observe the behaviour of network applications and nodes, and to find problems in the network, people often turn to packet analyzers. The key features of such software are, first, the ability to perform various kinds of analysis and, second, rich packet filtering that lets you extract the information you need from a continuous stream of traffic. This last aspect is the subject of this article.

Introduction

Of the methods of troubleshooting computer networks, traffic analysis is perhaps the most laborious and painstaking. The intense traffic of modern networks produces a great deal of raw material in which the useful information is far from easy to find. Since its inception the TCP/IP stack has acquired countless additions and extensions: hundreds of application and service protocols, protocols for authentication, tunnelling, access control and so on. You have to know all these protocols and work with specialised software tools: sniffers or, to use the scientific term, protocol analyzers.

A sniffer's functionality is not limited to putting the network card into promiscuous mode for capture. Such software must filter traffic efficiently both at capture time and when displaying the captured protocol data units (frames, packets, segments, datagrams, messages). And the more protocols a sniffer knows, the better.

Modern protocol analyzers can do a great deal: compute traffic statistics, draw graphs of network interactions, extract application-layer data, export results in various formats... Hence tools for network traffic analysis deserve a separate review. If you do not know what to choose, or do not want to spend money on commercial software, take the simple advice: install Wireshark.

Familiarize yourself with filters

Wireshark supports two types of filters:

  • capture filters;
  • display filters.

The first subsystem Wireshark inherits from the pcap library, which provides a low-level API for working with network interfaces. Selecting traffic at capture time saves memory and disk space. A filter is an expression made up of primitives, combined if necessary with logical operators (and, or, not). The expression is entered in the Capture Filter field of the Capture Options dialog. Frequently used filters can be saved in a profile and recalled later (Fig. 1).

Fig. 1. Filter profile

The filter language is a de facto standard in the open-source world and is used by many pcap-based products (for example the tcpdump utility or the Snort intrusion detection/prevention system). So there is little point in describing the syntax here; the details are documented, for example on Linux in the pcap-filter(7) manual page.

Display filters operate on already captured traffic and are native to Wireshark. They differ from pcap in the record format (in particular, a dot is used as the separator), and English keywords are added for the comparison and sub-field selection operations.

A display filter is entered directly in the input field of the main window, next to the Filter button (use the autocompletion list that appears as you type; the button itself opens a profile of frequently used expressions). Pressing the Expression... button beside it opens a rich expression builder (Fig. 2).


On the left (Field Name) is an alphabetical tree of the protocol fields Wireshark knows. For the chosen field you can pick a comparison operator (Relation), enter a value (Value), specify a range (Range) or choose a value from a list (Predefined Value). A complete network encyclopedia in one window.

The logical operators used in display filters are:

  • and (&&) - AND;
  • or (||) - OR;
  • xor (^^) - exclusive OR;
  • not (!) - negation;
  • [...] - selection of a sub-field (slice).

Two examples. Exclude the MAC address of your own adapter, i.e. all traffic to or from this host:

not (eth.addr eq aa:bb:cc:22:33:44)

Remove the "service noise" to concentrate on the traffic we actually care about:

!(arp or icmp or dns)

Strictly speaking, sub-field selection is not a logical operation but a very handy option. It lets you take a chosen part of a byte sequence. For example, this is how you select the first three bytes (the first number in square brackets is the offset, the number after the colon is the length) of the source MAC address field, i.e. the vendor OUI:

eth.src[0:3] == 00:19:5b

One of the two numbers in the slice may be omitted. Omit the offset and the slice starts at byte zero; omit the length and all bytes from the offset to the end of the field are taken.

By the way, a slice is handy for spotting malware in a capture by looking for a byte sequence following a header (for example 0x90, 0x90, 0x90, 0x04 immediately after the 8-byte UDP header):

udp[8:4] == 90:90:90:04

Comparison operators used in logical expressions:

  • eq (==) - equal;
  • ne (!=) - not equal;
  • gt (>) - greater than;
  • lt (<) - less than;
  • ge (>=) - greater than or equal;
  • le (<=) - less than or equal.

For example:

tcp.dstport ne 8080 && tcp.len gt 0 && data eq A0

That is enough theory. From here on, use common sense and parentheses, whether you strictly need them or not. And remember that a filter is essentially a logical expression: if it evaluates to true the packet is shown, if false it is not.

Pcap filter for detecting scans of Windows service ports (135, 445 and 1433)

(dst port 135 or dst port 445 or dst port 1433) and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.56.0/24

This is a capture filter in pcap syntax, so it belongs in the Capture Filter field rather than the display filter bar. The TCP flags live in byte 13 of the TCP header, which pcap names tcp[tcpflags]; the expression keeps only pure SYN segments (SYN set, ACK clear) from the local subnet. The parentheses make the intent explicit: in pcap, and and or have equal precedence and group left to right.

Finding an IP address thief

In a LAN segment it happens (for various reasons) that two or more nodes end up with the same IP address. The method of catching the conflicting systems, i.e. finding their MAC addresses, is simple: run a sniffer on a third computer, clear the ARP cache and provoke the suspects into announcing their MACs for the disputed IP, for example by pinging it:

# arp -d 192.168.56.5
# ping -n -c 1 192.168.56.5

Then search the captured traffic for the MACs that answered. If Wireshark caught a lot of packets, build a filter with the expression builder. In the first part select ARP replies, in the second those in which the sender IP is the disputed one. The primitives are combined with &&, since both conditions must hold at the same time (opcode 2 is an ARP reply):

(arp.opcode == 2) && (arp.src.proto_ipv4 == 192.168.56.5)

No real network suffered in this scenario: it was played out with two Oracle VirtualBox virtual machines and a host-only network adapter.
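The same selection done outside Wireshark, as an added example that is not part of the original article: a minimal ARP parser over raw Ethernet frames that reports every MAC answering for a given IP, which is exactly what the display filter (arp.opcode == 2) && (arp.src.proto_ipv4 == 192.168.56.5) shows, and, going one step further, every IP with more than one claimant. The sample frames are constructed inline, not taken from a capture; the MAC and IP values are made up.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = b"\x08\x06"
ARP_REPLY = 2  # the numeric value behind "arp.opcode == reply"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying ARP for IPv4.

    Returns (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    when the frame is not an Ethernet/IPv4 ARP frame.
    """
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (opcode, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


def macs_claiming(frames, ip: str):
    """Same selection as (arp.opcode == 2) && (arp.src.proto_ipv4 == ip):
    every MAC that sent an ARP reply naming ip as its own address."""
    macs = set()
    for f in frames:
        p = parse_arp(f)
        if p is not None and p[0] == ARP_REPLY and p[2] == ip:
            macs.add(p[1])
    return sorted(macs)


def ip_conflicts(frames):
    """Generalisation: every IP that was answered for by more than one MAC."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_arp(f)
        if p is not None and p[0] == ARP_REPLY:
            seen[p[2]].add(p[1])
    return {ip: sorted(m) for ip, m in seen.items() if len(m) > 1}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a sample ARP reply frame (test data, not a real capture)."""
    ip2b = lambda s: bytes(int(o) for o in s.split("."))
    mac2b = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac2b(target_mac) + mac2b(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac2b(sender_mac) + ip2b(sender_ip) + mac2b(target_mac) + ip2b(target_ip)
    return eth + arp


# Constructed scenario: the sniffer host 192.168.56.1 pinged 192.168.56.5 and two
# machines answered the resulting ARP request; a third reply is for another IP.
SNIFFER = ("08:00:27:00:00:01", "192.168.56.1")
SAMPLE_FRAMES = [
    build_arp_reply("08:00:27:aa:aa:aa", "192.168.56.5", *SNIFFER),
    build_arp_reply("08:00:27:bb:bb:bb", "192.168.56.5", *SNIFFER),
    build_arp_reply("08:00:27:cc:cc:cc", "192.168.56.9", *SNIFFER),
]

if __name__ == "__main__":
    print("MACs answering for 192.168.56.5:", macs_claiming(SAMPLE_FRAMES, "192.168.56.5"))
    print("All conflicts:", ip_conflicts(SAMPLE_FRAMES))
```

Feed it real frames (for instance read with the standard library's socket module on a raw socket, or from a pcap file with any pcap reader) and the two functions behave like the filter: one reply per MAC is enough, the host that pinged does not need to be involved in the conflict.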

Inspecting the network and transport layers

To this day ICMP remains an effective way of diagnosing the network stack. Its messages carry valuable information about network problems.

As you have already guessed, filtering ICMP in Wireshark is easy: just type icmp in the filter bar of the main window. Besides icmp, many other keywords are available that are simply protocol names, for example arp, ip, tcp, udp, snmp, smb, http, ftp, ssh and others.

When there is a lot of ICMP traffic you can show only the interesting part, excluding for example echo replies (type 0) and echo requests (type 8):

icmp and ((icmp.type ne 0) and (icmp.type ne 8))

Fig. 4 shows a small selection of ICMP messages produced by a test Linux router. Port Unreachable is usually the most common: the stack generates it when a UDP datagram arrives at a port nobody is listening on. Getting the Debian-based virtual router to produce Host Unreachable and Communication Administratively Filtered took some tinkering; on Cisco the latter is the usual way of reporting administrative filtering. Time-to-live Exceeded indicates a routing loop somewhere in the network (although such packets also appear during a traceroute).

Speaking of firewalls: you can create rules for popular firewalls directly from Wireshark with the Firewall ACL Rules item of the Tools menu. First select the packet whose details the rule will be built from. Available formats are standard and extended Cisco ACLs, the rule syntax of the UNIX-like products IP Filter, IPFirewall (ipfw), Netfilter (iptables) and Packet Filter (pf), and Windows Firewall (netsh).

And now briefly about the basics of network-layer filtering, which rests on the IP header fields source address (ip.src) and destination address (ip.dst):

(ip.src == 192.168.56.6) || (ip.dst == 192.168.56.6)

This gives all packets sent to or received from that IP address. Whole subnets can be filtered using CIDR mask notation. For example, let's catch a host infected with a spam bot (here 192.168.56.251 is the IP address of our own SMTP server):

ip.src == 192.168.56.0/24 and tcp.dstport == 25 and !(ip.dst == 192.168.56.251)

MAC addresses are selected with the primitives eth.src, eth.dst and eth.addr. Other link-layer problems are Ethernet matters and are outside the scope of this article. In particular, when debugging routing it is useful to see to which router's MAC address a stubborn node sends its packets. Although for such a simple task the tcpdump utility, practically standard on UNIX-like systems, is quite enough.

Port filtering in Wireshark raises no questions. For TCP the keywords are tcp.srcport, tcp.dstport and tcp.port, for UDP udp.srcport, udp.dstport and udp.port. True, the Wireshark filter language has no analogue of pcap's port primitive, which matches a port in both UDP and TCP. But that is easily fixed with a logical expression, for example:

tcp.port == 53 || udp.port == 53

Experimenting with HTTP traffic

Application protocols, HTTP first among them, are an "eternal" topic in sniffing. To be fair, a lot of specialised software exists for intercepting web traffic. Nevertheless a universal tool like Wireshark, with its flexible filtering, is by no means redundant here.

To begin, capture some web traffic by visiting the first site that comes to mind. Now let's look at the TCP segments (TCP being the transport for HTTP) that mention the beloved Internet resource:

tcp contains "site"

The contains operator checks for the presence of a substring in the given field. In addition, the matches operator lets you use Perl-compatible regular expressions.


The Filter Expression builder is certainly a good helper, but digging through the long list in search of the required field soon gets tiresome. A simpler way to create or modify a filter is the context menu when viewing packets. Right-click the field of interest and choose one of the sub-items of Apply As Filter or Prepare a Filter. In the first case the filter is applied at once; in the second you get a chance to edit the expression first. Selected means the field's value becomes the new filter; Not Selected means the opposite, packets in which the field has any other value. The items starting with "..." add the field value to the existing filter with the chosen logical operator.

Combining the features of the Wireshark GUI with knowledge of HTTP's specifics, you can easily narrow the traffic shown in the main window down to exactly what you need.

For example, to see which images the browser requests from the web server while building a page, a filter that analyses the requested URI is useful (www.example.com stands in for the site under study, substitute your own):

(http.host eq "www.example.com") and ((http.request.uri contains ".jpg") or (http.request.uri contains ".png"))

The same, but with matches:

(http.host eq "www.example.com") and (http.request.uri matches "\\.jpg|\\.png")

Note that fields of protocols at different layers can be freely mixed in one expression. For example, to find out which images a particular server sent to the client, use the IP source address together with the HTTP Content-Type field:

(ip.src eq 178.248.232.27) and (http.content_type contains "image")

And with the help of the HTTP Referer field you can find out from which other servers the browser fetches content while building a page of the site: requests that carry the site's address as Referer but are sent to a server other than its own:

(http.referer contains "www.example.com") and !(ip.dst eq 178.248.232.27)

Let's look at a few more useful filters. To select HTTP requests made with the GET method:

http.request.method == "GET"

At the application layer display filters show all their beauty and simplicity. For comparison, doing the same with pcap means writing a three-storey construction like this (the slice takes the first four bytes after the TCP header, whose length is computed from the data offset field, and compares them with the ASCII of "GET "):

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
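Both pcap expressions above (the SYN-scan capture filter on ports 135/445/1433 and the GET detector) are pure byte arithmetic on the TCP header, so they are easy to reproduce, and to check one's understanding of, in ordinary code. The following is an added example, not code from the original article: it locates the IPv4 and TCP headers in raw Ethernet frames and evaluates the same two predicates. The frames are constructed inline for the test (addresses from the documentation ranges, checksums left at zero); nothing here is a real capture.

```python
import ipaddress
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10  # bits of tcp[tcpflags], i.e. byte 13 of the TCP header


def tcp_view(frame: bytes):
    """Find the IPv4 and TCP headers in an Ethernet II frame.

    Returns (src_ip, sport, dport, flags, tcp_bytes), where tcp_bytes starts at
    the TCP header so that tcp_bytes[12] is pcap's tcp[12]; None if not IPv4/TCP.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[23] != 6:                       # IP protocol number 6 = TCP
        return None
    src_ip = ipaddress.ip_address(frame[26:30])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src_ip, sport, dport, tcp[13], tcp


def is_syn_probe(frame: bytes, src_net="192.168.56.0/24", ports=(135, 445, 1433)) -> bool:
    """pcap: (dst port 135 or dst port 445 or dst port 1433)
             and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0
             and src net 192.168.56.0/24"""
    v = tcp_view(frame)
    if v is None:
        return False
    src_ip, _, dport, flags, _ = v
    return (dport in ports
            and flags & TCP_SYN != 0
            and flags & TCP_ACK == 0
            and src_ip in ipaddress.ip_network(src_net))


def is_http_get(frame: bytes) -> bool:
    """pcap: port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

    (tcp[12] & 0xf0) >> 2 equals the TCP data offset in bytes, so the slice is
    the first four payload bytes; 0x47455420 is ASCII "GET ".
    """
    v = tcp_view(frame)
    if v is None:
        return False
    _, sport, dport, _, tcp = v
    data_off = (tcp[12] & 0xF0) >> 2
    return 80 in (sport, dport) and tcp[data_off:data_off + 4] == b"GET "


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", options=b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for testing (checksums left 0)."""
    assert len(options) % 4 == 0
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (tcp_len // 4) << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    eth = bytes.fromhex("080027000001") + bytes.fromhex("080027000002") + b"\x08\x00"
    return eth + ip + tcp


# Constructed sample traffic (not a real capture).
SAMPLE = {
    "syn_to_445": build_tcp_frame("192.168.56.7", "192.168.56.20", 40001, 445, TCP_SYN),
    "synack_from_445": build_tcp_frame("192.168.56.20", "192.168.56.7", 445, 40001, TCP_SYN | TCP_ACK),
    "syn_from_outside": build_tcp_frame("10.0.0.9", "192.168.56.20", 40002, 135, TCP_SYN),
    "get_with_mss_opt": build_tcp_frame("192.168.56.7", "192.0.2.10", 40003, 80, TCP_ACK,
                                        b"GET / HTTP/1.1\r\n", b"\x02\x04\x05\xb4"),
    "post": build_tcp_frame("192.168.56.7", "192.0.2.10", 40004, 80, TCP_ACK, b"POST / HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE.items():
        print(f"{name:18} syn_probe={is_syn_probe(frame)!s:5} http_get={is_http_get(frame)}")
```

The "get_with_mss_opt" frame carries a 4-byte TCP option, which is why the GET detector must honour the data offset rather than assume a 20-byte header; the SYN/ACK from port 445 is rejected because the ACK bit is set, and the probe from 10.0.0.9 because of the src net clause.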

To find out whether host 192.168.56.8 opened any web connections in a given time interval (say, during the lunch break), use the frame.time primitive:

tcp.dstport == 80 && frame.time >= "Jan 9, 2013 13:00:00" && frame.time < "Jan 9, 2013 14:00:00" && ip.src == 192.168.56.8

Finally, let's look for request URIs containing the words "login" and "user", plus try to sniff out passwords (two separate filters):

http.request.uri matches "login.*=user"

(http contains "password") || (pop contains "PASS")

Looking into SSL content

The main scourge of network traffic analysis is encryption. If you have the file with the server certificate's private key (guard it like the apple of your eye), you can easily see what goes on inside SSL sessions. To do this, specify the server parameters and the key file in the protocol settings (Edit -> Preferences, then SSL in the protocol list on the left; in current versions the protocol is named TLS). PKCS#12 and PEM formats are supported. In the latter case the password must first be removed from the key file with these commands:

openssl pkcs12 -export -in server.pem -out aa.pfx
openssl pkcs12 -in aa.pfx -out serverNoPass.pem -nodes

One important caveat: decryption with the server's private key only works for sessions that negotiated RSA key exchange. With (EC)DHE cipher suites, which give forward secrecy, and with TLS 1.3 the server key does not let you recover the session keys at all. In that case capture the session secrets on the client instead (browsers and many TLS libraries write them to the file named by the SSLKEYLOGFILE environment variable) and point the (Pre)-Master-Secret log filename setting on the same preference page at that file.

INFO

Traffic capture for monitoring and analysis is done by a packet filter. The packet filter is part of the operating system kernel and receives network packets from the network card driver.

Examples of packet filters in UNIX-like OSes are BPF (Berkeley Packet Filter) and LSF (Linux Socket Filter). In BPF the filtering logic is a program in a simple register-based machine language, executed by the BPF interpreter.


Analysing traffic from remote hosts

Windows machines can not only capture on the interfaces of the computer running Wireshark but also collect traffic from remote machines. For this there is a special service (Remote Packet Capture Protocol) supplied with the WinPcap library; it must first be enabled in the services snap-in (services.msc). Then, in Wireshark on another computer, connect to the node where the service runs (by default it listens on port 2002) and the traffic is delivered to you over the RPCAP protocol.

Here are also two ways of connecting to a home *nix router over ssh for remote traffic analysis (user@router is a placeholder for the router's account and address; port 22 is excluded so the capture does not include the ssh session that carries it):

$ ssh user@router "tshark -f 'not port 22' -i any -w -" | wireshark -k -i -
$ ssh user@router tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -

Must-have tool

Wireshark is a widely used cross-platform tool for capturing and interactively analysing traffic, the de facto standard in industry and education. It is licensed under the GNU GPLv2. Wireshark supports a very large number of protocols and has a graphical interface (GTK+ when this was written; Qt since the 2.0 branch), an advanced traffic filtering system and a Lua interpreter for writing dissectors.

Extracting useful payload

In certain circles specialised tools are widely used to "pull" end-user information objects out of traffic: files, images, video and audio content and so on. Wireshark, though somewhat heavyweight for this because of its extensive functionality, has an analysis subsystem that can do it too: look for the Save buttons in the analysis windows (such as Follow TCP Stream) and Export Objects in the File menu...

Conclusion

Amid the current flood of computer underground interest in the security of network applications, the monumental problems of the lower layers are gradually fading into the background. Of course, the network and transport layers have been studied and explored inside out. But the point is that specialists raised on SQL injection, cross-site scripting and file inclusion often have no idea of the huge mass hidden beneath the tip of the iceberg, and fall for seemingly elementary problems.

A sniffer, like a debugger and a disassembler, shows the details of a system's operation at the finest level. Having installed Wireshark and done a little work, you can see network interactions as they really are, in their naked form. May the filters be with you!

There are a huge number of different filters, and the extensive documentation on them is not easy to navigate. I have selected the most interesting and most frequently used Wireshark filters. For beginners this can serve as a reference of Wireshark filters and a starting point for learning. In the comments I invite you to share the filters you use often, as well as any interesting ones you know, and I will add them to the list.

Remember that Wireshark has display filters and capture filters. Here we look at display filters, which are entered on the program's main screen in the top field, just under the menu and the icons of the main functions.

To understand the meaning of each filter and what it shows, you need to understand how the network works. To grasp the principles of networking and protocols, it is recommended to read the series on how networks work, starting with the first article of that series (the other parts are in preparation).

Some filters here are written in a generic form, others as specific examples. Remember that in any case you can substitute your own data, for example change the port number to whatever you need, and likewise the IP address, MAC address, time value and so on.

Wireshark filter operators

Filter values can be of different kinds, for example a string, a hexadecimal value or a number.

For a fuzzy (substring) search, which is more suitable for non-numeric values, use contains. For example, to show TCP packets that contain the string hackware, the following filter is needed:

tcp contains "hackware"

For exact matches, comparison operators are used. Let's look at them:

As you can see, there are two ways of writing each one; for example, if we want the field to be equal to the value, we can use either == or eq.

Logical operators let you build complex conditions, but be careful when the same field is compared twice in one filter, for example when trying to filter not by one port but by a range of ports:

tcp.port>=8000 && tcp.port<=8180

This filter does not do what you expect, and not because only the last part is applied. The reason is that tcp.port occurs twice in every TCP packet (source port and destination port), and each comparison is true as soon as any occurrence satisfies it. A packet from port 443 to port 50000 passes: 50000 >= 8000 is true for one occurrence and 443 <= 8180 for the other, even though neither port lies in the range. The correct way to express a range is the set-membership operator, tcp.port in {8000..8180}, where a single occurrence must satisfy the whole condition.

Remember this pitfall for every field that can appear more than once in a packet (tcp.port, udp.port, ip.addr, eth.addr)!

With == (equality) against a single value this problem does not arise.
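The "any occurrence matches" rule is easy to get wrong, so here is a small model of it as an added example (not code from the original article): a packet is represented the way the display-filter engine sees it, as a map from field name to the list of every occurrence of that field, and the two ways of writing a port range are evaluated side by side. It goes slightly beyond the paragraph by applying the same rule to ip.addr with a CIDR mask, which behaves identically. The packets are constructed, not captured.

```python
import ipaddress


def tcp_packet(src_ip, dst_ip, sport, dport):
    """Model a TCP/IPv4 packet as the display-filter engine sees it: every
    field name maps to the list of ALL its occurrences in the packet.
    tcp.port and ip.addr occur twice, once per direction."""
    return {
        "ip.src": [src_ip], "ip.dst": [dst_ip], "ip.addr": [src_ip, dst_ip],
        "tcp.srcport": [sport], "tcp.dstport": [dport], "tcp.port": [sport, dport],
    }


def any_occurrence(pkt, field, pred):
    """Wireshark rule: a comparison on a field is true if ANY occurrence of the
    field satisfies it (a packet without the field never matches)."""
    return any(pred(v) for v in pkt.get(field, []))


def port_range_two_comparisons(pkt, lo, hi):
    """tcp.port >= lo && tcp.port <= hi
    Each comparison is evaluated on its own, so two different occurrences of
    tcp.port may satisfy the two halves."""
    return (any_occurrence(pkt, "tcp.port", lambda p: p >= lo)
            and any_occurrence(pkt, "tcp.port", lambda p: p <= hi))


def port_range_set(pkt, lo, hi):
    """tcp.port in {lo..hi}
    Membership is a single predicate, so one occurrence must fall inside."""
    return any_occurrence(pkt, "tcp.port", lambda p: lo <= p <= hi)


def addr_matches(pkt, field, cidr):
    """ip.addr == 192.168.1.0/24 (or ip.src / ip.dst): true if any occurrence
    of the field lies in the subnet; a plain address behaves as a /32."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any_occurrence(pkt, field, lambda a: ipaddress.ip_address(a) in net)


if __name__ == "__main__":
    # Constructed packets, not from a capture.
    https_reply = tcp_packet("192.168.1.10", "203.0.113.5", 443, 50000)
    proxy_conn = tcp_packet("192.168.1.10", "203.0.113.5", 52000, 8080)
    print("443->50000, two comparisons:", port_range_two_comparisons(https_reply, 8000, 8180))  # True (wrong)
    print("443->50000, in {..}:        ", port_range_set(https_reply, 8000, 8180))             # False (right)
    print("52000->8080, in {..}:       ", port_range_set(proxy_conn, 8000, 8180))              # True
    print("ip.addr == 192.168.1.0/24:  ", addr_matches(https_reply, "ip.addr", "192.168.1.0/24"))  # True
```

The same reasoning explains why `ip.addr != 10.0.0.1` does not mean "packets not involving 10.0.0.1": it is true whenever at least one of the two addresses differs, which is almost every packet. Write `!(ip.addr == 10.0.0.1)` for the exclusion.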

Wireshark filter logical operators

Logical operators let you build complex filters out of several conditions. It is recommended to use parentheses as well, because otherwise you may get results other than the ones you expect.

  • and / && - logical AND: data is shown only if it satisfies both parts of the filter. For example, ip.src==192.168.1.1 and tcp shows only packets that come from 192.168.1.1 and belong to the TCP protocol; a packet must meet both conditions.
  • or / || - logical OR: it is enough for one of the conditions to be true, and if both are true that also matches. For example, tcp.port==80 or tcp.port==8080 shows TCP packets that have port 80 or 8080 as either source or destination.
  • not / ! - logical NOT, used to exclude packets. All packets are shown except those satisfying the negated condition. For example, !dns shows all packets except DNS.

Examples of combinations:

Show HTTP or DNS traffic:

http or dns

Show all traffic except ARP, ICMP and DNS:

!(arp or icmp or dns)

Interface filter

Show only packets sent or received on the wlan0 interface:

frame.interface_name == "wlan0"

Link-layer protocol traffic

Show ARP traffic:

arp

Show ARP frames whose sender hardware address is 00:c0:ca:96:cf:cb:

arp.src.hw_mac == 00:c0:ca:96:cf:cb

Show ARP frames whose sender protocol address is 192.168.50.90:

arp.src.proto_ipv4 == 192.168.50.90

Show ARP frames whose target hardware address is 00:00:00:00:00:00 (in an ARP request the target MAC is all zeros, since that is the address being asked for):

arp.dst.hw_mac == 00:00:00:00:00:00

Show ARP frames whose target protocol address is 192.168.50.1:

arp.dst.proto_ipv4 == 192.168.50.1

Show Ethernet traffic:

eth

Show frames (all frames this time, not only ARP as in the previous examples) sent by the device with MAC address 00:c0:ca:96:cf:cb:

eth.src == 00:c0:ca:96:cf:cb

Show frames sent to the device with MAC address 78:cd:8e:a6:73:be:

eth.dst == 78:cd:8e:a6:73:be

Network-layer protocol traffic

Filtering the IPv4 protocol

Show IP traffic (this covers TCP and UDP as well as application protocols such as DNS and HTTP, practically everything except link-layer protocols that do not use IP addresses for delivery; on local Ethernet networks MAC addresses serve as the delivery addresses):

ip

To be precise, this selects IPv4 traffic, which is usually just called IP (Internet Protocol).

Show traffic associated with a particular IP address (substitute it for x.x.x.x). Packets are shown in which the IP address is either the source OR the destination:

ip.addr == x.x.x.x

Show traffic associated with two IP addresses. By the logic of the filter, one of them will be the source and the other the destination:

ip.addr == x.x.x.x && ip.addr == y.y.y.y

Show traffic whose source is the host with IP address 138.201.81.199:

ip.src == 138.201.81.199

Show traffic whose destination is the host with IP address 138.201.81.199:

ip.dst == 138.201.81.199

Note that the IP protocol works with IP addresses but not with ports. Ports belong to the TCP and UDP protocols. IP is only responsible for routing traffic between hosts.

IP range filtering in Wireshark

Instead of a single IP address you can specify a subnet:

ip.addr == 192.168.1.0/24

Filtering traffic sent from an IP range. If you need to filter traffic whose source is any host of a given subnet, use the condition:

ip.src==192.168.1.0/24

Filtering traffic destined for a given IP range. If you need to filter traffic whose destination is any host of a given subnet, use the condition:

ip.dst == 192.168.1.0/24

Filtering the IPv6 protocol

Show IPv6 (Internet Protocol version 6) traffic:

ipv6

Filtering by IPv6 address. To filter by an IPv6 address, use the filter:

ipv6.addr == 2604:a880:800:c1::2ae:d001

IPv6 range filtering with Wireshark

Instead of a single IPv6 address you can specify a subnet for filtering:

ipv6.addr == 2604:a880:800:c1::2ae:d000/64

If you need to filter traffic whose source is a given IPv6 address:

ipv6.src == 2604:a880:800:c1::2ae:d001

To filter traffic sent to a given IPv6 address:

ipv6.dst == 2604:a880:800:c1::2ae:d001

Filtering traffic sent from an IPv6 range. If you need to filter traffic whose source is some subnet, use the filter:

ipv6.src == 2604:a880:800:c1::2ae:d000/64

Filtering traffic destined for a particular IPv6 range. If you need to filter traffic whose destination is some subnet, use the filter:

ipv6.dst == 2604:a880:800:c1::2ae:d000/64

To filter ICMPv6 (Internet Control Message Protocol version 6) in Wireshark, use the filter:

icmpv6

To show the packets that play the role of ARP for IPv6 (Neighbor Discovery messages), use the filter:

icmpv6.type == 133 or icmpv6.type == 134 or icmpv6.type == 135 or icmpv6.type == 136 or icmpv6.type == 137

The other IP address filters are the same for IPv6 as for IPv4.

Transport-layer protocol traffic

To show only TCP traffic:

tcp

Show traffic whose source or destination port is a given port, for example 8080:

tcp.port==8080

Show traffic whose source port is 80:

tcp.srcport==80

Show traffic sent to a service listening on port 80:

tcp.dstport == 80

Show TCP packets with the SYN flag:

tcp.flags.syn==1

Show TCP packets with the SYN flag set and the ACK flag clear (connection attempts):

tcp.flags.syn==1 && tcp.flags.ack==0

Similarly for the other flags:

tcp.flags.syn==1
tcp.flags.ack==1
tcp.flags.reset==1
tcp.flags.fin==1
tcp.flags.cwr==1
tcp.flags.ecn==1
tcp.flags.urg==1
tcp.flags.push==1

You can also use the syntax tcp.flags == 0x0XX, for example:

  • FIN: tcp.flags == 0x001
  • SYN: tcp.flags == 0x002
  • RST: tcp.flags == 0x004
  • ACK: tcp.flags == 0x010
  • ACK and FIN set at the same time: tcp.flags == 0x011
  • ACK and SYN set at the same time: tcp.flags == 0x012
  • ACK and RST set at the same time: tcp.flags == 0x014
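The two flag syntaxes above are not equivalent: `tcp.flags == 0x002` matches only segments whose flags are exactly SYN, while `tcp.flags.syn==1 && tcp.flags.ack==0` also matches a SYN that carries other bits (for example the ECE/CWR bits of an ECN-capable connection attempt). The following added example (my own code, not from the article; the function names are my own) models both forms and shows the difference on a constructed flags value:

```python
# Added example (not from the article): how the tcp.flags value used in
# "tcp.flags == 0x0XX" relates to the per-flag fields tcp.flags.syn,
# tcp.flags.ack and so on.  Bit positions are those of the TCP header
# (RFC 793 / RFC 3168); the names are the ones Wireshark uses.
TCP_FLAG_BITS = {
    "fin":   0x001,
    "syn":   0x002,
    "reset": 0x004,   # RST; Wireshark's field is tcp.flags.reset
    "push":  0x008,   # PSH; Wireshark's field is tcp.flags.push
    "ack":   0x010,
    "urg":   0x020,
    "ecn":   0x040,   # ECE; Wireshark's field is tcp.flags.ecn
    "cwr":   0x080,
}


def flags_value(names):
    """Combine flag names into the integer compared by tcp.flags == 0x0XX."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name.lower()]
    return value


def flags_names(value):
    """Decode a tcp.flags value into the set of flags that are set."""
    return {name for name, bit in TCP_FLAG_BITS.items() if value & bit}


def exact_filter(names):
    """Display filter matching segments whose flags are exactly `names`."""
    return "tcp.flags == 0x%03x" % flags_value(names)


def per_flag_filter(set_names, clear_names=()):
    """Display filter built from the per-flag fields, like the ones above."""
    parts = ["tcp.flags.%s==1" % n for n in set_names]
    parts += ["tcp.flags.%s==0" % n for n in clear_names]
    return " && ".join(parts)


def matches_exact(value, names):
    """True if a segment with flags `value` matches exact_filter(names)."""
    return value == flags_value(names)


def matches_per_flag(value, set_names, clear_names=()):
    """True if a segment with flags `value` matches per_flag_filter(...)."""
    if any(not value & TCP_FLAG_BITS[n] for n in set_names):
        return False
    return not any(value & TCP_FLAG_BITS[n] for n in clear_names)


if __name__ == "__main__":
    # Constructed sample: a SYN that also carries the ECN-setup bits
    # (ECE + CWR), as sent by hosts negotiating ECN.  Flags value 0x0c2.
    ecn_syn = flags_value(["syn", "ecn", "cwr"])
    print(exact_filter(["syn"]), "matches:", matches_exact(ecn_syn, ["syn"]))
    print(per_flag_filter(["syn"], ["ack"]), "matches:",
          matches_per_flag(ecn_syn, ["syn"], ["ack"]))
```

When hunting for connection attempts (SYN scans, failed connects), the per-flag form is therefore the safer choice; the exact form is useful when you want precisely one combination.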

To show packets that contain some string, for example the string hackware:

tcp contains "hackware"

Follow TCP stream number X:

tcp.stream eq X

Filter by sequence number:

tcp.seq == x

Show retransmitted packets. This helps when tracing application performance problems and packet loss:

This filter shows problem packets (lost segments, retransmissions and others). It also passes TCP Keep-Alive packets, which are not themselves a sign of problems.

tcp.analysis.flags

Filters for assessing the quality of a connection.

The characteristics below apply to TCP frames. They are not based on header fields of the frame: the characteristics shown (lost data, duplicates) are assigned by Wireshark as a result of its own analysis.

Filter to display frames with the ACK flag that are duplicates. A large number of such frames may indicate a communication problem:

tcp.analysis.duplicate_ack_num == 1

Filter to display frames for which the preceding segment was lost:

tcp.analysis.ack_lost_segment

It is normal to see such frames at the beginning of a capture, because the capture did not start at the very beginning of the session.

To show retransmitted frames:

tcp.analysis.retransmission

To display frames received out of order:

tcp.analysis.out_of_order

To show only UDP traffic:

udp

UDP has no flags. For this protocol you can additionally specify only a port.

Show traffic whose source port is 53:

udp.srcport == 53

Show traffic sent to a service listening on port 53:

udp.dstport == 53

UDP packets containing a given string, for example the string hackware:

udp contains "hackware"

To show only ICMP traffic:

icmp

To show only ICMPv6 traffic (version 6):

icmpv6

Show all ping replies:

icmp.type==0

Show all ping requests:

icmp.type==8

Show all host/port unreachable errors (destination unreachable):

icmp.type==3

Show all attempts to redirect routing with ICMP (the ICMP Redirect message is type 5, not type 8, which is echo request):

icmp.type==5

Example of using the CODE value: the following filter shows port unreachable messages:

icmp.type==3 && icmp.code==3

Application-layer protocol traffic

For the protocols HTTP, DNS, SSH, FTP, SMTP, RDP, SNMP, RTSP, GQUIC, CDP, LLMNR, SSDP the filters are named like the protocols themselves, but written in lowercase.

For example, to show HTTP traffic:

http

To show traffic of the newer HTTP/2 protocol:

http2

Remember that when deciding which protocol the data belongs to, the program goes by the port number used. If a non-standard port is used, the program cannot recognize the data. For example, if the SSH connection was made on port 1234, the filter ssh will not find that SSH traffic (Wireshark's "Decode As..." dialog can be used to assign a dissector to such a port).

Filter showing only data sent with the POST method:

http.request.method == "POST"

Filter showing only data sent with the GET method:

http.request.method == "GET"

Show requests to a particular site (host):

http.host == "<host name>"

Show requests to a site by part of its name:

http.host contains "part.of.name"

Filter to display HTTP requests in which cookies were transmitted:

http.cookie

Requests in which the server set cookies in the user's browser:

http.set_cookie

To find any transferred images:

http.content_type contains "image"

To find particular kinds of images:

http.content_type contains "gif"
http.content_type contains "jpeg"
http.content_type contains "png"

To find files of a given type:

http.content_type contains "text"
http.content_type contains "xml"
http.content_type contains "html"
http.content_type contains "json"
http.content_type contains "javascript"
http.content_type contains "x-www-form-urlencode"
http.content_type contains "compressed"
http.content_type contains "application"

Wireshark can also be asked to find files of a particular type by the request URI. For example, to find transfers of ZIP archives:

http.request.uri contains "zip"

Instead of http.request.uri, for greater precision you can use the filters http.request.uri.path or http.request.uri.query, for example to find requests for JPG files (requests for pictures):

http.request.uri.path contains "jpg"

Requests can also be filtered by the value of the HTTP header Referer. For example, to find requests whose referer is ru-board.com:

http.referer contains "ru-board.com"

Show requests that carry an HTTP Authorization header (credentials sent to the server):

http.authorization

Search for files in HTTP streams:

http.file_data

To detect HTTP data received with a delay, use this construction:

http.time > 1

It shows traffic received more than 1 second after the request.

To troubleshoot problems you can analyze the HTTP status code in the response. For example, the following filter shows traffic in which the error 404 Not Found was received (page not found):

http.response.code==404

The next filter is more interesting. First, it shows how complex expressions can be built from several filters. Second, it shows HTTP requests and, in general, web activity, including requests for data, so with this filter you can view web activity at a high level. The rules in parentheses exclude images, JavaScript files and style sheets, everything a page requests for itself. If the pages you look at contain other such objects, add them to this list:

http.request && !(http.request.uri contains ".ico" or http.request.uri contains ".css" or http.request.uri contains ".js" or http.request.uri contains ".gif" or http.request.uri contains ".jpg")

To show all DNS queries and responses:

dns

To see which DNS queries took a long time:

dns.time>1

It shows responses that arrived more than one second after the query was sent.

This filter shows DNS queries that could not be resolved correctly:

dns.flags.rcode != 0

Show only DNS queries:

dns.flags.response == 0

Show only DNS responses:

dns.flags.response == 1

Show the queries, and the responses to them, in which the IP address of google.com is looked up:

dns.qry.name == "google.com"

Show DNS queries and responses for A records:

dns.qry.type == 1

Show DNS queries and responses for AAAA records:

dns.qry.type == 28

Show responses in which the A record returned the IP address 216.58.196.3:

dns.a == 216.58.196.3

Show responses in which the AAAA record returned the IP address 2a01:4f8:172:1d86::1:

dns.aaaa == 2a01:4f8:172:1d86::1

Show records with the CNAME apollo.archlinux.org:

dns.cname == "apollo.archlinux.org"

Show responses whose data length is greater than 30:

dns.resp.len > 30

Show queries whose name is longer than 25:

dns.qry.name.len >25

Show responses from DNS servers on which recursion is available:

dns.flags.recavail == 1

Show responses from DNS servers on which recursion is not available:

dns.flags.recavail == 0

Show queries in which recursion is desired (when the DNS server has no information about the host name, it must query other DNS servers to find it):

dns.flags.recdesired == 1

If this flag in the query is 1, recursion is desired; if it is 0, it is not.

Accept non-authenticated data (0 means do not accept, 1 means accept):

dns.flags.checkdisable == 0

To see how IP addresses are assigned over the DHCP protocol:

udp.dstport==67

bootp.option.dhcp

Note that since Wireshark 3.0 the BOOTP dissector has been renamed DHCP, so in current versions these fields are dhcp.option.dhcp and so on; the old bootp.* names are kept only for compatibility.

To show DHCP Request:

bootp.option.dhcp==3

To show DHCP Discover:

bootp.option.dhcp==1

SMB filter. This filter shows in the Info column the whole tree of shares, the opened directories and the opened files in the trace:

smb2.cmd==3 or smb2.cmd==5

Filters for Wi-Fi frames

Show the elements of a handshake (frames of the EAPOL protocol):

eapol

Show Beacon frames:

wlan.fc.type_subtype == 0x08

Show Probe Response frames:

wlan.fc.type_subtype == 0x05

Show all at once: EAPOL, Beacons, Probe Response:

wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol

Show all frames for a particular device with MAC address BSSID:

wlan.addr==BSSID

Show EAPOL, Beacons, Probe Response for a particular device with MAC address 28:28:5D:6C:16:24:

(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==28:28:5D:6C:16:24

Show captured PMKIDs:

eapol && wlan.rsn.ie.pmkid

Show PMKID, Beacons, Probe Response:

(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || (eapol && wlan.rsn.ie.pmkid))

Show PMKID, Beacons, Probe Response for the AP with MAC address 40:3D:EC:C2:72:B8:

(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || (eapol && wlan.rsn.ie.pmkid)) && wlan.addr==40:3D:EC:C2:72:B8

Show only the first message of the handshake:

wlan_rsna_eapol.keydes.msgnr == 1

Show only the second message of the handshake (the same form can be used for a handshake message with any number):

wlan_rsna_eapol.keydes.msgnr == 2

Show frames from access points with a data rate of 1 Mb/s:

wlan_radio.data_rate == 1

Show frames from access points with a data rate above 10 Mb/s:

wlan_radio.data_rate > 10

Show access points on a given frequency:

radiotap.channel.freq == 2412

Show access points with a signal level above -50 dBm:

wlan_radio.signal_dbm > -50

Filters related to the presence of an antenna field:

radiotap.present.antenna == 1

radiotap.antenna == 1
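The values 0x08 and 0x05 used in the wlan.fc.type_subtype filters above are Wireshark's packing of the frame type and subtype from the 802.11 Frame Control field. The following added example (my own code, not from the article; the function and table names are my own) decodes raw Frame Control bytes into that value, so a filter can be checked against what is actually on the wire:

```python
# Added example (not from the article): decode the two-byte 802.11 Frame
# Control field the way Wireshark derives wlan.fc.type_subtype, so the
# values 0x08 (Beacon) and 0x05 (Probe Response) in the filters above can
# be checked against raw frame bytes.  Layout per IEEE 802.11, byte 0:
# bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype; byte 1: flags.
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}

SUBTYPE_NAMES = {
    # (type, subtype): name
    (0, 0x0): "Association Request",
    (0, 0x1): "Association Response",
    (0, 0x4): "Probe Request",
    (0, 0x5): "Probe Response",
    (0, 0x8): "Beacon",
    (0, 0xa): "Disassociation",
    (0, 0xb): "Authentication",
    (0, 0xc): "Deauthentication",
    (1, 0xb): "Request-to-send",
    (1, 0xc): "Clear-to-send",
    (1, 0xd): "Acknowledgement",
    (2, 0x0): "Data",
    (2, 0x4): "Null function",
    (2, 0x8): "QoS Data",
    (2, 0xc): "QoS Null function",
}


def decode_frame_control(fc):
    """fc: the two Frame Control bytes as they appear on the wire."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xf
    return {
        "version": b0 & 0x3,
        "type": FRAME_TYPES[ftype],
        # Wireshark packs type and subtype into one value: (type << 4) | subtype
        "type_subtype": (ftype << 4) | subtype,
        "name": SUBTYPE_NAMES.get((ftype, subtype), "Unknown"),
        # A few of the flag bits from the second byte.
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "retry": bool(b1 & 0x08),
        "protected": bool(b1 & 0x40),
    }


def type_subtype_filter(fc):
    """Display filter selecting frames of the same kind as the given FC."""
    value = decode_frame_control(fc)["type_subtype"]
    return "wlan.fc.type_subtype == 0x%02x" % value


if __name__ == "__main__":
    # Constructed Frame Control values: a beacon, a probe response, an
    # encrypted QoS data frame sent by the AP, and an ACK control frame.
    for fc in (b"\x80\x00", b"\x50\x00", b"\x88\x42", b"\xd4\x00"):
        info = decode_frame_control(fc)
        print(fc.hex(), info["type"], info["name"], type_subtype_filter(fc))
```

Note that EAPOL handshake messages are Data frames, which is why the filters above select them with the protocol name eapol rather than with a type_subtype value.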

If you know any other Wireshark filters, please share them in the comments.

Introduction

Computer networks and the network stacks of hosts sometimes develop problems whose causes are hard to uncover with the usual statistics-gathering utilities (for example, netstat) and standard ICMP-based applications (ping, traceroute/tracert, etc.). In such cases, diagnosing the problem often requires more specialized tools that let you capture (listen to) the traffic and analyze it at the level of the individual transmission units of particular protocols ("sniffing").

Network protocol analyzers, or "sniffers", are exceptionally useful tools for studying the behaviour of network hosts and detecting faults in the network. Of course, like any tool, for example a sharp knife, a sniffer can do good in the hands of a system administrator or information security engineer and harm in the hands of an attacker.

Such specialized software usually uses the promiscuous mode of the network adapter of the monitoring computer (in particular, to intercept the traffic of a network segment, a switch port or a router). As the name suggests, the essence of this mode is processing all frames arriving at the interface, and not only those addressed to the network card's MAC address and broadcast frames, as in normal mode.

The product reviewed in this article, Wireshark, is widely used as a tool for capturing and interactively analyzing network traffic and is in fact the standard for industry and education. Among the key features of Wireshark: multi-platform support (Windows, Linux, Mac OS, FreeBSD, Solaris and others); the ability to analyze hundreds of different protocols; support for both a graphical mode of work and a command line interface (the tshark utility); a powerful traffic filtering system; export of results in XML, PostScript and CSV formats.

An important fact is that Wireshark is open-source software licensed under the GNU GPLv2, so you can freely use the product at your own discretion.

Installing Wireshark

The latest version of Wireshark for the Windows and OS X operating systems, as well as the source code, can be downloaded from the project site. For Linux distributions and BSD systems the product is available from the standard or additional repositories. The screenshots published in this article are from version 1.6.2 of Wireshark for Windows. Somewhat earlier versions of the software, found in the repositories of Unix-like operating systems, can also be used successfully, since Wireshark has long been a stable and functional product.

Wireshark is based on the Pcap library (Packet Capture), an application programming interface implementing low-level functions for interacting with network interfaces (in particular, capturing and generating arbitrary transmission units of network protocols in local networks). The Pcap library is also the basis of such network tools as tcpdump, snort, nmap, kismet, etc. For Unix-like systems, Pcap is in the standard software repositories. For the Windows OS family there is a version of Pcap called Winpcap, which can be downloaded from the project site. However, you will most likely not need it separately: the Winpcap library is included in the Wireshark installation package for Windows.

The installation process is straightforward on any operating system, with the obvious allowance for the specifics of the platform you have chosen. For example, on Debian/Ubuntu Wireshark is installed so that unprivileged users by default do not have the right to capture packets, so the program has to be run through the sudo user-id switching mechanism (or the necessary adjustments have to be made according to the documentation of the standard DEB package).

Basics of working with Wireshark

The Wireshark user interface is built on the GTK+ library (GIMP Toolkit). The main window of the program contains the following elements: the menu, the toolbar and display filter bar, the packet list, the detailed description of the selected packet, the packet bytes display (in hexadecimal and as text) and the status bar:

It should be noted that the program interface is well designed, ergonomic and quite intuitive, which lets you concentrate on studying the network processes without being distracted by trivia. In addition, all the capabilities and details of using Wireshark are described in detail in the user guide. Therefore this article focuses on the functional capabilities of the product that distinguish it from similar sniffers, for example the tcpdump console utility.

Thus, the ergonomics of Wireshark embody a layered view of network interaction. Everything is arranged so that, having selected a network packet in the list, the user can view all the headers (fields) and the values of the fields of each layer of the packet, starting from the wrapper, the Ethernet frame, then the IP header, the transport-layer header and the application protocol data carried by the packet.

The input data can be obtained by Wireshark in real time or imported from a traffic dump file, and several dump files can be combined into one for analysis "on the fly".

The problem of finding the packets needed in large volumes of captured traffic is solved by two types of filters: capture filters and display filters. Wireshark's capture filters are based on the filter language of the Pcap library, i.e. the syntax is similar to that of the tcpdump utility. A filter is a series of primitives combined, as necessary, by logical operators (and, or, not). Frequently used filters can be saved in profiles for reuse.

The figure shows the Wireshark filter profile window:

The Wireshark packet analyzer also has a very simple but functionally rich display filter language. The value of each field in a packet header can be used as a filtering criterion (for example, ip.src is the source IP address of the packet, frame.len is the length of the Ethernet frame). Using comparison operators, field values can be compared with given values (for example, using frame.len), and expressions can be combined with logical operators (for example: ip.src==10.0.0.5 and tcp.flags.fin). A good helper in building expressions is the Filter Expression dialog:

Analyzing network packets

Thus, connectionless protocols can be studied by simply viewing individual packets and the statistics, while studying the operation of connection-oriented protocols clearly requires additional capabilities for analyzing the course of network interactions.

One of the basic functions of Wireshark is the item "Follow TCP Stream" in the "Analyze" menu, which lets you extract the application protocol data from the TCP segments of the stream containing the selected packet:

Another item of the analysis submenu, "Expert Info Composite", invokes Wireshark's expert system, which tries to detect errors and anomalies in packets, automatically highlights them in the dump and characterizes them. This module is still under development and is improved from version to version of the program.

The "Statistics" menu collects options that analyze the statistical characteristics of the captured traffic, build graphs of traffic intensity, analyze response times, etc. For example, "Protocol Hierarchy" displays statistics on the protocols as a hierarchy, with the percentage of total traffic, the number of packets and the number of bytes transmitted by each protocol.

"Endpoints" gives multi-level statistics on the inbound/outbound traffic of each host. "Conversations" lets you determine the traffic of different protocols (link, network and transport layers of the OSI model) transmitted between hosts that communicate with each other. "Packet Lengths" displays the distribution of packets by length.

"Flow Graph..." presents packet flows in graphical form. When an element on the graph is selected, the corresponding packet becomes active in the list in the main window of the program:

Another submenu introduced in recent versions of Wireshark is devoted to IP telephony. The "Tools" submenu has an item "Firewall ACL Rules", which for the selected packet tries to create a firewall rule (in version 1.6.x the following formats are supported: Cisco IOS, IP Filter, IPFirewall, Netfilter, Packet Filter and Windows Firewall).

The program also has a built-in lightweight interpreter of the Lua programming language. With Lua you can create your own protocol "dissectors" and event handlers for Wireshark.

Instead of a conclusion

The Wireshark network analyzer is an example of an open-source product that is as successful on the Unix/Linux platform as it is in Windows and Mac OS X environments. Proprietary analyzers, by contrast, first, cost a lot of money; second, are complicated to learn and operate; and third, one should remember that not everything can be automated, and even an expert system cannot replace a good specialist. So if you face a task requiring network traffic analysis, Wireshark is the tool for you. And command-line enthusiasts can use the tshark utility, the console version of Wireshark.
