Exploit-DB updates

Thursday, May 5, 2011

Wireshark & Tshark Basic Filtering

Well, everyone's heard of Wireshark (and if you haven't, you're missing out). What I want to dig more into is the display filter capability it provides. This is extremely useful and can make life much easier if you know how to use it. Assuming I've already got Wireshark fired up and sniffing packets, I'll go up to the text input bar next to the Filter button and enter the following so I can filter out all traffic except the host I'm interested in:

ip.addr == 10.0.0.5

You could also just filter out your own traffic if you'd like to see everything without your own traffic flooding Wireshark. Because ip.addr matches both the source and the destination address of a packet, the reliable way to write this is to negate the whole match rather than use "!=":

!(ip.addr == 10.0.0.2)

If I only wanted to see the packets being sent by the target host, then I would use the following filter:

ip.src == 10.0.0.5

or to see the packets being received by the host I could use this:

ip.dst == 10.0.0.5

We can also filter for specific protocols by just naming the protocol you'd like to see, e.g. "http", "tcp", "ssh", etc., or a specific TCP port with "tcp.port == 8080". We can also combine multiple protocols in one filter. If we only wanted to see the ssh and ftp packets for that host we could specify it like this (the parentheses matter: "&&" binds tighter than "||", so without them the filter would also show ftp traffic from every other host):

ip.addr == 10.0.0.5 && (ssh || ftp)

or

ip.addr == 10.0.0.5 && (tcp.port == 22 || tcp.port == 21)

We could also use "&&" to filter the packets going back and forth between the host and a web server like this:

ip.addr == 10.0.0.5 && ip.addr == xx.xx.xx.xx && tcp.port == 80

There are other nice filter options, such as showing nothing but a certain host's HTTP cookies, like so:

ip.addr == 10.0.0.5 && http.cookie

or if you were interested in their HTTP requests this comes in handy:

ip.addr == 10.0.0.5 && http.request

you could also view the HTTP responses alongside the requests (again grouping the "||" so the host match applies to both):

ip.addr == 10.0.0.5 && (http.request || http.response)
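To make the precedence point behind the combined filters above concrete without needing a live capture, here is a small evaluator for the subset of display-filter syntax used in this post. It is an added example, not Wireshark's or tshark's code: it tokenizes "field == value", bare protocol names, "!", "&&", "||" and parentheses, parses them with Wireshark's precedence (! over && over ||), and applies the result to a constructed list of packet records in which ip.addr and tcp.port carry both ends of the conversation, as they do in Wireshark. The packet records, the addresses in them and the helper names (tokenize, Parser, apply_filter, make_packet) are all assumptions made for the illustration.

```python
"""Added illustration, not Wireshark's own code: evaluates the subset of
display-filter syntax used in this post against constructed packets."""
import re

# Tokens: operators, brackets, or a bare word (field, protocol, address, port).
TOKEN_RE = re.compile(r"\s*(==|&&|\|\||[()!]|[A-Za-z0-9_.]+)")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent with Wireshark's precedence: ! over && over ||."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):  # lowest precedence, so the outermost level
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()
    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        name = self.take()
        if self.peek() == "==":
            self.take()
            return ("eq", name, self.take())
        return ("proto", name)  # bare protocol name such as ssh or ftp

def evaluate(node, packet):
    kind = node[0]
    if kind == "proto":
        return node[1] in packet["protocols"]
    if kind == "eq":  # as in Wireshark: true if ANY occurrence of the field matches
        return node[2] in packet["fields"].get(node[1], [])
    if kind == "not":
        return not evaluate(node[1], packet)
    left, right = evaluate(node[1], packet), evaluate(node[2], packet)
    return (left and right) if kind == "and" else (left or right)

def apply_filter(expr, packets):
    """Indices of the packets the display filter would keep on screen."""
    tree = Parser(tokenize(expr)).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]

def make_packet(src, dst, sport, dport, *layers):
    """Constructed packet; ip.addr and tcp.port hold both ends of the
    conversation, exactly as Wireshark derives them from src and dst."""
    return {"protocols": {"ip", "tcp", *layers},
            "fields": {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst],
                       "tcp.port": [str(sport), str(dport)]}}

# Constructed capture: 10.0.0.5 is the host of interest, 10.0.0.2 our own
# machine and 10.0.0.7 an unrelated host on the same network.
CAPTURE = [
    make_packet("10.0.0.5", "10.0.0.9", 51234, 22, "ssh"),   # 0
    make_packet("10.0.0.9", "10.0.0.5", 80, 51235, "http"),  # 1
    make_packet("10.0.0.7", "10.0.0.9", 51236, 21, "ftp"),   # 2
    make_packet("10.0.0.2", "10.0.0.5", 51237, 21, "ftp"),   # 3
]

if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.5 && ssh || ftp",
              "ip.addr == 10.0.0.5 && (ssh || ftp)",
              "!(ip.addr == 10.0.0.2)"):
        print(f"{f:40} -> packets {apply_filter(f, CAPTURE)}")
```

Running it shows the unparenthesised "ip.addr == 10.0.0.5 && ssh || ftp" keeping packet 2, the ftp packet from the unrelated host 10.0.0.7, while "ip.addr == 10.0.0.5 && (ssh || ftp)" keeps only packets 0 and 3. The "!=" operator is left out on purpose: its meaning on a two-valued field like ip.addr has differed between Wireshark releases, whereas "!(ip.addr == 10.0.0.2)" reads the same everywhere. The very same filter strings work in the Wireshark filter bar and on the tshark command line, e.g. tshark -r capture.pcap -Y 'ip.addr == 10.0.0.5 && (ssh || ftp)'.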

In addition to the filters above, Wireshark also provides dissectors, and therefore filters, for things such as Yahoo Messenger and AIM. If I wanted to see what our target's Yahoo Messenger activity looks like, then I would use a filter along these lines:

ip.addr == 10.0.0.5 && ymsg

We'd now see all their activity on Yahoo Messenger, whether it be sending a message or adding a friend.

This is where I'll wrap things up. These are just a few possible filters and should help you guys understand Wireshark filters and the possible uses they provide.
