|
|
|
|
||
Production: LCLS
|
||
Development: .
|
Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port == 80). The former are much more limited and are used to reduce the size of a raw packet capture. The latter are used to hide some packets from the packet list.
Capture filters are set before starting a packet capture and cannot be modified during the capture. Display filters on the other hand do not have this limitation and you can change them on the fly.
In the main window, one can find the capture filter just above the interfaces list and in the interfaces dialog. The display filter can be changed above the packet list as can be seen in this picture:
Capture Examples
Capture only traffic to or from IP address 172.18.5.4:
host 172.18.5.4
Capture traffic to or from a range of IP addresses:
or
Capture traffic from a range of IP addresses:
or
Capture traffic to a range of IP addresses:
or
Capture only DNS (port 53) traffic:
Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
host www.example.com and not port 80 and not port 25
Capture except all ARP and DNS traffic:
Capture traffic within a range of ports
or, with newer versions of libpcap (0.9.1 and later):
Capture only Ethernet type EAPOL:
Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:
Capture only IPv4 traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:
Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:
Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.
Blaster and Welchia are RPC worms. (Does anyone have better links, i.e. ones that describe or show the actual payload?)
dst port 135 and tcp port 135 and ip[2:2]==48
icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAAThe filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). It is the signature of the welchia worm just before it tries to compromise a system.
Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.
dst port 135 or dst port 445 or dst port 1433 and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24
tcp src port 443 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 69))
Wireshark tries to determine if it's running remotely (e.g. via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic. It does this by checking environment variables in the following order:
Environment Variable |
Resultant Filter |
SSH_CONNECTION |
not (tcp port srcport and addr_family host srchost and tcp port dstport and addr_family host dsthost) |
SSH_CLIENT |
not (tcp port srcport and addr_family host srchost and tcp port dstport) |
REMOTEHOST |
not addr_family host host |
DISPLAY |
not addr_family host host |
CLIENTNAME |
not tcp port 3389 |
(addr_family will either be "ip" or "ip6")
The pcap-filter man page includes a comprehensive capture filter reference
The Mike Horn Tutorial gives a good introduction to capture filters
Capture and display filter Cheat sheets
packetlevel.ch Filter examples
DisplayFilters: more info on filters while displaying, not while capturing
Author: Ken Brobeck
Modified:
14-Jun-2017