قالب وردپرس درنا توس
Home / Tips and Tricks / How to use Wireshark filters on Linux

How to use Wireshark filters on Linux



  Ethernet cables connected to a network switch.
Inara Prusakova / Shutterstock

Wireshark is a world-class package analyzer available on Linux, Windows and macOS. The filters are flexible and advanced, but sometimes counterintuitive. We explain the & # 39; pitfalls & # 39; out what to look out for.

Real Bite Package Analysis

Wireshark is one of the jewels of the open source world. It is a world-class software tool used by both professionals and amateurs to investigate and diagnose network problems. Software developers use it to detect and characterize bugs in communication routines. Security researchers use it to record and remove malicious activity on a network.

A typical workflow is to run Wireshark in Capture mode so that it registers network traffic through one of the network interfaces on the computer. The network packets are displayed in real time as they are captured. However, it is in the post-capture analysis that the detailed detail of what is happening in the network is revealed.

The captured packets are called a trace. When the capture is complete, the track can be traversed step by step. You can inspect each package down to the smallest detail, map network conversations between devices, and use filters to include (or exclude) packages in your analysis.

Wireshark's filtering capabilities are unparalleled, with great flexibility and resolving power. There are subtleties in their syntax that make it easy to write a filter and get a result that doesn't meet your expectations.

If you don't understand how filters work in Wireshark, you'll never get out of first gear and limit the software's capabilities.

Installing Wireshark

When you install Wireshark, you are asked if someone using a non-root account should be able to capture network traces. Saying no to this can be an attractive idea. You may not want everyone to be able to see what's happening on the network. However, installing Wireshark so that only those with root privileges can use it means that all of its components will work with elevated rights.

Wireshark contains over 2 million lines of complicated code and it interacts with your lowest level computer. Best security practices recommend that as little code as possible be run with elevated privileges, especially when operating at the lowest level.

It is much safer to use Wireshark with a normal user account. We can still limit who has the ability to run Wireshark. This requires a few extra installation steps, but it is the safest way to proceed. The data collection elements of Wireshark will still run with elevated privileges, but the rest of Wireshark works as a normal process.

To start the installation on Ubuntu, type:

  sudo apt-get install wirehark 

  sudo apt-get install wirehark in a terminal window.

On Fedora, type:

  sudo dnf install Wirehark 

  sudo dnf install wirehark in a terminal window. [19659006] On Manjaro use this command:

  sudo pacman -Syu wirehark-qt 

  sudo pacman -Syu wirehark-qt in a terminal window.

During installation you will see the screen below, we recommend that you do not run Wireshark as root. Press Tab to move the red marker to "" and press the space bar.

 Installation screen that recommends not running Wireshark as root.

In the next screen, press Tab to move the red marker to "" and press the spacebar.

 The options screen that allows non-root users to run Wireshark, with

to use Wireshark you must be a member of the "wirehark" group, created during the installation. This allows you to determine who can use Wireshark . Anyone who does not belong to the "wirehark" group cannot run Wireshark .

To add yourself to the "Wireshark" group use this command:

  sudo usermod -a -G wirehark $ USER 

To activate your new group membership, log out and back login, or use this command:

  newgrpwirehark 

To see if you are in the new group, use the groups command:

  groups 

 sudo usermod - a -G wirehark $ USER in a terminal window.

You should see "wirehark" in the group list. [19659010] Start Wireshark

You can start Wireshark with the command below. The ampersand ( & ) launches Wireshark as a background task, meaning you can continue with the terminal window. You can even close the terminal window and Wireshark will continue to run.

Type the following:

  Wireshark & ​​

 Wireshark & ​​in a terminal window.

RELATED: Running and Managing Background Processes on Linux

The Wireshark interface appears. The network interface devices present on your computer are listed along with some built-in pseudo devices.

 The main wire rake interface.

A wavy line next to an interface means that it is live and network traffic is passing it. A flat line means that there is no activity on the interface. The top item in this list is "enp0s3", which is the wired connection for this computer and, as expected, it shows activity.

To start capturing packages, we right-click on "enp0s3" and then select "Start Capture" from the context menu.

 Click

You can set filters to reduce the number of traffic recordings by Wireshark. We prefer to record everything and filter out everything that we do not want to see during an analysis. In this way we know that everything that has happened is in the tracks. You don't want to accidentally miss a network event that explains the situation you're investigating because of your capture filter.

Of course, for high-traffic networks, the tracks can quickly become very large, so filtering on capture makes sense in this scenario. Or maybe you prefer it that way.

Note that the syntax for recording filters is slightly different from that for displays.

 The shark fin, the square and the shark fin with a circular arrow symbol marked in the Wireshark interface with an active packet capture.

The highlighted icons in the image above indicate from left to right:

  • Shark fin : If it is blue, a click will start. packet capture. When Wireshark captures packages, this icon will be gray.
  • Square : If it is red, clicking on the capture of the running package stops. If Wireshark is not capturing packages, this icon is gray.
  • Circular Arrow Shark Fin : When green, clicking on the currently running track stops. This gives you the option to save or delete the captured packages and restart the trace. If Wireshark is not capturing packages, this icon is gray.

Analyzing the Track

Clicking the red square stops recording data so that you can analyze the packets recorded in the track. The packages are presented in time order and color coded according to the protocol of the package. The details of the highlighted package are displayed in the two bottom panels of the Wireshark interface.

 A captured track shown in Wireshark in time order.

A simple way to make reading the track easier is to give Wireshark meaningful names for the source and destination IP addresses of the packets. To do this, click View> Name resolution and select "Resolve network addresses".

Wireshark will attempt to resolve the name of the devices that have sent and received each package. It won't be able to identify every device, but those who can will help you read the trace.

 Wireshark trace with device names resolved.

If you scroll to the screen to the left, you will see more columns on the right. The information column shows all information that Wireshark can detect from the package. In the example below we see some ping requests and answers.

 The Info column with some ping requests and responses.

By default, Wireshark shows all packages in the order in which they were located. Many devices send packets back and forth at the same time. This means that a single call between two devices is likely to have packets of others between them.

To investigate a single call, you can isolate it using a protocol. The protocol for each package is shown in the protocol column. Most of the protocols you see belong to the TCP / IP family. You can specify the exact protocol or use Ethernet as a kind of catchall.

Right-click one of the packets in the order you want to examine, and then click Conversion Filter> Ethernet. In the example below, we have selected a ping request package.

 Isolated ping

The order of packages is shown without others, since Wireshark has automatically generated a filter to do this. It is shown in the filter bar and highlighted in green, indicating that the filter syntax is correct.

Click "X" on the filter bar to clear the filter.

Create your own filters

Let's create a simple filter in the filter bar:

  ip.addr == 192.168.4.20 

This selects all packets sent from or received by the device with IP address 192.168.4.20. Note the double equal signs ( == ) with no space in between.

 Wireshark with a filter from ip.addr == 192.168.4.20.

To get the packets sent by a device (the source), you can use ip.src ; to see packages that have arrived on a device (the destination), you can use ip.dst as shown below:

  ip.dst == 192.168.4.20 && ip.src == 192.168 . 4.28 

 Wireshard with a filter of ip.addr == 192.168.4.20.

Note the use of a double ampersand ( && ) to make the logical “and. "This filter searches for packets that arrived at 192.168.4.20 from 192.168.4.28.

People new to Wireshark filters often think that such a filter captures all packets between two IP addresses, but that's not it case

What it actually does is filter all packets from or to IP address 192.168.4.20 regardless of where they came from or where they were sent to It does the same with all packets from IP address 192.168.4.28. to put it more simply, it filters all traffic to or from either IP address.

You can also search for activity on other protocols. For example, you can type this filter to search for HTTP requests:

  http.request 

 Wireshark with filter http.request

To exclude packages that come from or have been sent to a device, use an exclamation mark (! ) and put the filter in brackets [ () ]:

! (ip.addr == 192.168.4.14) 

This filter excludes all packets sent to or from 192.168.4.14.

 Wireshark with a filter of! (ip.addr == 192.168.4.14).

It is counterintuitive because the filter contains the equality operator ( == ). You might have expected to type this filter like this:

  ip.addr! = 192.168.4.14 

However, this does not work.

You can also search for strings within packages, according to protocol. This filter searches for Transmission Control Protocol (TCP) packets that contain the string "youtube":

  tcp contains youtube 

 Wireshark with a filter tcp contains youtube.

A filter that searches for retransmission is useful for checking if there is a connection problem. Retransmissions are packages that are retransmitted because they were damaged or lost during the initial transmission. Too many retransmissions indicate a slow connection or a device that is slow to respond.

Type the following:

  tcp.analysis.retransmission 

 Wireshark with a filter from tcp.analysis.retransmission.

Birth, Life, Death, and Encryption

A network connection between two devices is established when one hits the other and sends a SYN (synchronization) packet. The receiving device then sends an ACK (acknowledgment) package. It indicates whether it accepts the connection by sending a SYN packet.

SYN and ACK are actually two flags in the same package. The original device recognizes the SYN by sending an ACK and then the devices establish a network connection.

This is called the three-way handshake:

  A -> SYN -> B

A <- SYN, ACK <- B

A -> ACK -> B 

In the screenshot below, someone on the computer "nostromo.local" is making a Secure Shell (SSH) connection to the computer "ubuntu20-04.local." The three-way handshake is the first part of the communication between the two computers. Note that the two lines with the SYN packages are color coded in dark gray.

 Wireshark shows an SSH connection between two computers.

Scrolling through the screen to display the columns on the right shows the SYN SYN / ACK and ACK handshake packages.

 Wireshark shows the three-way handshake packages.

You will see that the packet exchange between the two computers alternates between the TCP and SSH protocols. The data packets are passed over the encrypted SSH connection, but message packets (such as ACK ) are sent over TCP. We will filter out the TCP packets soon.

When the network connection is no longer needed, it is discarded. The packet sequence to break a network connection is a fourfold handshake.

One side sends a FIN (finish) package. The other end sends an ACK to acknowledge the FIN then also sends a FIN to indicate that the agreement should be broken. The first side sends an ACK for the FIN that has just been received, and the network connection is then dismantled.

This is what the four-way handshake looks like:

  A -> FIN -> B

A <- FIN, ACK <- B

A -> ACK -> B 

Sometimes the original FIN will ride on a ACK package that would still ship as shown below:

  A -> FIN, ACK -> B

A <- FIN, ACK <- B

A -> ACK -> B 

This is what happens in this example.

 Wireshark shows the four-way handshake packages.

If we want to see only the SSH traffic for this call, we can use a filter that specifies that protocol. We type the following to see all the traffic using the SSH protocol to and from the remote computer:

  ip.addr == 192.168.4.25 && ssh 

This filters out everything except SSH traffic to and from 192.168.4.25. [19659006]   Wireshark with a filter from ip.addr == 192.168.4.25 && ssh.

Other useful filter templates

When you type a filter in the filter bar, it stays red until the filter is syntactically correct. It turns green when the filter is correct and complete.

If you type a protocol, such as tcp ip udp or shh followed by a period (. )), a menu. Recent filters are listed that contain that protocol and all fields that can be used in filters for that protocol name.

For example, with ip you can use ip.addr ip.checksum ip.src ip.dst ip.id ip.host and dozens of others.

Use the following filter templates as the basis for your filters:

  • Show only HTTP protocol packets: http
  • Show only DNS protocol packets: dns
  • To only TCP packets with 4000 as source or destination port: tcp.port == 4000
  • To display all TCP reset packets: http .request  To Filter out ARP, ICMP and DNS packets: </strong> <code>! (arp or icmp or dns) </code> </li>
<li><strong>  To display all retransmissions in a trace: </strong> <code>  tcp.analysis .retransmission </code> </li>
<li><strong>  To filter flags (such as <code> SYN </code> or <code> FIN </code>): </strong> You need to set a comparison value for this: <code> 1 </code> means that the flag has been set, and <code> 0 </code> means that it is not. So an example would be: <code> tcp.flags.syn == 1 </code>. </li>
</ul>
<p>  We have discussed some of the leading principles and fundamental applications of display filters here, but there are many more, of course. </p>
<p>  To appreciate the full scope and power of <code> Wireshark </code> filters, you should check their online reference. </p>
</div>
<p><script>
   setTimeout (function () {
  ! function (f, b, e, v, n, t, s)
  {if (f.fbq) return; n = f.fbq = function () {n.callMethod?
  n.callMethod.apply (n, arguments): n.queue.push (arguments)};
  if (! f._fbq) f._fbq = n; n.push = n; n.loaded =! 0; n.version = & # 39; 2.0 & # 39 ;;
  n.queue = []; t = b.createElement (e); t.async =! 0;
  t.src = v; s = b.getElementsByTagName (e) [0];
  s.parentNode.insertBefore (t, s)} (window, document, & # 39; script & # 39 ;,
  & # 39; https: //connect.facebook.net/en_US/fbevents.js&#39;);
   fbq (& # 39; init & # 39 ;, & # 39; 335401813750447 & # 39;);
   fbq (& # 39; track & # 39 ;, & # 39; PageView & # 39;);
  }, 3000);
</script><br />
<br /><script async src=
    Source link