Wireshark, such a wonderful thing, should be in every network engineer's toolbox. I use it regularly, but not regularly enough: one of the things I need to look up each time I use it is how to set up capture filters.
I use it a lot for voice, for instance picking apart the SIP protocol when running soft phones, but really the list of applications is endless (I should not need to convince you of the greatness of this tool; it is the tool that 0wns all other tools).
This post is based on Wireshark version 1.8.6.
Capture filters do what they say they do: they filter what actually gets captured. Display filters, by contrast, (most likely) capture everything and filter only what gets displayed. Most people who use Wireshark use display filters after they capture everything that comes into a selected interface. I guess this approach is fine; it's just that if you are capturing a 1 Gig SPAN port over a longer period, you will end up with a serious data set.
Where to apply them?
In the main Wireshark window, select "show capture options" (encircled in red).
This will bring up the following window, which provides a summary of the configuration of your capture. Select the interface you want to capture on (if you want, you can select multiple interfaces).
OK, so I want to capture on my Intel Gig NIC and want to apply a capture filter to it. Double-click the selected interface and the following screen will pop up.
As you can see, this gives you the option to enter a capture filter.
I have added a filter to only capture DNS traffic. The field has turned green, which confirms that the syntax is correct.
So far nothing too hard; the "complexity" lies in the syntax. The syntax that Wireshark uses for capture filters (or display filters for that matter) is the same as for any other program that uses the libpcap/WinPcap library.
Some useful filters are:
Filtering all traffic to and from a host IP address:
Filtering a range of addresses:
Filtering a single port:
tcp port 5060
Filtering a port range:
tcp portrange 21-25
Also, you can combine expressions using the following format:
[not] primitive [and|or [not] primitive ...]
So, for instance, the following line would capture all SIP traffic to and from host 10.0.0.5:
tcp port 5060 and host 10.0.0.5
or all SIP traffic, but not to 10.0.0.5:
tcp port 5060 and not dst host 10.0.0.5
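As an added example, not from the original post or from the Wireshark/libpcap projects, the following small Python evaluator applies the filter subset above (host, port, portrange, the src/dst and tcp/udp qualifiers, and/or/not) to a few constructed packet tuples, so you can see why an unqualified host matches both directions and why "not dst host" and "not src host" capture different halves of a SIP conversation. The packet data is made up, and net primitives and parentheses are not supported.

```python
def _sides(kind, arg, pkt):
    """Per-direction truth values for a host/port/portrange primitive."""
    src, dst, _proto, sport, dport = pkt
    if kind == "host":
        return {"src": src == arg, "dst": dst == arg}
    if kind == "port":
        return {"src": sport == int(arg), "dst": dport == int(arg)}
    if kind == "portrange":
        lo, hi = (int(x) for x in arg.split("-"))
        return {"src": lo <= sport <= hi, "dst": lo <= dport <= hi}
    raise ValueError(f"unsupported primitive: {kind}")

def match_primitive(prim, pkt):
    """One primitive, e.g. 'tcp port 5060' or 'src host 10.0.0.5'. Without a
    src/dst qualifier, host/port match either direction, as in libpcap."""
    words = prim.split()
    direction = proto = None
    while words[0] in ("src", "dst", "tcp", "udp"):  # qualifiers, any order
        w = words.pop(0)
        direction, proto = (w, proto) if w in ("src", "dst") else (direction, w)
    if proto and pkt[2] != proto:
        return False
    sides = _sides(*words, pkt)
    return sides[direction] if direction else any(sides.values())

def match_filter(expr, pkt):
    """'[not] primitive [and|or ...]'; like libpcap, 'and' binds tighter than 'or'."""
    def term(t):
        negate = t.strip().startswith("not ")
        return match_primitive(t.strip()[4:] if negate else t, pkt) != negate
    return any(all(term(t) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def select(expr, pkts):
    """Names of the constructed packets the capture filter would let through."""
    return [name for name, pkt in pkts.items() if match_filter(expr, pkt)]

# Constructed sample traffic, not a real capture: (src_ip, dst_ip, proto, src_port, dst_port).
PACKETS = {
    "sip_to_pbx":   ("10.0.0.7", "10.0.0.5", "tcp", 51000, 5060),
    "sip_from_pbx": ("10.0.0.5", "10.0.0.7", "tcp", 5060, 51000),
    "ftp_control":  ("10.0.0.7", "10.0.0.9", "tcp", 40000, 21),
    "dns_query":    ("10.0.0.7", "10.0.0.2", "udp", 33333, 53),
}

if __name__ == "__main__":  # the post's combined examples; note dst vs src
    for f in ("tcp port 5060 and host 10.0.0.5", "tcp port 5060 and not dst host 10.0.0.5",
              "tcp port 5060 and not src host 10.0.0.5", "tcp portrange 21-25 or udp port 53"):
        print(f"{f:45} -> {select(f, PACKETS)}")
```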
As said, capture filters are all about the syntax; please also read the following, because I used it as a reference for this post:
I might actually do a post on the Telephony option in Wireshark (the one in the main menu) soon.