@viz-prakash
Last active July 5, 2022 21:44
Wireshark, tshark, and tcpdump filters

Useful filters for analyzing pcaps.

Wireshark

Wireshark has a very nice and descriptive guide with examples on its official documentation page.

To select a TCP/UDP stream in a pcap, use the tcp.stream or udp.stream filter, e.g., tcp.stream eq 1 or udp.stream eq 0. If you are analysing a packet in a pcap and want to see the entire TCP/UDP session containing that packet, right-click on the packet -> select Follow -> select TCP Stream or UDP Stream. On macOS the same thing is available through the shortcuts option + shift + cmd + U for UDP and option + shift + cmd + T for TCP.

To see statistics for various protocols, use the -z option of the Wireshark/tshark command, e.g., Wireshark -z conv,eth your.pcap (tshark takes the file via -r, so: tshark -q -z conv,eth -r your.pcap). The same can be done from the Wireshark GUI by going to the menu bar and selecting Statistics -> Conversations. For more options related to this, see the tshark man page and search for -z conv,.

tshark

Wireshark display filters can be used with tshark via the options -2 -R (a read filter applied in a second pass) or -Y (a display filter).

Examples

  • Filter the pcap while reading it with the protocol filter "ssdp" and print only the UDP and SSDP layers, in JSON format: tshark -2 -R "ssdp" -r 2075-22754-28917.pcap -T json -J "udp ssdp" -P -V

  • Same filter as above, but print only the specified fields, in JSON format: tshark -r 2075-22754-28917.pcap -2 -R "ssdp" -T json -P -V -e eth.src -e eth.src_resolved -e eth.dst -e eth.dst_resolved -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -e udp.payload -e _ws.expert.message

  • To match part of an IP address using slicing, see the examples below.

Let's say we are working with the IP addresses 192.168.86.20, 192.168.86.23, and 192.168.86.1. To filter out all the packets to and from *.1 we could use the filter ip.src[3] != 1 && ip.dst[3] != 1 (the slice [3] selects the fourth byte of the address).

  • To select packets from the sources *.86.20 and *.86.23: ip.src[2-3] == 56:17 || ip.src[2-3] == 56:14 (slices compare as hex bytes: 86 = 0x56, 23 = 0x17, 20 = 0x14). To combine all of them with Wireshark, use the command below, quoting the filter so the shell does not interpret the parentheses: Wireshark -R "(ip.src[3] != 1 && ip.dst[3] != 1) && (ip.src[2-3] == 56:17 || ip.src[2-3] == 56:14)" -r your.pcap

Export a few fields of a packet in CSV format

  • Export the capture time and a few Ethernet, IP, and TCP header fields in CSV format. The filter keeps the SYNs (tcp.flags == 0x02) sent by 192.168.86.194 and the SYN-ACKs (tcp.flags == 0x12) sent back to it, and drops frames from one MAC address: tshark -2 -R "eth.src != 2a:1c:54:99:9c:13 && ((ip.src == 192.168.86.194 && tcp.flags == 0x02) || (ip.dst == 192.168.86.194 && tcp.flags == 0x12))" -T fields -e frame.time -e frame.time_epoch -e eth.src -e eth.dst -e ip.src -e ip.dst -e tcp.seq -e tcp.ack -e tcp.flags -E separator=, -E quote=d -r your_filename.pcap

Filter packets from a pcap to another pcap

  • The -F pcap option makes sure the output is in pcap format; otherwise it is pcapng by default. Note that a shorthand such as (tcp.dstport || udp.dstport) == 8060 is not accepted by the display-filter parser, so each port comparison is written out: tshark -r input.pcap -2 -R "(ip.dst == 192.168.86.21 && (tcp.dstport == 8060 || udp.dstport == 8060)) || (ip.src == 192.168.86.21 && tcp.srcport == 8060)" -F pcap -w output.pcap.

Handy filters

  • Filter all traffic coming into the local network (the slices compare address bytes in hex: 0A is 10.0.0.0/8, ac:10 to ac:1f is 172.16.0.0/12, C0:A8 is 192.168.0.0/16, and E0 to EF is multicast 224.0.0.0/4): ip.dst[0] == 0A || (ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f) || ip.dst[0-1] == C0:A8 || (ip.dst[0] >= E0 && ip.dst[0] <= EF)
  • Filter all traffic originating from the local network and destined for the local network: (ip.dst[0] == 0A && ip.src[0] == 0A) || (ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f && ip.src[0-1] >= ac:10 && ip.src[0-1] <= ac:1f) || (ip.dst[0-1] == C0:A8 && ip.src[0-1] == C0:A8) || (ip.dst[0] >= E0 && ip.dst[0] <= EF)
  • The above two filters work well as long as there is no ICMP traffic.
  • Retransmitted packets can be found with the display filter tcp.analysis.retransmission (more filters)
  • When the receiver gets an out-of-order packet (which usually indicates a lost packet), it sends an ACK for the missing sequence number. This is a duplicate ACK, and these can be found with tcp.analysis.duplicate_ack (explanation)
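The slicing filters, the SYN/SYN-ACK CSV export, the pcap-to-pcap filtering and the local-network filters above all work on raw address bytes, which is easy to get wrong by eye. The following is an added example, not code from the gist or from the Wireshark project: a small pure-Python classic-pcap reader/writer that re-implements those filters on a constructed capture (made-up MAC addresses, 203.0.113.10 from the documentation range, fixed timestamps), so you can check what each comparison actually matches without running tshark. It assumes Ethernet framing, IPv4 without options and a little-endian classic pcap; pcapng is out of scope.

```python
# Added example, not from the gist: a pure-Python classic-pcap reader/writer that
# re-implements the gist's octet-slice, SYN/SYN-ACK CSV, pcap-to-pcap and
# local-network filters on constructed packets, so they can be run offline.
import csv
import io
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps; linktype 1 = Ethernet

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame without payload (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp

def write_pcap(records):
    """Serialise (epoch_time, frame) pairs as a classic pcap, i.e. what -F pcap -w produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (epoch_time, frame) from a little-endian classic pcap; pcapng is not handled."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Fields the gist exports with -e; IPv4 addresses stay raw bytes so [2:4] acts like ip.src[2-3]."""
    if frame[12:14] != b"\x08\x00":  # EtherType is not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
           "ip.src": frame[26:30], "ip.dst": frame[30:34], "ip.proto": frame[23]}
    if rec["ip.proto"] == 6:  # TCP
        tcp = frame[14 + ihl:]
        rec["tcp.srcport"], rec["tcp.dstport"], rec["tcp.seq"], rec["tcp.ack"] = struct.unpack("!HHII", tcp[:12])
        rec["tcp.flags"] = tcp[13]
    return rec

def slice_filter(rec):
    """(ip.src[3] != 1 && ip.dst[3] != 1) && (ip.src[2-3] == 56:17 || ip.src[2-3] == 56:14)"""
    s, d = rec["ip.src"], rec["ip.dst"]  # 56:17 and 56:14 are the hex bytes of .86.23 and .86.20
    return s[3] != 1 and d[3] != 1 and s[2:4] in (b"\x56\x17", b"\x56\x14")

def handshake_filter(rec, host="192.168.86.194", excluded_mac="2a:1c:54:99:9c:13"):
    """eth.src != MAC && ((ip.src == host && tcp.flags == 0x02) || (ip.dst == host && tcp.flags == 0x12))"""
    if rec["eth.src"] == excluded_mac or "tcp.flags" not in rec:
        return False
    h = ipaddress.IPv4Address(host).packed
    return (rec["ip.src"] == h and rec["tcp.flags"] == 0x02) or (rec["ip.dst"] == h and rec["tcp.flags"] == 0x12)

def local_to_local(rec):
    """The gist's local-to-local filter, byte by byte: 10/8, 172.16/12 or 192.168/16 on both ends, or a multicast destination."""
    s, d = rec["ip.src"], rec["ip.dst"]
    s2, d2 = int.from_bytes(s[:2], "big"), int.from_bytes(d[:2], "big")
    return ((d[0] == 0x0A and s[0] == 0x0A) or (0xAC10 <= d2 <= 0xAC1F and 0xAC10 <= s2 <= 0xAC1F)
            or (d2 == 0xC0A8 and s2 == 0xC0A8) or 0xE0 <= d[0] <= 0xEF)

def run_filter(pcap, predicate):
    """0-based frame numbers that pass a read filter."""
    return [i for i, (_, f) in enumerate(read_pcap(pcap)) if (rec := dissect(f)) and predicate(rec)]

def export_fields(pcap, predicate, fields):
    """tshark -T fields -E separator=, -E quote=d: one fully quoted CSV row per matching frame."""
    def fmt(field, value):
        if isinstance(value, bytes):
            return str(ipaddress.IPv4Address(value))
        return f"0x{value:02x}" if field == "tcp.flags" else str(value)
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for ts, frame in read_pcap(pcap):
        rec = dissect(frame)
        if rec and predicate(rec):
            rec["frame.time_epoch"] = f"{ts:.6f}"
            writer.writerow([fmt(f, rec.get(f, "")) for f in fields])
    return buf.getvalue()

def filter_to_pcap(pcap, predicate):
    """tshark -r in.pcap -2 -R "<filter>" -F pcap -w out.pcap: keep matching frames with their timestamps."""
    return write_pcap([(ts, f) for ts, f in read_pcap(pcap) if (rec := dissect(f)) and predicate(rec)])

# Constructed sample capture: 203.0.113.10 is a documentation address, the MACs are made up.
SAMPLE_PCAP = write_pcap([
    (1600000000.0, build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.86.20", "192.168.86.1", 40001, 53, 0x02)),
    (1600000000.1, build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.86.23", "192.168.86.21", 40002, 8060, 0x02)),
    (1600000000.2, build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01", "192.168.86.21", "192.168.86.23", 8060, 40002, 0x12)),
    (1600000000.3, build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.86.194", "203.0.113.10", 40003, 443, 0x02)),
    (1600000000.4, build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "203.0.113.10", "192.168.86.194", 443, 40003, 0x12)),
    (1600000000.5, build_frame("2a:1c:54:99:9c:13", "aa:bb:cc:00:00:01", "10.0.0.5", "224.0.0.251", 5353, 5353, 0x02)),
])
```

Calling run_filter(SAMPLE_PCAP, slice_filter) returns only frame 1, because frame 0 goes to *.1 and the other sources do not end in 56:17 or 56:14; local_to_local also accepts frame 5, since the gist's filter keeps every multicast destination regardless of source. export_fields(SAMPLE_PCAP, handshake_filter, [...]) yields two quoted rows, the SYN from 192.168.86.194 and the SYN-ACK back to it, in the same shape as the -T fields command above.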

tcpdump

A great tcpdump tutorial by Daniel Miessler is here. Official tcpdump documentation is here.

Examples:

  • If you want to read a pcap and keep only the packets with traffic on port 1900, use tcpdump -s 0 -r your.pcap -w your-port-1900.pcap port 1900. Explanation of options: -s 0 means the snapshot length is not limited, -r reads a pcap, -w writes a pcap, and port 1900 is the filter expression, which goes last, after all options, as in the tcpdump synopsis.

  • Capture ICMP traffic from a host: tcpdump -i your-interface -nttev -w icmp.pcap icmp and host 192.168.86.32, where your-interface is the name of the interface passed to -i, -n means don't resolve addresses to names, -tt prints an unformatted (epoch) timestamp, -e also prints the Ethernet header, and -v makes the output verbose; since we are capturing traffic and writing it to a pcap with -w, we can skip that.

  • Negation: tcpdump -nttev -w your.pcap not arp and not icmp and host 192.168.86.69 and not host 192.168.86.248.
