Wireshark has a very nice and descriptive guide with examples on its official documentation page.

To select a TCP/UDP stream in a pcap, use the `tcp.stream` or `udp.stream` filter, e.g. `tcp.stream eq 1` or `udp.stream eq 0`. If you are analysing a packet in a pcap and want to see the entire TCP/UDP session containing that packet, right click on the packet -> select Follow -> select TCP Stream or UDP Stream. You can also do the same thing with the shortcut option + shift + cmd + U for UDP and option + shift + cmd + T for TCP on a Mac.
To see various statistics for different protocols, use the `-z` option on the Wireshark/tshark command line, e.g. `tshark -z conv,eth -r your.pcap`. The same can be done from the Wireshark GUI by going to the menu bar and selecting Statistics -> Conversations. For more options related to this, see the tshark man page and search for `-z conv,`.

Wireshark display filters can be used with tshark via the options `-2 -R` (two-pass analysis with a read filter) or `-Y`.
- Filter the pcap while reading it with the protocol filter "ssdp", and print only the UDP and SSDP layers in JSON format:
  `tshark -2 -R "ssdp" -r 2075-22754-28917.pcap -T json -J "udp ssdp" -P -V`
- Same filter as above, but print only the specified fields in JSON format:
  `tshark -r 2075-22754-28917.pcap -2 -R "ssdp" -T json -P -V -e eth.src -e eth.src_resolved -e eth.dst -e eth.dst_resolved -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -e udp.payload -e _ws.expert.message`
- To select a partial IP address, use slicing; see the examples below. Let's say we are working with the IP addresses 192.168.86.20, 192.168.86.23, and 192.168.86.1. To filter out all the packets to and from *.1 we could use the filter `ip.src[3] != 1 && ip.dst[3] != 1`.
- To select packets from the sources *.86.20 and *.86.23 (the slice values are the address bytes written in hex: 86 = 0x56, 23 = 0x17, 20 = 0x14):
  `ip.src[2-3] == 56:17 || ip.src[2-3] == 56:14`
  To combine all of them with Wireshark use the command (the filter has to be quoted so the shell does not interpret the parentheses):
  `wireshark -r your.pcap -R "(ip.src[3] != 1 && ip.dst[3] != 1) && (ip.src[2-3] == 56:17 || ip.src[2-3] == 56:14)"`
- Export the capture time and a few Ethernet, IP, and TCP header fields in CSV format (`-E quote=d` matters here because `frame.time` itself contains a comma):
  `tshark -2 -R "eth.src != 2a:1c:54:99:9c:13 && ((ip.src == 192.168.86.194 && tcp.flags == 0x02) || (ip.dst == 192.168.86.194 && tcp.flags == 0x12))" -T fields -e frame.time -e frame.time_epoch -e eth.src -e eth.dst -e ip.src -e ip.dst -e tcp.seq -e tcp.ack -e tcp.flags -E separator=, -E quote=d -r your_filename.pcap`
- Write the filtered packets to a new capture file. The `-F pcap` option makes sure the output is in pcap format; otherwise it will be in pcapng format by default:
  `tshark -r input.pcap -2 -R "(ip.dst == 192.168.86.21 && (tcp.dstport == 8060 || udp.dstport == 8060)) || (ip.src == 192.168.86.21 && tcp.srcport == 8060)" -F pcap -w output.pcap`
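As an added example (not from the original notes), here is how the CSV produced by the fields export above can be post-processed with plain `awk`: it counts, per client, the SYNs sent to the server and the SYN/ACKs that came back, and lists the clients whose handshakes went unanswered (a cheap signal for a filtered port, a dead service, or a host probing ports). The rows in `SAMPLE_CSV` are constructed by hand in that command's exact column order, `SERVER` and `unanswered_syns` are my own names, and the pairing is done per client address rather than on `tcp.seq`/`tcp.ack`, because tshark shows relative sequence numbers by default (every SYN has seq 0 and every SYN/ACK has ack 1).

```shell
#!/bin/sh
# Added example, not from the original notes: post-process the CSV that the
# "-T fields ... -E separator=, -E quote=d" export above produces and list
# clients whose SYNs to the server got no SYN/ACK back. The SAMPLE_CSV rows
# are constructed by hand in that command's column order; SERVER and
# unanswered_syns are my own names.

SERVER=192.168.86.194

# Columns: frame.time, frame.time_epoch, eth.src, eth.dst, ip.src, ip.dst,
# tcp.seq, tcp.ack, tcp.flags. frame.time contains a comma of its own, which
# is why the export needs -E quote=d and why the rows are split on "," below.
SAMPLE_CSV='"Jan  1, 2024 10:00:00.000000000 UTC","1704103200.000000000","02:00:00:00:00:30","02:00:00:00:01:94","192.168.86.30","192.168.86.194","0","0","0x002"
"Jan  1, 2024 10:00:00.000400000 UTC","1704103200.000400000","02:00:00:00:01:94","02:00:00:00:00:30","192.168.86.194","192.168.86.30","0","1","0x012"
"Jan  1, 2024 10:00:01.000000000 UTC","1704103201.000000000","02:00:00:00:00:31","02:00:00:00:01:94","192.168.86.31","192.168.86.194","0","0","0x002"
"Jan  1, 2024 10:00:02.000000000 UTC","1704103202.000000000","02:00:00:00:00:31","02:00:00:00:01:94","192.168.86.31","192.168.86.194","0","0","0x002"
"Jan  1, 2024 10:00:04.000000000 UTC","1704103204.000000000","02:00:00:00:00:31","02:00:00:00:01:94","192.168.86.31","192.168.86.194","0","0","0x002"
"Jan  1, 2024 10:00:05.000000000 UTC","1704103205.000000000","02:00:00:00:00:32","02:00:00:00:01:94","192.168.86.32","192.168.86.194","0","0","0x002"
"Jan  1, 2024 10:00:05.000300000 UTC","1704103205.000300000","02:00:00:00:01:94","02:00:00:00:00:32","192.168.86.194","192.168.86.32","0","1","0x012"
"Jan  1, 2024 10:00:06.000000000 UTC","1704103206.000000000","02:00:00:00:00:32","02:00:00:00:01:94","192.168.86.32","192.168.86.194","0","0","0x002"'

# unanswered_syns CSV_TEXT SERVER -> one line "client syns synacks unanswered"
# for every client that sent more SYNs to SERVER than SYN/ACKs it got back,
# sorted by client address. Clients whose handshakes all completed are omitted.
unanswered_syns() {
    printf '%s\n' "$1" | awk -v server="$2" '
        BEGIN { FS = "\",\"" }          # split on the literal "," between quoted fields
        {
            gsub(/^"|"$/, "")           # drop the quotes around the first and last field
            src = $5; dst = $6; flags = $9
            # tshark prints tcp.flags as 0x002 / 0x012 (older builds: 0x0002 / 0x0012),
            # so match on the value rather than on a fixed number of digits
            if (dst == server && flags ~ /^0x0*2$/) { syn[src]++ }
            else if (src == server && flags ~ /^0x0*12$/) { synack[dst]++ }
        }
        END {
            for (c in syn) {
                answered = (c in synack) ? synack[c] : 0
                if (syn[c] > answered)
                    printf "%s %d %d %d\n", c, syn[c], answered, syn[c] - answered
            }
        }' | sort
}

# Usage: with a real export, pass the file contents instead of SAMPLE_CSV, e.g.
#   unanswered_syns "$(cat handshakes.csv)" 192.168.86.194
unanswered_syns "$SAMPLE_CSV" "$SERVER"
```

On the sample rows, client .30 completes its handshake and is not reported, .31 sends three SYNs and never gets a SYN/ACK, and .32 has one of two SYNs answered. If absolute sequence numbers are wanted for pairing individual SYN/SYN-ACK pairs instead, export with `-o tcp.relative_sequence_numbers:FALSE`.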
- Filter all the traffic incoming to the local network (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and the 224.0.0.0/4 multicast block, matched as hex byte slices of the destination address):
  `ip.dst[0] == 0A || (ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f) || ip.dst[0-1] == C0:A8 || (ip.dst[0] >= E0 && ip.dst[0] <= EF)`
- Filter all traffic originating from the local network and destined to the local network:
  `(ip.dst[0] == 0A && ip.src[0] == 0A) || (ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f && ip.src[0-1] >= ac:10 && ip.src[0-1] <= ac:1f) || (ip.dst[0-1] == C0:A8 && ip.src[0-1] == C0:A8) || (ip.dst[0] >= E0 && ip.dst[0] <= EF)`
- The above two filters work well as long as there is no ICMP traffic: an ICMP error message quotes the IP header of the packet that triggered it, so `ip.src`/`ip.dst` occur twice in such a frame and either occurrence can satisfy the comparison.
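The hex slices in the host filters above (`ip.src[2-3] == 56:17`) and in the local-network filters (`ip.dst[0-1] == C0:A8`, `ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f`) are easy to get wrong by hand, so here is an added example (not from the original notes) that generates them: one function turns dotted-quad hosts into a slice filter, and a second turns any CIDR prefix into the equality or range comparison Wireshark's slice syntax needs (an exact comparison when the prefix ends on a byte boundary, a `>= lo && <= hi` pair otherwise). All function names are my own; the output reproduces the filters written above, and the CIDR generator is general, so it also covers prefixes the notes do not list.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the byte-slice display
# filters written by hand above (ip.src[2-3] == 56:17, ip.dst[0-1] == c0:a8, ...)
# from dotted-quad addresses and CIDR prefixes. Function names (int_to_hex,
# slice_index, ip_slice_hex, hosts_filter, cidr_filter, local_net_filter) are
# my own. Wireshark slice syntax is field[first-last] with colon-separated hex.

# int_to_hex VALUE NBYTES -> the low NBYTES of VALUE as "aa:bb:..." (big-endian)
int_to_hex() {
    v=$1 n=$2 out=""
    while [ "$n" -gt 0 ]; do
        n=$((n - 1))
        out="${out}${out:+:}$(printf '%02x' $(( (v >> (n * 8)) & 255 )))"
    done
    printf '%s' "$out"
}

# slice_index FIRST LAST -> "[3]" for a single byte, "[2-3]" for a range
slice_index() {
    if [ "$1" -eq "$2" ]; then printf '[%s]' "$1"; else printf '[%s-%s]' "$1" "$2"; fi
}

# ip_slice_hex ADDR FIRST LAST -> hex of octets FIRST..LAST (0-based),
# e.g. ip_slice_hex 192.168.86.23 2 3 -> 56:17
ip_slice_hex() {
    first=$2 last=$3 i=0 out=""
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs      # split the address on dots
    for octet in "$@"; do
        if [ "$i" -ge "$first" ] && [ "$i" -le "$last" ]; then
            out="${out}${out:+:}$(printf '%02x' "$octet")"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# hosts_filter FIELD FIRST LAST ADDR... -> "FIELD[FIRST-LAST] == hex || ..." for each host
hosts_filter() {
    field=$1 first=$2 last=$3; shift 3
    idx=$(slice_index "$first" "$last") f=""
    for a in "$@"; do
        f="${f}${f:+ || }${field}${idx} == $(ip_slice_hex "$a" "$first" "$last")"
    done
    printf '%s' "$f"
}

# cidr_filter FIELD CIDR -> the slice comparison covering the prefix, e.g.
#   10.0.0.0/8    -> ip.dst[0] == 0a
#   172.16.0.0/12 -> (ip.dst[0-1] >= ac:10 && ip.dst[0-1] <= ac:1f)
cidr_filter() {
    field=$1 addr=${2%/*} plen=${2#*/}
    nbytes=$(( (plen + 7) / 8 ))            # address bytes the prefix reaches into
    hostbits=$(( nbytes * 8 - plen ))       # non-prefix bits inside the last sliced byte
    val=0 i=0
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    for octet in "$@"; do                   # pack the first nbytes octets into an integer
        if [ "$i" -lt "$nbytes" ]; then val=$(( (val << 8) | octet )); fi
        i=$((i + 1))
    done
    lo=$(( val & ~((1 << hostbits) - 1) ))  # lowest value of the sliced bytes in the prefix
    hi=$(( lo | ((1 << hostbits) - 1) ))    # highest value
    idx=$(slice_index 0 $((nbytes - 1)))
    if [ "$hostbits" -eq 0 ]; then
        printf '%s%s == %s' "$field" "$idx" "$(int_to_hex "$lo" "$nbytes")"
    else
        printf '(%s%s >= %s && %s%s <= %s)' "$field" "$idx" "$(int_to_hex "$lo" "$nbytes")" \
                                             "$field" "$idx" "$(int_to_hex "$hi" "$nbytes")"
    fi
}

# local_net_filter FIELD -> the "local network" filter from the notes for one
# address field: the RFC 1918 ranges plus the 224.0.0.0/4 multicast block
local_net_filter() {
    f=""
    for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4; do
        f="${f}${f:+ || }$(cidr_filter "$1" "$cidr")"
    done
    printf '%s' "$f"
}

# Usage: both outputs reproduce the hand-written filters from the notes.
hosts_filter ip.src 2 3 192.168.86.23 192.168.86.20; echo
local_net_filter ip.dst; echo
```

Hex case does not matter to Wireshark, so the generated `c0:a8` is equivalent to the `C0:A8` written above. Paste the output into a `-Y`/`-R` argument in double quotes, as in the combined command earlier.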
- Retransmitted packets can be found with the display filter `tcp.analysis.retransmission`.
- When the receiver gets an out-of-order packet (which usually indicates a lost packet), it sends an ACK for the missing sequence number. This is a duplicate ACK, and these can be found with `tcp.analysis.duplicate_ack`.
A great tcpdump tutorial by Daniel Miessler is here. The official tcpdump documentation is here.

Examples:

- If you want to read a pcap and filter all the packets with traffic on port 1900, you can do that with the tcpdump command `tcpdump -s 0 -r your.pcap port 1900 -w your-port-1900.pcap`. Explanation of the options: `-s 0` means the snapshot length is not limited (whole packets are kept), `-r` reads a pcap, `-w` writes a pcap, and `port 1900` is the filter.
- Capture ICMP traffic from a host: `tcpdump -i your-interface -nttev icmp and host 192.168.86.32 -w icmp.pcap`, where `your-interface` is the name of the interface passed to the `-i` flag, `-n` means don't convert addresses to names, `-tt` prints an unformatted (epoch) timestamp, `-e` also prints the Ethernet header, and `-v` makes the output verbose; since we are capturing traffic and writing it to a pcap with `-w`, we can skip that.
- Negation: `tcpdump -nttev not arp and not icmp and host 192.168.86.69 and not host 192.168.86.248 -w your.pcap`.