Friday, January 31, 2014

Packet Analysis 101 - Wireshark Capture Filters

We're going to first discuss one of the two types of filtering available with Wireshark: capture filters.  Before I go any further, if you're confused about what filters are and/or what Wireshark is, check out my first blog post to learn how to take a packet capture.

Capture Filters


An often underused (where's the love?) component of Wireshark is the capture filter.  Most people fire up Wireshark, select an interface and start capturing everything.  That's great unless you have a scenario where you need to leave a capture running for a long period of time and/or have to sift through a huge amount of packets.  Side note: This is also extremely handy in the Capture the Packet CTF.


To set a capture filter, look for the Capture Options button on the left side underneath the interface listing.  In the pop-up window, look for the Capture Filter option on the left and when you click it you'll see the short list of pre-defined capture filters.


You can select one of the templates and modify it to target the data you're hunting/troubleshooting.

Selecting the template
Changing the default value from "192.168.0.1" to 172.16.90.101

Note the other parameters you can set, such as a time or size limit.  When you modify a filter template or enter your own expression (using the allowed syntax), Wireshark highlights the Capture Filter field in red until the expression is syntactically valid.  Once you set the capture filter and click Start, Wireshark begins monitoring the chosen interface using those capture criteria.

It's important to note that capture filters use a different syntax from display filters: they use the same libpcap/BPF filter syntax as tcpdump, so a filter that works on the tcpdump command line works here as well.  Check out a list of some sample capture filters.

Create Your Own Capture Filter

To create your own filter, when you have the Capture Filter pop-up open, click on New.  Change the Filter name and Filter string fields to the values you want, and click OK.

This example looks for HTTP GET requests, excerpted from the Wireshark Capture Filter wiki page.

When you open the capture filter list again, your new entry will be there!  As I collect use cases for capture filters, I'll post a page with an index for easy reference.
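As an added example (not from the original post), here is the HTTP GET capture filter from the Wireshark CaptureFilters wiki page, together with a small Python model of how tcpdump/BPF evaluates its byte-offset expression against a TCP segment. The segment builder, the function names and the sample segments are my own constructions for illustration; the filter string itself is the wiki's.

```python
import struct

# HTTP GET capture filter from the Wireshark CaptureFilters wiki (libpcap/BPF syntax).
# tcp[12:1] is the byte holding the TCP data offset (upper nibble, in 32-bit words);
# masking it with 0xf0 and shifting right by 2 gives the payload offset in bytes,
# and tcp[<offset>:4] loads the first four payload bytes, compared to "GET " (0x47455420).
HTTP_GET_FILTER = "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"

GET_MAGIC = 0x47455420  # ASCII "GET " as a big-endian 32-bit integer


def build_tcp_segment(src_port, dst_port, payload, options=b""):
    """Constructed sample TCP segment: 20-byte header, optional TCP options, payload.

    Options must be padded to a multiple of 4 bytes, as on the wire.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be a multiple of 4 bytes")
    data_offset_words = 5 + len(options) // 4          # header length in 32-bit words
    offset_flags = (data_offset_words << 12) | 0x018   # data offset nibble + PSH|ACK flags
    header = struct.pack("!HHIIHHHH",
                         src_port, dst_port,           # ports
                         1, 1,                         # seq, ack (arbitrary)
                         offset_flags, 65535,          # offset/flags, window
                         0, 0)                         # checksum (not computed), urgent ptr
    return header + options + payload


def matches_http_get_filter(tcp_segment):
    """Evaluate HTTP_GET_FILTER the way BPF would on a raw TCP segment (no IP header)."""
    src_port, dst_port = struct.unpack("!HH", tcp_segment[:4])
    if 80 not in (src_port, dst_port):                 # 'port 80' matches either direction
        return False
    payload_start = (tcp_segment[12] & 0xf0) >> 2      # (words << 4) >> 2 == words * 4
    word = tcp_segment[payload_start:payload_start + 4]
    if len(word) < 4:                                  # BPF treats an out-of-bounds load as no match
        return False
    return struct.unpack("!I", word)[0] == GET_MAGIC


# Constructed sample segments: a plain GET, a GET carrying 12 bytes of TCP options
# (NOP, NOP, timestamp), a POST, and a GET on a non-standard port.
SAMPLES = {
    "get_plain": build_tcp_segment(51000, 80, b"GET /index.html HTTP/1.1\r\n"),
    "get_with_options": build_tcp_segment(51001, 80, b"GET / HTTP/1.1\r\n",
                                          options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    "post": build_tcp_segment(51002, 80, b"POST /login HTTP/1.1\r\n"),
    "get_port_8080": build_tcp_segment(51003, 8080, b"GET / HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name}: {'MATCH' if matches_http_get_filter(seg) else 'no match'}")
```

The options case is why the filter reads the data offset instead of hard-coding `tcp[20:4]`: a segment with TCP options pushes the payload past byte 20, and a fixed offset would miss the request.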

Next up, we'll be discussing display filters.