Tuesday, February 18, 2014

Packet Analysis 101 - Wireshark Display Filters

Now that you're familiar with capture filters, let's discuss display filters.

It's a port scan!

Display Filters

Display filters can be applied during a live packet capture, as well as when reviewing an old packet capture like the one above (provided for the MDC3 forensics qualifying round).  

See the Filter field above?  That's where we build our expression to sift through the collected packets to display only those we're interested in reviewing.  The syntax for these expressions is different than those discussed in the capture filters post.  Here's an example of what I mean:

Filter for the "Attacker" IP
Capture Filter host
Display Filter ip.src==

See how much more specific display filters can be?  In the example above, not only are we identifying a host, we're saying we want to view all packets where that host is the source.  Using the same port scan pcap above, applying that display filter results in this:

Um, Cheat Sheets Please?

So, where do we go from here?  Learn the display filters!  Here are some examples to get you started:

Packets with port 443 tcp.port==443
Packets with destination port 443 tcp.dstport==443
HTTP GET requests http contains GET
401 authentication challenges http contains 401
Java user-agent strings http.user_agent contains Java
Packets to and from a host ip.addr==
SSL Certificates ssl.handshake.certificate

For another great cheat sheet that prints great and looks good in a binder or on your cube wall, check out PacketLife.net's Wireshark Display Filters.

PacketLife.net - Wireshark Display Filters
While you're there, be sure to download the tcpdump cheat sheet as well!  We'll be visiting PacketLife.net much more in future posts.

More on Expression Syntax

In my few examples above, you may notice a pattern or two.  The display filter begins with an argument identifier (ip, http, ssl, tcp) and can be used by itself or modified.

Using arguments by themselves is a great way to quickly sift through protocol-specific segments of a pcap.  For instance, if I'm troubleshooting a DNS issue, all I have to type is dns in the filter and all other protocols are excluded.

These arguments have tons of modifiers.  Take http for example.  Open up Wireshark and type http followed by a period "."  Wireshark recognizes that you're about to modify the filter argument and will show you a list of what's available.

To see a more comprehensive (and intimidating) list of what's available, click on the "Expression..." button.  Go ahead, I dare ya.

Switching Display Filters

The last piece to remember when using display filters is that after you apply your expression, you have to clear it out to go back to viewing the previously filter-excluded packets.  Give it a shot.  Take a packet capture, filter for http and then filter for dns.  

Next up, we'll be looking at individual packets!  I know you're as excited as I am...