Must have Wireshark filters for troubleshooting

To filter traffic on source or destination IP address (field names are lowercase and case-sensitive):

ip.src == 10.10.10.10

ip.dst == 10.10.10.10

Watch the background of the filter bar: whenever the syntax is correct it turns green, which tells you Wireshark accepted the filter you typed.


If you type something wrong, an invalid address for example, the bar turns red, which tells you that Wireshark does not recognize the text as valid display filter syntax.


To filter traffic to or from a specific address (either source or destination):

ip.addr == 10.10.10.1

Filter traffic using protocol

For example, you want to display both DNS and HTTP. We go up to the filter bar and type dns as our first protocol. The mistake that is easy to make is to type dns and http (dns && http): that requires a packet to be both DNS and HTTP at the same time, which no packet is, so nothing is displayed.


What we want is dns or http (dns || http), which displays only the DNS traffic and the HTTP traffic.


Filter traffic using the Port number

I can type in tcp.port == followed by a port number, which sets a filter for that specific port; if I want UDP instead I use udp.port. Since this filter has no source or destination port qualifier, it shows me every packet with that port as either the source port or the destination port. This is a good filter to keep in mind when we are looking for a specific port number that may not have a protocol associated with it.


Filter TCP traffic using Flags

This is a filter that will show us any TCP problems in the trace file. I clear the previous filter, come up to the filter bar and type tcp.analysis.flags. Wireshark flags TCP problems wherever they occur in the trace file, and this filter shows only those flagged packets, the problems Wireshark has already identified. Here, for example, we have some duplicate acknowledgments, a retransmission and a TCP previous segment not captured; all of those may indicate packet loss, window problems or whatever other TCP issues Wireshark has flagged. This is an excellent filter if we are just trying to quickly identify whether a problem is rooted in the network or in the application.


Filtering traffic using Not (exclude)

If we want to list the protocols or applications we are not interested in and remove them from the trace file, we first type the not symbol (!) and then parentheses containing the list. A common one I use is

!(arp || dns || icmp)

which removes ARP, DNS and ICMP from the view and leaves whatever is left. This is what we call pruning the trace file: cleaning out the extra things that are not helpful to what we are really digging into.


Filtering a conversation

When we just want to focus on one single TCP connection, we could do this manually in the filter bar by typing the source TCP port and the destination TCP port and setting that as a conversation, but that can get a little complicated. To do it quickly in Wireshark, I can select any packet in the TCP conversation I am interested in, right-click it and choose Follow TCP Stream. This first brings up a window with the content of the TCP stream; after that you get a screen with all the packet details in hex. Close that window and the packet list shows only that conversation.


Filtering using particular text in packet

Sometimes we want to set a filter not for a port or for an IP conversation but for a text word: maybe we are digging for a certain username, or we want to see whether a certain tab name in an application is sent in the packets. That is a simple filter. Clear the filter bar and this time use the contains operator (the match is case-sensitive):

tcp contains "facebook"

I can type in any clear-text word I want, and any packet in the entire trace file in which that word appears will be displayed. For example, tcp contains "facebook" shows me which devices out there are talking to Facebook. Once I set that filter and come down into the packet bytes (clear-text) view in Wireshark and scroll across, because it is a little hidden, I can see where the actual word appears: facebook.com. Remember that I set a filter for any TCP packet containing the word; just as easily I could replace it with

udp contains "facebook"

which would show me all of my DNS queries to Facebook, or any UDP packet that has that word in it. This is a very useful filter when we are looking for things like Facebook, a username or perhaps a torrent user: tcp or udp, then contains, then the string.


Filter using the HTTP Response code

We will take a look at a couple of very useful application filters built into Wireshark, specifically for HTTP. HTTP, as we know, is an application that uses requests and responses. If I type in

http.request

it displays all the HTTP requests in this trace file: I can see all the GETs, all the servers and clients involved, and any retransmissions, as we see here.

If I want to filter for a specific response code, I go up to the filter bar, back out request, and type response.code == followed by the code:

http.response.code == 200

for the OK responses, or a 400 or 500 response code if I suspect a server error, whatever the case may be. That filters only the HTTP responses with that code.

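The filters above, as an added example that is not part of the original page and is not Wireshark code: a small Python model of the display-filter semantics (ip.addr matching either direction, dns && http versus dns || http, tcp.port matching source or destination, the !( ) exclusion, and the case-sensitive contains operator) evaluated over constructed packet records, so you can see which frame numbers each filter keeps. The packets, ports, server address and payloads are invented for this example.

```python
# Added example (not from the original page, not Wireshark code): a tiny model of the
# display-filter semantics described above, evaluated over constructed packet records.
# "layers" holds the protocols Wireshark would dissect, "payload" the application bytes.
PACKETS = [  # constructed sample capture; the server address is RFC 5737 documentation space
    {"no": 1, "src": "10.10.10.10", "dst": "10.10.10.1", "layers": {"ip", "udp", "dns"},
     "sport": 50123, "dport": 53, "payload": b"\x00\x01facebook\x03com"},
    {"no": 2, "src": "10.10.10.1", "dst": "10.10.10.10", "layers": {"ip", "udp", "dns"},
     "sport": 53, "dport": 50123, "payload": b"\x00\x01facebook\x03com"},
    {"no": 3, "src": "10.10.10.10", "dst": "192.0.2.10", "layers": {"ip", "tcp", "http"},
     "sport": 40000, "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: facebook.com\r\n"},
    {"no": 4, "src": "192.0.2.10", "dst": "10.10.10.10", "layers": {"ip", "tcp", "http"},
     "sport": 80, "dport": 40000, "payload": b"HTTP/1.1 200 OK\r\n", "http_code": 200},
    {"no": 5, "src": "10.10.10.10", "dst": "10.10.10.1", "layers": {"ip", "icmp"}, "payload": b""},
    {"no": 6, "layers": {"arp"}, "payload": b""},  # ARP has no IP header, so ip.* never matches
]

def port_in(p, proto, port):
    """tcp.port / udp.port: no src/dst qualifier, so either side of the packet counts."""
    return proto in p["layers"] and port in (p.get("sport"), p.get("dport"))

def contains(p, proto, needle):
    """The contains operator is a case-sensitive byte-substring match on the named layer."""
    return proto in p["layers"] and needle in p["payload"]

# Each display filter from the page, mapped to the predicate Wireshark applies per packet.
FILTERS = {
    "ip.src == 10.10.10.10": lambda p: p.get("src") == "10.10.10.10",
    "ip.addr == 10.10.10.1": lambda p: "10.10.10.1" in (p.get("src"), p.get("dst")),
    "dns && http": lambda p: {"dns", "http"} <= p["layers"],  # both at once: never true
    "dns || http": lambda p: bool({"dns", "http"} & p["layers"]),
    "tcp.port == 80": lambda p: port_in(p, "tcp", 80),
    "udp.port == 53": lambda p: port_in(p, "udp", 53),
    "!(arp || dns || icmp)": lambda p: not ({"arp", "dns", "icmp"} & p["layers"]),
    'tcp contains "facebook"': lambda p: contains(p, "tcp", b"facebook"),
    'tcp contains "Facebook"': lambda p: contains(p, "tcp", b"Facebook"),  # wrong case: misses
    'udp contains "facebook"': lambda p: contains(p, "udp", b"facebook"),
    # simplified: a request line starts with a method; only GET appears in this sample
    "http.request": lambda p: "http" in p["layers"] and p["payload"].startswith(b"GET"),
    "http.response.code == 200": lambda p: p.get("http_code") == 200,
}

def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers the filter keeps, like the filtered packet list in Wireshark."""
    return [p["no"] for p in packets if FILTERS[expr](p)]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:28} -> {apply_filter(expr)}")
```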