In this article we’ll see how apply BPF filters to wireshark to show the details of an HTTP session, an e-mail session and how to monitor who is visiting a certain site from our local network.
Finally I will make a summary of the most useful filters to use with Wireshark.
Here’s another classic example – an HTTP session. As before, start Wireshark and start capturing the traffic from the interface that goes out. Today, most HTTP traffic is compressed to speed up the exchange of information, so by default Wireshark decompresses the body part of HTTP packets. You can click on Edit -> Preferences -> Protocols -> HTTP and verify that “Uncompress entity bodies” is checked.
During the capture, set a filter to show only HTTP traffic by entering
http. Each web page that any users on your network visits will generate this kind of traffic for you to catch – which may be a lot of information. Perhaps you are interested in following a particular kind of information, or a particular user. To do that, choose an http request in the main windows where you see all the packets, right-click on it, and choose the option “Follow TCP Stream.” Wireshark will open a new window containing the reconstruction of that entire HTTP session in chronological order.
You can also isolate only requests toward a specific site – Facebook, for example – to see which IP addresses are requesting it, by placing the filter
http.request.uri contains facebook in the Filter field.
Now suppose you want to see all the traffic coming in and out of one specific computers. You could filter for mac-address to be sure to pinpoint the right client. To get the mac-address of the target on the other end of the connection, first issue a
ping command to the hostname or URL of the target computer to learn its IP address. Then run the
ping target.com arp -a
In the list returned by the
arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, “AA:BB:CC:DD:EE:FF” – type in the filter box:
eth.addr == AA:BB:CC:DD:EE:FF
Alternatively, you could filter by IP address, but on a network that uses DHCP to assign IP addresses, the target’s IP address could change at any time:
ip.addr == 192.168.0.1
Click apply, and you will see only the traffic that is coming from, or going to, that IP or MAC address. With the option “ip” selected, all Internet Protocol traffic is shown, which is fine in the 99% of cases.
Instead of the ip.addr filter you can use the capture filter “Host” in this way:
By entering this setting as a capturing filter, Wireshark captures all traffic to and from 192.168.0.1, regardless of the type.
Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:
ip.addr == 192.168.0.1 and (http or ftp or messenger or pop)
This says show all the traffic generated or directed to the IP address 192.168.0.1 and display only http or ftp or pop or messenger packets.
You can capture all such traffic that runs over your network with a specific address or from multiple clients:
ip.addr == 192.168.0 and (http or ftp or messenger or pop)
The Most Common Filters for Wireshark
- ip.addr==192.168.0.1 — Show all traffic from and to 192.168.0.1
- tcp.port==80 — Show all the traffic with 80 as a source or destination port
- ip.src==192.168.0.1 and ip.dst==10.100.1.1 — Show all the traffic that starts from 192.168.0.1 and has as target 10.100.1.1
- ftp — Show only the traffic for the ftp protocol
- http — Show only the traffic for the http protocol
- dns — Show only the traffic for the dns protocol
- http.request.uri contains string — Show all http traffic where the url contains the word “string.”
BPF filter technology makes Wireshark powerful and versatile, but this is just a hint of all this tool can do. It would take a whole other article or two to cover things like how Wireshark can check for potential DDOS attacks on your network, or analyze the quality of the SIP protocol for your VOIP solution.