Mar 222012

This is an article of mine, first published on Wazi
You can read the first part here

In this article we’ll see how apply BPF filters to wireshark to show the details of an HTTP session, an e-mail session and how to monitor who is visiting a certain site from our local network.
Finally I will make a summary of the most useful filters to use with Wireshark.

Here’s another classic example – an HTTP session. As before, start Wireshark and start capturing the traffic from the interface that goes out. Today, most HTTP traffic is compressed to speed up the exchange of information, so by default Wireshark decompresses the body part of HTTP packets. You can click on Edit -> Preferences -> Protocols -> HTTP and verify that “Uncompress entity bodies” is checked.

During the capture, set a filter to show only HTTP traffic by entering http. Each web page that any users on your network visits will generate this kind of traffic for you to catch – which may be a lot of information. Perhaps you are interested in following a particular kind of information, or a particular user. To do that, choose an http request in the main windows where you see all the packets, right-click on it, and choose the option “Follow TCP Stream.” Wireshark will open a new window containing the reconstruction of that entire HTTP session in chronological order.

You can also isolate only requests toward a specific site – Facebook, for example – to see which IP addresses are requesting it, by placing the filter http.request.uri contains facebook in the Filter field.

Now suppose you want to see all the traffic coming in and out of one specific computers. You could filter for mac-address to be sure to pinpoint the right client. To get the mac-address of the target on the other end of the connection, first issue a ping command to the hostname or URL of the target computer to learn its IP address. Then run the arp command:

arp -a

In the list returned by the arp command, search for the IP address you found with the ping command. Once you have the MAC address – say, “AA:BB:CC:DD:EE:FF” – type in the filter box:

eth.addr == AA:BB:CC:DD:EE:FF

Alternatively, you could filter by IP address, but on a network that uses DHCP to assign IP addresses, the target’s IP address could change at any time:

ip.addr ==

Click apply, and you will see only the traffic that is coming from, or going to, that IP or MAC address. With the option “ip” selected, all Internet Protocol traffic is shown, which is fine in the 99% of cases.

Instead of the ip.addr filter you can use the capture filter “Host” in this way:


By entering this setting as a capturing filter, Wireshark captures all traffic to and from, regardless of the type.

Now suppose you want to capture all traffic using specific protocols generated by a host, such as pop3, ftp, http, or messenger. In the filter box, enter:

ip.addr == and (http or ftp or messenger or pop)

This says show all the traffic generated or directed to the IP address and display only http or ftp or pop or messenger packets.

You can capture all such traffic that runs over your network with a specific address or from multiple clients:

ip.addr == 192.168.0 and (http or ftp or messenger or pop)

The Most Common Filters for Wireshark

On top of all of the filters we’ve look at so far, here are a few more useful ones. For a complete list of possible filters, refer to the official Wireshark Capture and Display filters page.

  • ip.addr== — Show all traffic from and to
  • tcp.port==80 — Show all the traffic with 80 as a source or destination port
  • ip.src== and ip.dst== — Show all the traffic that starts from and has as target
  • ftp — Show only the traffic for the ftp protocol
  • http — Show only the traffic for the http protocol
  • dns — Show only the traffic for the dns protocol
  • http.request.uri contains string — Show all http traffic where the url contains the word “string.”

BPF filter technology makes Wireshark powerful and versatile, but this is just a hint of all this tool can do. It would take a whole other article or two to cover things like how Wireshark can check for potential DDOS attacks on your network, or analyze the quality of the SIP protocol for your VOIP solution.

Popular Posts:

Flattr this!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>