How to Use Filters with Wireshark

 Articles, Guides  Add comments
Mar 192012
 

This is an article of mine, first published on Wazi

Some find the fine art of capturing and interpreting the packets that run through your network to be as arcane as reading The Matrix, but you don’t need to be the new Neo to be able to parse the network flux. A powerful ally can help you in this mission: Wireshark, a powerful software tool to analyze your network traffic.

Wireshark is several tools in one application. You can use it to analyze the structure of your wireless network in search of potential configuration errors. It can identify many types of encapsulation and isolate and display all the fields that make up a network packet. It also works as a packet sniffer, similar to tcpdump.

With all of those powerful capabilities, you might think Wireshark would be hard to learn. In some respects it is, but you can easily learn how to use some of the filters that come with the software and let you zero in on specific clients and kinds of traffic. In this article I’ll show you several ways to use Wireshark to focus your searches.



When I say “filters,” I’m referring to Berkeley Packet Filters (BPF). BPF is actually a micro-programming language (complete with mnemonics in assembly!) that is compiled and executed at runtime against packets intercepted by tools such as tcpdump and Wireshark. Filters are essential when you’re trying to isolate a very small subset of packets among the hundreds of thousands per second that pass over a 100Mbps network. Filters are compiled so that they run with the best possible performance, which is important when you’re doing a capture in real time.

Using filters in Wireshark is simple. You need to know only the field names of each individual protocol, such as http, icmp, and ftp. For example, if you want to display only ICMP packets, you can just write icmp in the Wireshark filter’s main window. If you want to highlight all the packets that are coming or going to a specific IP address, say 10.100.1.1, the filter would be ip.dst == 10.100.1.1 || ip.src == 10.100.1.1, which translated means display only those packets where the destination field (ip.dst) or (||) the source field (ip.src) of the IP protocol matches (==) 10.100.1.1.

wireshark_screenshot_001

Capture and Display Filters

Wireshark has two kind of filters. Capture filters, as the name says, are used to capture only some of the traffic, while display filters are applied to the captured traffic to show only some packets, according to the rules you use. In this article we’ll talk about both kinds.

Let’s start by installing Wireshark. The application is available as a binary package in all the main distributions, so you can use your favorite package manager: sudo apt-get install wireshark under Debian or Ubuntu,emerge wireshark under Gentoo, or yum install wireshark under Red Hat or CentOS.

Let’s start with a classic example that shows people why using the FTP protocol is a bad idea. Start Wireshark by typing at a terminal:

sudo wireshark

You can begin to capture traffic by going to the left panel of the Wireshark window and clicking on Capture/Interfaces. Choose the interface that goes “out” to the network (for example eth1) and click on Start, and Wireshark will start examining all the packets in transit on the network.

wireshark_screenshot_002

Now open a second terminal window and invoke a normal FTP session. Enter the login name and password, run some FTP commands, then close the session. Return to the main Wireshark window, and you should see that many packets have passed over the network since the moment you started capturing. Click Stop Capture (or press Ctrl+E); then you can examine the traffic you’ve got.

Figuring out something from what is probably a large amount of traffic is not simple, until you use a BPF filter. You want one that shows only packets that are part of an FTP connection, so in the Filter field type “ftp.” Immediately the traffic of your session should be highlighted, and in a stunning display of poor security, you’ll see clearly your username and password. It will look something like this:

356	101.676753	10.100.1.1	192.168.0.4	FTP	86	Response: 220 (vsFTPd 1.1.3)
360	104.546659	192.168.0.4	10.100.1.1	FTP	77	Request: USER wazi
362	104.594520	10.100.1.1	192.168.0.4	FTP	100	Response: 331 Please specify the password.
366	106.530150	192.168.0.4	10.100.1.1	FTP	77	Request: PASS mytest
371	108.922240	10.100.1.1	192.168.0.4	FTP	88	Response: 530 Login incorrect.

If this result doesn’t convince your colleagues to quit using FTP and turn to OpenSSH, there’s no hope for them.

Here ends the first part, but if the topic interests you, do not miss the second part “More fun with Wireshark filters

Popular Posts:

    None Found

Flattr this!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

CAPTCHA

*