Capture Filter Syntax

These filters use byte offsets hex values and masks with boolean operators, and it is not easy to understand/predict the filter's purpose at first glance. The base syntax is explained below:

• Scope: host, net, port and portrange.
• Direction: src, dst, src or dst, src and dst,
• Protocol: ether, wlan, ip, ip6, arp, rarp, tcp and udp.
• Sample filter to capture port 80 traffic: tcp port 80

Comparison Operators

You can create display filters by using different comparison operators to find the event of interest. The primary operators are shown in the table below.

English	C-Like	Description	Example
eq	==	Equal	ip.src == 10.10.10.100
ne	!=	Not equal	ip.src != 10.10.10.100
gt	>	Greater than	ip.ttl > 250
lt	<	Less Than	ip.ttl < 10
ge	>=	Greater than or equal to	ip.ttl >= 0xFA
le	<=	Less than or equal to	ip.ttl <= 0xA

Note: Wireshark supports decimal and hexadecimal values in filtering. You can use any format you want according to the search you will conduct.

Logical Expressions

Wireshark supports boolean syntax. You can create display filters by using logical operators as well.

English	C-Like	Description	Example
and	&&	Logical AND	(ip.src == 10.10.10.100) AND (ip.src == 10.10.10.111)
or	||	Logical OR	(ip.src == 10.10.10.100) OR (ip.src == 10.10.10.111)
not	!	Logical NOT	!(ip.src == 10.10.10.222) Note: Usage of !=value is deprecated; using it could provide inconsistent results. Using the !(value) style is suggested for more consistent results.

IP Filters

IP filters help analysts filter the traffic according to the IP level information from the packets (Network layer of the OSI model). This is one of the most commonly used filters in Wireshark. These filters filter network-level information like IP addresses, version, time to live, type of service, flags, and checksum values.

The common filters are shown in the given table.

Filter	Description
ip	Show all IP packets.
ip.addr == 10.10.10.111	Show all packets containing IP address 10.10.10.111.
ip.addr == 10.10.10.0/24	Show all packets containing IP addresses from 10.10.10.0/24 subnet.
ip.src == 10.10.10.111	Show all packets originated from 10.10.10.111
ip.dst == 10.10.10.111	Show all packets sent to 10.10.10.111
ip.addr vs ip.src/ip.dst	Note: The ip.addr filters the traffic without considering the packet direction. The ip.src/ip.dst filters the packet depending on the packet direction.

TCP and UDP Filters

TCP filters help analysts filter the traffic according to protocol-level information from the packets (Transport layer of the OSI model). These filters filter transport protocol level information like source and destination ports, sequence number, acknowledgement number, windows size, timestamps, flags, length and protocol errors.

Filter	Description	Filter	Expression
tcp.port == 80	Show all TCP packets with port 80	udp.port == 53	Show all UDP packets with port 53
tcp.srcport == 1234	Show all TCP packets originating from port 1234	udp.srcport == 1234	Show all UDP packets originating from port 1234
tcp.dstport == 80	Show all TCP packets sent to port 80	udp.dstport == 5353	Show all UDP packets sent to port 5353

Application Level Protocol Filters | HTTP and DNS

Application-level protocol filters help analysts filter the traffic according to application protocol level information from the packets (Application layer of the OSI model ). These filters filter application-specific information, like payload and linked data, depending on the protocol type.

Filter	Description	Filter	Description
http	Show all HTTP packets	dns	Show all DNS packets
http.response.code == 200	Show all packets with HTTP response code "200"	dns.flags.response == 0	Show all DNS requests
http.request.method == "GET"	Show all HTTP GET requests	dns.flags.response == 1	Show all DNS responses
http.request.method == "POST"	Show all HTTP POST requests	dns.qry.type == 1	Show all DNS "A" records

Filter: "contains"

Filter	contains
Type	Comparison Operator
Description	Search a value inside packets. It is case-sensitive and provides similar functionality to the "Find" option by focusing on a specific field.
Example	Find all "Apache" servers.
Workflow	List all HTTP packets where packets' "server" field contains the "Apache" keyword.
Usage	http.server contains "Apache"

Filter: "matches"

Filter	matches
Type	Comparison Operator
Description	Search a pattern of a regular expression. It is case insensitive, and complex queries have a margin of error.
Example	Find all .php and .html pages.
Workflow	List all HTTP packets where packets' "host" fields match keywords ".php" or ".html".
Usage	http.host matches ".(php|html)"

Filter: "in"

Filter	in
Type	Set Membership
Description	Search a value or field inside of a specific scope/range.
Example	Find all packets that use ports 80, 443 or 8080.
Workflow	List all TCP packets where packets' "port" fields have values 80, 443 or 8080.
Usage	tcp.port in {80 443 8080}

Filter: "upper"

Filter	upper
Type	Function
Description	Convert a string value to uppercase.
Example	Find all "APACHE" servers.
Workflow	Convert all HTTP packets' "server" fields to uppercase and list packets that contain the "APACHE" keyword.
Usage	upper(http.server) contains "APACHE"

Filter: "lower"

Filter	lower
Type	Function
Description	Convert a string value to lowercase.
Example	Find all "apache" servers.
Workflow	Convert all HTTP packets' "server" fields info to lowercase and list packets that contain the "apache" keyword.
Usage	lower(http.server) contains "apache"

Filter: "string"

Filter	string
Type	Function
Description	Convert a non-string value to a string.
Example	Find all frames with odd numbers.
Workflow	Convert all "frame number" fields to string values, and list frames end with odd values.
Usage	string(frame.number) matches "[13579]$"

Nmap Scans

Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering the services. As it is one of the most used network scanner tools, a security analyst should identify the network patterns created with it. This section will cover identifying the most common Nmap scan types.

• TCP connect scans
• SYN scans
• UDP scans

It is essential to know how Nmap scans work to spot scan activity on the network. However, it is impossible to understand the scan details without using the correct filters. Below are the base filters to probe Nmap scan behaviour on the network.

TCP flags in a nutshell.

Notes	Wireshark Filters
Global search.	• tcp • udp
• Only SYN flag. • SYN flag is set. The rest of the bits are not important.	• tcp.flags == 2 • tcp.flags.syn == 1
• Only ACK flag. • ACK flag is set. The rest of the bits are not important.	• tcp.flags == 16 • tcp.flags.ack == 1
• Only SYN, ACK flags. • SYN and ACK are set. The rest of the bits are not important.	• tcp.flags == 18 • (tcp.flags.syn == 1) and (tcp.flags.ack == 1)
• Only RST flag. • RST flag is set. The rest of the bits are not important.	• tcp.flags == 4 • tcp.flags.reset == 1
• Only RST, ACK flags. • RST and ACK are set. The rest of the bits are not important.	• tcp.flags == 20 • (tcp.flags.reset == 1) and (tcp.flags.ack == 1)
• Only FIN flag • FIN flag is set. The rest of the bits are not important.	• tcp.flags == 1 • tcp.flags.fin == 1

TCP Connect Scans

TCP Connect Scan in a nutshell:

• Relies on the three-way handshake (needs to finish the handshake process).
• Usually conducted with nmap -sT command.
• Used by non-privileged users (only option for a non-root user).
• Usually has a windows size larger than 1024 bytes as the request expects some data due to the nature of the protocol.

Open TCP Port	Open TCP Port	Closed TCP Port
• SYN –> • <– SYN, ACK • ACK –>	• SYN –> • <– SYN, ACK • ACK –> • RST, ACK –>	• SYN –> • <– RST, ACK

SYN Scans

TCP SYN Scan in a nutshell:

• Doesn't rely on the three-way handshake (no need to finish the handshake process).
• Usually conducted with nmap -sS command.
• Used by privileged users.
• Usually have a size less than or equal to 1024 bytes as the request is not finished and it doesn't expect to receive data.

Open TCP Port	Close TCP Port
• SYN –> • <– SYN,ACK • RST–>	• SYN –> • <– RST,ACK

UDP Scans

UDP Scan in a nutshell:

• Doesn't require a handshake process
• No prompt for open ports
• ICMP error message for close ports
• Usually conducted with nmap -sU command.

Open UDP Port	Closed UDP Port
• UDP packet –>	• UDP packet –> • ICMP Type 3, Code 3 message. (Destination unreachable, port unreachable)

ARP analysis in a nutshell:

• Works on the local network
• Enables the communication between MAC addresses
• Not a secure protocol
• Not a routable protocol
• It doesn't have an authentication function
• Common patterns are request & response, announcement and gratuitous packets.

Before investigating the traffic, let's review some legitimate and suspicious ARP packets. The legitimate requests are similar to the shown picture: a broadcast request that asks if any of the available hosts use an IP address and a reply from the host that uses the particular IP address.

Notes	Wireshark filter
Global search	• arp
"ARP" options for grabbing the low-hanging fruits: • Opcode 1: ARP requests. • Opcode 2: ARP responses. • Hunt: Arp scanning • Hunt: Possible ARP poisoning detection • Hunt: Possible ARP flooding from detection:	• arp.opcode == 1 • arp.opcode == 2 • arp.dst.hw_mac==00:00:00:00:00:00 • arp.duplicate-address-detected or arp.duplicate-address-frame • ((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)

FLAGS

Notes	Detection Notes	Findings
Possible IP address match.	1 IP address announced from a MAC address.	• MAC: 00:0c:29:e2:18:b4 • IP: 192.168.1.25
Possible ARP spoofing attempt.	2 MAC addresses claimed the same IP address (192.168.1.1).The " 192.168.1.1" IP address is a possible gateway address.	• MAC1: 50:78:b3:f3:cd:f4 • MAC 2: 00:0c:29:e2:18:b4
Possible ARP flooding attempt.	The MAC address that ends with "b4" claims to have a different/new IP address.	• MAC: 00:0c:29:e2:18:b4 • IP: 192.168.1.1

Detection Notes	Findings
IP to MAC matches.	3  IP to MAC address matches.
Attacker	The attacker created noise with ARP packets.
Router/gateway	Gateway address.
Victim	The attacker sniffed all traffic of the victim.

DHCP Analysis

DHCP protocol, or Dynamic Host Configuration Protocol (DHCP), is the technology responsible for managing automatic IP address and required communication parameters assignment.

DHCP investigation in a nutshell:

Notes	Wireshark Filter
Global search.	• dhcp or bootp
Filtering the proper DHCP packet options is vital to finding an event of interest.  • "DHCP Request" packets contain the hostname information • "DHCP ACK" packets represent the accepted requests • "DHCP NAK" packets represent denied requests Due to the nature of the protocol, only "Option 53" ( request type) has predefined static values. You should filter the packet type first, and then you can filter the rest of the options by "applying as column" or use the advanced filters like "contains" and "matches".	• Request: dhcp.option.dhcp == 3 • ACK: dhcp.option.dhcp == 5 • NAK: dhcp.option.dhcp == 6
"DHCP Request" options for grabbing the low-hanging fruits: • Option 12: Hostname. • Option 50: Requested IP address. • Option 51: Requested IP lease time. • Option 61: Client's MAC address.	• dhcp.option.hostname contains "keyword"
"DHCP ACK" options for grabbing the low-hanging fruits: • Option 15: Domain name. • Option 51: Assigned IP lease time.	• dhcp.option.domain_name contains "keyword"
"DHCP NAK" options for grabbing the low-hanging fruits: • Option 56: Message (rejection details/reason).	As the message could be unique according to the case/situation, It is suggested to read the message instead of filtering it. Thus, the analyst could create a more reliable hypothesis/result by understanding the event circumstances.

NetBIOS (NBNS) Analysis

NetBIOS or Network Basic Input/Output System is the technology responsible for allowing applications on different hosts to communicate with each other.

NBNS investigation in a nutshell:

Notes	Wireshark Filter
Global search.	• nbns
"NBNS" options for grabbing the low-hanging fruits: • Queries: Query details. • Query details could contain "name, Time to live (TTL) and IP address details"	• nbns.name contains "keyword"

Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating service requests between two or more computers over the untrusted network. The ultimate aim is to prove identity securely.

Kerberos investigation in a nutshell:

Notes	Wireshark Filter
Global search.	• kerberos
User account search: • CNameString: The username. Note: Some packets could provide hostname information in this field. To avoid this confusion, filter the "$" value. The values end with "$" are hostnames, and the ones without it are user names.	• kerberos.CNameString contains "keyword"  • kerberos.CNameString and !(kerberos.CNameString contains "$" )
"Kerberos" options for grabbing the low-hanging fruits: • pvno: Protocol version. • realm: Domain name for the generated ticket. • sname: Service and domain name for the generated ticket. • addresses: Client IP address and NetBIOS name. Note: the "addresses" information is only available in request packets.	• kerberos.pvno == 5 • kerberos.realm contains ".org"  • kerberos.SNameString == "krbtg"

ICMP Analysis

Internet Control Message Protocol (ICMP) is designed for diagnosing and reporting network communication issues. It is highly used in error reporting and testing. As it is a trusted network layer protocol, sometimes it is used for denial of service (DoS) attacks; also, adversaries use it in data exfiltration and C2 tunnelling activities.

ICMP analysis in a nutshell:

Usually, ICMP tunnelling attacks are anomalies appearing/starting after a malware execution or vulnerability exploitation. As the ICMP packets can transfer an additional data payload, adversaries use this section to exfiltrate data and establish a C2 connection. It could be a TCP, HTTP or SSH data. As the ICMP protocols provide a great opportunity to carry extra data, it also has disadvantages. Most enterprise networks block custom packets or require administrator privileges to create custom ICMP packets.

A large volume of ICMP traffic or anomalous packet sizes are indicators of ICMP tunnelling. Still, the adversaries could create custom packets that match the regular ICMP packet size (64 bytes), so it is still cumbersome to detect these tunnelling activities. However, a security analyst should know the normal and the abnormal to spot the possible anomaly and escalate it for further analysis.

Notes	Wireshark filters
Global search	• icmp
"ICMP" options for grabbing the low-hanging fruits: • Packet length. • ICMP destination addresses. • Encapsulated protocol signs in ICMP payload.	• data.len > 64 and icmp

DNS Analysis

Domain Name System (DNS) is designed to translate/convert IP domain addresses to IP addresses. It is also known as a phonebook of the internet. As it is the essential part of web services, it is commonly used and trusted, and therefore often ignored. Due to that, adversaries use it in data exfiltration and C2 activities.

DNS analysis in a nutshell:

Similar to ICMP tunnels, DNS attacks are anomalies appearing/starting after a malware execution or vulnerability exploitation. Adversary creates (or already has) a domain address and configures it as a C2 channel. The malware or the commands executed after exploitation sends DNS queries to the C2 server. However, these queries are longer than default DNS queries and crafted for subdomain addresses. Unfortunately, these subdomain addresses are not actual addresses; they are encoded commands as shown below:

"encoded-commands.maliciousdomain.com"

When this query is routed to the C2 server, the server sends the actual malicious commands to the host. As the DNS queries are a natural part of the networking activity, these packets have the chance of not being detected by network perimeters. A security analyst should know how to investigate the DNS packet lengths and target addresses to spot these anomalies.

Notes	Wireshark Filter
Global search	• dns
"DNS" options for grabbing the low-hanging fruits: • Query length. • Anomalous and non-regular names in DNS addresses. • Long DNS addresses with encoded subdomain addresses. • Known patterns like dnscat and dns2tcp. • Statistical analysis like the anomalous volume of DNS requests for a particular target. !mdns: Disable local link device queries.	• dns contains "dnscat" • dns.qry.name.len > 15 and !mdns

FTP Analysis

File Transfer Protocol (FTP) is designed to transfer files with ease, so it focuses on simplicity rather than security. As a result of this, using this protocol in unsecured environments could create security issues like:

• MITM attacks
• Credential stealing and unauthorised access
• Phishing
• Malware planting
• Data exfiltration

FTP analysis in a nutshell:

Notes	Wireshark Filter
Global search	• ftp
"FTP" options for grabbing the low-hanging fruits: • x1x series: Information request responses. • x2x series: Connection messages. • x3x series: Authentication messages. Note: "200" means command successful.	—
"x1x" series options for grabbing the low-hanging fruits: • 211: System status. • 212: Directory status. • 213: File status	• ftp.response.code == 211
"x2x" series options for grabbing the low-hanging fruits: • 220: Service ready. • 227: Entering passive mode. • 228: Long passive mode. • 229: Extended passive mode.	• ftp.response.code == 227
"x3x" series options for grabbing the low-hanging fruits: • 230: User login. • 231: User logout. • 331: Valid username. • 430: Invalid username or password • 530: No login, invalid password.	• ftp.response.code == 230
"FTP" commands for grabbing the low-hanging fruits: • USER: Username. • PASS: Password. • CWD: Current work directory. • LIST: List.	• ftp.request.command == "USER" • ftp.request.command == "PASS" • ftp.request.arg == "password"
Advanced usages examples for grabbing low-hanging fruits: • Bruteforce signal: List failed login attempts. • Bruteforce signal: List target username. • Password spray signal: List targets for a static password.	• ftp.response.code == 530 • (ftp.response.code == 530) and (ftp.response.arg contains "username") • (ftp.request.command == "PASS" ) and (ftp.request.arg == "password")

HTTP Analysis

Hypertext Transfer Protocol (HTTP) is a cleartext-based, request-response and client-server protocol. It is the standard type of network activity to request/serve web pages, and by default, it is not blocked by any network perimeter. As a result of being unencrypted and the backbone of web traffic, HTTP is one of the must-to-know protocols in traffic analysis. Following attacks could be detected with the help of HTTP analysis:

• Phishing pages
• Web attacks
• Data exfiltration
• Command and control traffic (C2)

HTTP analysis in a nutshell:

Notes	Wireshark Filter
Global search Note: HTTP2 is a revision of the HTTP protocol for better performance and security. It supports binary data transfer and request&response multiplexing.	• http • http2
"HTTP Request Methods" for grabbing the low-hanging fruits: • GET • POST • Request: Listing all requests	• http.request.method == "GET" • http.request.method == "POST" • http.request
"HTTP Response Status Codes" for grabbing the low-hanging fruits: • 200 OK: Request successful. • 301 Moved Permanently: Resource is moved to a new URL/path (permanently). • 302 Moved Temporarily: Resource is moved to a new URL/path (temporarily). • 400 Bad Request: Server didn't understand the request. • 401 Unauthorised: URL needs authorisation (login, etc.). • 403 Forbidden: No access to the requested URL.  • 404 Not Found: Server can't find the requested URL. • 405 Method Not Allowed: Used method is not suitable or blocked. • 408 Request Timeout:  Request look longer than server wait time. • 500 Internal Server Error: Request not completed, unexpected error. • 503 Service Unavailable: Request not completed server or service is down.	• http.response.code == 200 • http.response.code == 401 • http.response.code == 403 • http.response.code == 404 • http.response.code == 405 • http.response.code == 503
"HTTP Parameters" for grabbing the low-hanging fruits: • User agent: Browser and operating system identification to a web server application. • Request URI: Points the requested resource from the server. • Full *URI: Complete URI information. *URI: Uniform Resource Identifier.	• http.user_agent contains "nmap" • http.request.uri contains "admin" • http.request.full_uri contains "admin"
"HTTP Parameters" for grabbing the low-hanging fruits: • Server: Server service name. • Host: Hostname of the server • Connection: Connection status. • Line-based text data: Cleartext data provided by the server. • HTML Form URL Encoded: Web form information.	• http.server contains "apache" • http.host contains "keyword" • http.host == "keyword" • http.connection == "Keep-Alive" • data-text-lines contains "keyword"

User Agent Analysis

As the adversaries use sophisticated technics to accomplish attacks, they try to leave traces similar to natural traffic through the known and trusted protocols. For a security analyst, it is important to spot the anomaly signs on the bits and pieces of the packets. The "user-agent" field is one of the great resources for spotting anomalies in HTTP traffic. In some cases, adversaries successfully modify the user-agent data, which could look super natural. A security analyst cannot rely only on the user-agent field to spot an anomaly. Never whitelist a user agent, even if it looks natural. User agent-based anomaly/threat detection/hunting is an additional data source to check and is useful when there is an obvious anomaly. If you are unsure about a value, you can conduct a web search to validate your findings with the default and normal user-agent info (example site).

User Agent analysis in a nutshell:

Notes	Wireshark Filter
Global search.	• http.user_agent
Research outcomes for grabbing the low-hanging fruits: • Different user agent information from the same host in a short time notice. • Non-standard and custom user agent info. • Subtle spelling differences. ("Mozilla" is not the same as  "Mozlilla" or "Mozlila") • Audit tools info like Nmap, Nikto, Wfuzz and sqlmap in the user agent field. • Payload data in the user agent field.	• (http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")

Decrypting HTTPS Traffic

When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the transferred data without having the encryption/decryption key pairs. As this protocol provides a good level of security for transmitting sensitive data, attackers and malicious websites also use HTTPS. Therefore, a security analyst should know how to use key files to decrypt encrypted traffic and investigate the traffic activity.

The packets will appear in different colours as the HTTP traffic is encrypted. Also, protocol and info details (actual URL address and data returned from the server) will not be fully visible. The first image below shows the HTTP packets encrypted with the TLS protocol. The second and third images demonstrate filtering HTTP packets without using a key log file.

Additional information for HTTPS :

Notes	Wireshark Filter
"HTTPS Parameters" for grabbing the low-hanging fruits: • Request: Listing all requests • TLS: Global TLS search • TLS Client Request • TLS Server response • Local Simple Service Discovery Protocol (SSDP) Note: SSDP is a network protocol that provides advertisement and discovery of network services.	• http.request • tls • tls.handshake.type == 1 • tls.handshake.type == 2 • ssdp

Wireshark is a good tool for starting a network security investigation. However, it is not enough to stop the threats. A security analyst should have IDS/IPS knowledge and extended tool skills to detect and prevent anomalies and threats. As the attacks are getting more sophisticated consistently, the use of multiple tools and detection strategies becomes a requirement. The following rooms will help you step forward in network traffic analysis and anomaly/threat detection.

• NetworkMiner
• Snort
• Snort Challenge – The Basics
• Snort Challenge – Live Attacks
• Zeek
• Zeek Exercises
• Brim