Wireshark (Defensive)

Capture Filter Syntax

Capture filters work on byte offsets, hex values and masks combined with boolean operators, so a filter's purpose is not easy to read or predict at first glance. The base syntax is explained below:

  • Scope: host, net, port and portrange.
  • Direction: src, dst, src or dst, src and dst.
  • Protocol: ether, wlan, ip, ip6, arp, rarp, tcp and udp.
  • Sample filter to capture port 80 traffic: tcp port 80

Comparison Operators

You can create display filters by using different comparison operators to find the event of interest. The primary operators are shown in the table below.

English   C-like   Description                 Example
eq        ==       Equal                       ip.src == 10.10.10.100
ne        !=       Not equal                   ip.src != 10.10.10.100
gt        >        Greater than                ip.ttl > 250
lt        <        Less than                   ip.ttl < 10
ge        >=       Greater than or equal to    ip.ttl >= 0xFA
le        <=       Less than or equal to       ip.ttl <= 0xA

Note: Wireshark supports decimal and hexadecimal values in filtering. You can use any format you want according to the search you will conduct.

Logical Expressions

Wireshark supports boolean syntax. You can create display filters by using logical operators as well.

English   C-like   Description    Example
and       &&       Logical AND    (ip.src == 10.10.10.100) AND (ip.src == 10.10.10.111)
or        ||       Logical OR     (ip.src == 10.10.10.100) OR (ip.src == 10.10.10.111)
not       !        Logical NOT    !(ip.src == 10.10.10.222)

Note: Usage of "!= value" is deprecated; using it could provide inconsistent results. Using the "!(value)" style is suggested for more consistent results.

IP Filters

IP filters help analysts filter the traffic according to the IP level information from the packets (Network layer of the OSI model). This is one of the most commonly used filters in Wireshark. These filters filter network-level information like IP addresses, version, time to live, type of service, flags, and checksum values.

The common filters are shown in the given table.

Filter                        Description
ip                            Show all IP packets.
ip.addr == 10.10.10.111       Show all packets containing IP address 10.10.10.111.
ip.addr == 10.10.10.0/24      Show all packets containing IP addresses from the 10.10.10.0/24 subnet.
ip.src == 10.10.10.111        Show all packets originating from 10.10.10.111.
ip.dst == 10.10.10.111        Show all packets sent to 10.10.10.111.

Note (ip.addr vs ip.src/ip.dst): ip.addr filters the traffic without considering the packet direction. ip.src/ip.dst filter the packets depending on the packet direction.

TCP and UDP Filters

TCP filters help analysts filter the traffic according to protocol-level information from the packets (Transport layer of the OSI model). These filters filter transport protocol level information like source and destination ports, sequence number, acknowledgement number, windows size, timestamps, flags, length and protocol errors.

Filter                    Description
tcp.port == 80            Show all TCP packets with port 80
tcp.srcport == 1234       Show all TCP packets originating from port 1234
tcp.dstport == 80         Show all TCP packets sent to port 80
udp.port == 53            Show all UDP packets with port 53
udp.srcport == 1234       Show all UDP packets originating from port 1234
udp.dstport == 5353       Show all UDP packets sent to port 5353

Application Level Protocol Filters | HTTP and DNS

Application-level protocol filters help analysts filter the traffic according to application protocol level information from the packets (Application layer of the OSI model ). These filters filter application-specific information, like payload and linked data, depending on the protocol type.

Filter                              Description
http                                Show all HTTP packets
http.response.code == 200           Show all packets with HTTP response code "200"
http.request.method == "GET"        Show all HTTP GET requests
http.request.method == "POST"       Show all HTTP POST requests
dns                                 Show all DNS packets
dns.flags.response == 0             Show all DNS requests
dns.flags.response == 1             Show all DNS responses
dns.qry.type == 1                   Show all DNS "A" records

Filter: "contains"

Filter: contains
Type: Comparison operator
Description: Search a value inside packets. It is case-sensitive and provides similar functionality to the "Find" option by focusing on a specific field.
Example: Find all "Apache" servers.
Workflow: List all HTTP packets where the packets' "server" field contains the "Apache" keyword.
Usage: http.server contains "Apache"

Filter: "matches"

Filter: matches
Type: Comparison operator
Description: Search for a regular expression pattern. It is case-insensitive, and complex queries have a margin of error.
Example: Find all .php and .html pages.
Workflow: List all HTTP packets where the packets' "host" field matches the keywords ".php" or ".html".
Usage: http.host matches ".(php|html)"

Filter: "in"

Filter: in
Type: Set membership
Description: Search a value or field inside a specific scope/range.
Example: Find all packets that use ports 80, 443 or 8080.
Workflow: List all TCP packets where the packets' "port" field has the value 80, 443 or 8080.
Usage: tcp.port in {80 443 8080}

Filter: "upper"

Filter: upper
Type: Function
Description: Convert a string value to uppercase.
Example: Find all "APACHE" servers.
Workflow: Convert all HTTP packets' "server" fields to uppercase and list the packets that contain the "APACHE" keyword.
Usage: upper(http.server) contains "APACHE"

Filter: "lower"

Filter: lower
Type: Function
Description: Convert a string value to lowercase.
Example: Find all "apache" servers.
Workflow: Convert all HTTP packets' "server" fields to lowercase and list the packets that contain the "apache" keyword.
Usage: lower(http.server) contains "apache"

Filter: "string"

Filter: string
Type: Function
Description: Convert a non-string value to a string.
Example: Find all frames with odd numbers.
Workflow: Convert all "frame number" fields to string values, and list the frames whose number ends with an odd digit.
Usage: string(frame.number) matches "[13579]$"

Nmap Scans

Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering services. As it is one of the most used network scanners, a security analyst should be able to identify the network patterns it creates. This section covers identifying the most common Nmap scan types.

  • TCP connect scans
  • SYN scans
  • UDP scans

It is essential to know how Nmap scans work to spot scan activity on the network. However, it is impossible to understand the scan details without using the correct filters. Below are the base filters to probe Nmap scan behaviour on the network.

TCP flags in a nutshell.

Global search: tcp, udp

Flags            Only this flag set     Flag set (the rest of the bits are not important)
SYN              tcp.flags == 2         tcp.flags.syn == 1
ACK              tcp.flags == 16        tcp.flags.ack == 1
SYN, ACK         tcp.flags == 18        (tcp.flags.syn == 1) and (tcp.flags.ack == 1)
RST              tcp.flags == 4         tcp.flags.reset == 1
RST, ACK         tcp.flags == 20        (tcp.flags.reset == 1) and (tcp.flags.ack == 1)
FIN              tcp.flags == 1         tcp.flags.fin == 1

TCP Connect Scans

TCP Connect Scan in a nutshell:

  • Relies on the three-way handshake (needs to finish the handshake process).
  • Usually conducted with the nmap -sT command.
  • Used by non-privileged users (the only option for a non-root user).
  • Usually has a window size larger than 1024 bytes, as the request expects some data due to the nature of the protocol.

Open TCP port (handshake only):
  • SYN –>
  • <– SYN, ACK
  • ACK –>
Open TCP port (handshake, then reset):
  • SYN –>
  • <– SYN, ACK
  • ACK –>
  • RST, ACK –>
Closed TCP port:
  • SYN –>
  • <– RST, ACK

SYN Scans

TCP SYN Scan in a nutshell:

  • Doesn't rely on the three-way handshake (no need to finish the handshake process).
  • Usually conducted with the nmap -sS command.
  • Used by privileged users.
  • Usually has a window size less than or equal to 1024 bytes, as the request is not finished and it doesn't expect to receive data.

Open TCP port:
  • SYN –>
  • <– SYN, ACK
  • RST –>
Closed TCP port:
  • SYN –>
  • <– RST, ACK
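
The flag patterns above, turned into detection logic. This is an added example, not code from the original page: it encodes the flags the way Wireshark's tcp.flags field does, groups constructed sample packets into exchanges, and labels each exchange as a TCP connect scan, a SYN scan or a closed-port probe. The addresses and ports are placeholders; the window-size heuristic is left out.

```python
from collections import defaultdict

# Bit values of the TCP flags exactly as Wireshark's tcp.flags field encodes them.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def flags_exact(flags, value):
    """tcp.flags == value: exactly these bits are set and nothing else."""
    return flags == value

def flag_set(flags, bit):
    """tcp.flags.<name> == 1: the bit is set, the other bits do not matter."""
    return flags & bit == bit

def classify(exchange):
    """Match one client/server exchange against the patterns listed above.

    exchange is a list of (direction, flags) with direction "c2s" (client
    to server) or "s2c" (server to client), in capture order.
    """
    if len(exchange) >= 2 and exchange[0] == ("c2s", SYN):
        if exchange[1] == ("s2c", RST | ACK):
            return "closed port"
        if exchange[1] == ("s2c", SYN | ACK) and len(exchange) >= 3:
            if exchange[2] == ("c2s", RST):
                return "open port (SYN scan)"
            if exchange[2] == ("c2s", ACK):
                if len(exchange) >= 4 and exchange[3] == ("c2s", RST | ACK):
                    return "open port (TCP connect scan)"
                return "open port (handshake completed)"
    return "unclassified"

def group_exchanges(packets):
    """Group packets by (client_ip, client_port, server_ip, server_port).

    packets: (src_ip, src_port, dst_ip, dst_port, flags). The side that
    sends the bare SYN is the client; every later packet is matched to it.
    """
    exchanges = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if flags_exact(flags, SYN) or (src, sport, dst, dport) in exchanges:
            exchanges[(src, sport, dst, dport)].append(("c2s", flags))
        else:
            exchanges[(dst, dport, src, sport)].append(("s2c", flags))
    return dict(exchanges)

def scan_summary(packets):
    """Count exchanges per classification: the first view an analyst wants."""
    counts = defaultdict(int)
    for exchange in group_exchanges(packets).values():
        counts[classify(exchange)] += 1
    return dict(counts)

# Constructed sample: one scanner (placeholder addresses) probing three ports.
SCANNER, TARGET = "10.10.10.100", "10.10.10.111"
SAMPLE_PACKETS = [
    (SCANNER, 40001, TARGET, 22, SYN),            # connect scan, open port
    (TARGET, 22, SCANNER, 40001, SYN | ACK),
    (SCANNER, 40001, TARGET, 22, ACK),
    (SCANNER, 40001, TARGET, 22, RST | ACK),
    (SCANNER, 40002, TARGET, 80, SYN),            # SYN scan, open port
    (TARGET, 80, SCANNER, 40002, SYN | ACK),
    (SCANNER, 40002, TARGET, 80, RST),
    (SCANNER, 40003, TARGET, 23, SYN),            # closed port
    (TARGET, 23, SCANNER, 40003, RST | ACK),
]

if __name__ == "__main__":
    for key, exchange in group_exchanges(SAMPLE_PACKETS).items():
        print(key, "->", classify(exchange))
    print(scan_summary(SAMPLE_PACKETS))
```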

UDP Scans

UDP Scan in a nutshell:

  • Doesn't require a handshake process.
  • No response from open ports.
  • ICMP error message from closed ports.
  • Usually conducted with the nmap -sU command.

Open UDP port:
  • UDP packet –>
Closed UDP port:
  • UDP packet –>
  • <– ICMP Type 3, Code 3 message (Destination unreachable, port unreachable)

ARP Analysis

ARP analysis in a nutshell:

  • Works on the local network
  • Enables the communication between MAC addresses
  • Not a secure protocol
  • Not a routable protocol
  • It doesn't have an authentication function
  • Common patterns are request & response, announcement and gratuitous packets.

Before investigating the traffic, let's review some legitimate and suspicious ARP packets. A legitimate exchange consists of a broadcast request asking which of the available hosts uses an IP address, and a reply from the host that uses that particular IP address.

Notes and Wireshark filters:

  • Global search: arp
  • Opcode 1, ARP requests: arp.opcode == 1
  • Opcode 2, ARP responses: arp.opcode == 2
  • Hunt, ARP scanning: arp.dst.hw_mac == 00:00:00:00:00:00
  • Hunt, possible ARP poisoning detection: arp.duplicate-address-detected or arp.duplicate-address-frame
  • Hunt, possible ARP flooding from a given host (replace target-mac-address with the MAC under investigation): ((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)

FLAGS

Notes                            Detection notes                                                          Findings
Possible IP address match.       1 IP address announced from a MAC address.                              MAC: 00:0c:29:e2:18:b4, IP: 192.168.1.25
Possible ARP spoofing attempt.   2 MAC addresses claimed the same IP address (192.168.1.1).               MAC 1: 50:78:b3:f3:cd:f4, MAC 2: 00:0c:29:e2:18:b4
                                 The 192.168.1.1 IP address is a possible gateway address.
Possible ARP flooding attempt.   The MAC address that ends with "b4" claims a different/new IP address.   MAC: 00:0c:29:e2:18:b4, IP: 192.168.1.1

Detection notes        Findings
IP to MAC matches.     3 IP to MAC address matches.
Attacker               The attacker created noise with ARP packets.
Router/gateway         Gateway address.
Victim                 The attacker sniffed all traffic of the victim.
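
The three ARP hunts above (scanning, poisoning and flooding) as detection logic over a list of ARP records. This is an added example, not code from the original page; the MAC and IP values reuse the findings table, but the record sequence and the extra victim MAC are constructed.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample records: (opcode, sender_mac, sender_ip, target_mac, target_ip).
SAMPLE_ARP = [
    # normal request/reply pair: the "b4" host asks for the gateway, the gateway answers
    (ARP_REQUEST, "00:0c:29:e2:18:b4", "192.168.1.25", ZERO_MAC, "192.168.1.1"),
    (ARP_REPLY, "50:78:b3:f3:cd:f4", "192.168.1.1", "00:0c:29:e2:18:b4", "192.168.1.25"),
    # scan: the same sender asks for many IPs with an all-zero target MAC
    *[(ARP_REQUEST, "00:0c:29:e2:18:b4", "192.168.1.25", ZERO_MAC, f"192.168.1.{i}")
      for i in range(2, 12)],
    # poisoning: the "b4" host now claims the gateway address towards a victim (placeholder MAC)
    (ARP_REPLY, "00:0c:29:e2:18:b4", "192.168.1.1", "00:0c:29:aa:bb:cc", "192.168.1.30"),
]

def ip_to_macs(records):
    """Map each announced sender IP to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for _, smac, sip, _, _ in records:
        claims[sip].add(smac)
    return claims

def find_scanning(records, min_targets=5):
    """ARP scan hunt: one sender MAC, all-zero target MAC, many distinct target IPs.

    Same idea as arp.dst.hw_mac == 00:00:00:00:00:00, then counting per sender.
    """
    targets = defaultdict(set)
    for op, smac, _, tmac, tip in records:
        if op == ARP_REQUEST and tmac == ZERO_MAC:
            targets[smac].add(tip)
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= min_targets}

def find_spoofing(records):
    """Possible ARP poisoning: an IP claimed by more than one MAC (duplicate address)."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs(records).items() if len(macs) > 1}

def find_flooding(records, min_ips=2):
    """Possible ARP flooding: one MAC announcing several IPs (the "new IP" pattern above)."""
    ips = defaultdict(set)
    for _, smac, sip, _, _ in records:
        ips[smac].add(sip)
    return {mac: sorted(addrs) for mac, addrs in ips.items() if len(addrs) >= min_ips}

if __name__ == "__main__":
    print("scanning:", find_scanning(SAMPLE_ARP))
    print("spoofing:", find_spoofing(SAMPLE_ARP))
    print("flooding:", find_flooding(SAMPLE_ARP))
```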

DHCP Analysis

Dynamic Host Configuration Protocol (DHCP) is the technology responsible for automatically assigning IP addresses and the other communication parameters a host requires.

DHCP investigation in a nutshell:

Notes and Wireshark filters:

  • Global search: dhcp or bootp
  • Filtering the proper DHCP packet options is vital to finding an event of interest. "DHCP Request" packets contain the hostname information, "DHCP ACK" packets represent the accepted requests and "DHCP NAK" packets represent denied requests. Due to the nature of the protocol, only "Option 53" (request type) has predefined static values. Filter the packet type first, and then filter the rest of the options by "applying as column" or with the advanced filters "contains" and "matches".
      Request: dhcp.option.dhcp == 3
      ACK: dhcp.option.dhcp == 5
      NAK: dhcp.option.dhcp == 6
  • "DHCP Request" options for grabbing the low-hanging fruits: Option 12: Hostname. Option 50: Requested IP address. Option 51: Requested IP lease time. Option 61: Client's MAC address.
      dhcp.option.hostname contains "keyword"
  • "DHCP ACK" options for grabbing the low-hanging fruits: Option 15: Domain name. Option 51: Assigned IP lease time.
      dhcp.option.domain_name contains "keyword"
  • "DHCP NAK" options for grabbing the low-hanging fruits: Option 56: Message (rejection details/reason). As the message could be unique to the case/situation, it is suggested to read the message instead of filtering it, so the analyst can form a more reliable hypothesis/result by understanding the circumstances of the event.

NetBIOS (NBNS) Analysis

NetBIOS or Network Basic Input/Output System is the technology responsible for allowing applications on different hosts to communicate with each other.

NBNS investigation in a nutshell:

Notes and Wireshark filters:

  • Global search: nbns
  • "NBNS" options for grabbing the low-hanging fruits: Queries: query details, which could contain the name, Time to live (TTL) and IP address details.
      nbns.name contains "keyword"

Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating service requests between two or more computers over an untrusted network. The ultimate aim is to prove identity securely.

Kerberos investigation in a nutshell:

Notes and Wireshark filters:

  • Global search: kerberos
  • User account search: CNameString is the username. Note: some packets could provide hostname information in this field. To avoid this confusion, filter on the "$" value: the values ending with "$" are hostnames, and the ones without it are usernames.
      kerberos.CNameString contains "keyword"
      kerberos.CNameString and !(kerberos.CNameString contains "$")
  • "Kerberos" options for grabbing the low-hanging fruits:
      pvno, protocol version: kerberos.pvno == 5
      realm, domain name for the generated ticket: kerberos.realm contains ".org"
      sname, service and domain name for the generated ticket: kerberos.SNameString == "krbtgt"
      addresses, client IP address and NetBIOS name. Note: the "addresses" information is only available in request packets.

ICMP Analysis

Internet Control Message Protocol (ICMP) is designed for diagnosing and reporting network communication issues. It is widely used in error reporting and testing. As it is a trusted network layer protocol, it is sometimes used for denial of service (DoS) attacks; adversaries also use it for data exfiltration and C2 tunnelling.

ICMP analysis in a nutshell:

Usually, ICMP tunnelling attacks are anomalies that appear/start after a malware execution or vulnerability exploitation. As ICMP packets can carry an additional data payload, adversaries use this section to exfiltrate data and establish a C2 connection; the payload could be TCP, HTTP or SSH data. Although ICMP offers a great opportunity to carry extra data, it also has disadvantages for the adversary: most enterprise networks block custom packets or require administrator privileges to create custom ICMP packets.

A large volume of ICMP traffic or anomalous packet sizes are indicators of ICMP tunnelling. Still, the adversaries could create custom packets that match the regular ICMP packet size (64 bytes), so it is still cumbersome to detect these tunnelling activities. However, a security analyst should know the normal and the abnormal to spot the possible anomaly and escalate it for further analysis.

Notes and Wireshark filters:

  • Global search: icmp
  • "ICMP" options for grabbing the low-hanging fruits: packet length, ICMP destination addresses, and signs of an encapsulated protocol in the ICMP payload.
      data.len > 64 and icmp

DNS Analysis

Domain Name System (DNS) is designed to translate domain names to IP addresses. It is also known as the phonebook of the internet. As it is an essential part of web services, it is commonly used and trusted, and therefore often ignored. Due to that, adversaries use it for data exfiltration and C2 activities.

DNS analysis in a nutshell:

Similar to ICMP tunnels, DNS attacks are anomalies that appear/start after a malware execution or vulnerability exploitation. The adversary creates (or already has) a domain address and configures it as a C2 channel. The malware, or the commands executed after exploitation, sends DNS queries to the C2 server. However, these queries are longer than default DNS queries and are crafted as subdomain addresses. Unfortunately, these subdomain addresses are not actual addresses; they are encoded commands, as shown below:

"encoded-commands.maliciousdomain.com"

When this query is routed to the C2 server, the server sends the actual malicious commands to the host. As the DNS queries are a natural part of the networking activity, these packets have the chance of not being detected by network perimeters. A security analyst should know how to investigate the DNS packet lengths and target addresses to spot these anomalies.

Notes and Wireshark filters:

  • Global search: dns
  • "DNS" options for grabbing the low-hanging fruits: query length; anomalous and non-regular names in DNS addresses; long DNS addresses with encoded subdomain addresses; known patterns like dnscat and dns2tcp; statistical analysis like an anomalous volume of DNS requests for a particular target. !mdns disables link-local device queries.
      dns contains "dnscat"
      dns.qry.name.len > 15 and !mdns
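
The DNS hunts above, carried a step further than the filters: an added example, not code from the original page, that applies the !mdns and length conditions, checks for the known tool name, scores the subdomain part for encoded data with Shannon entropy, and counts queries per target domain and source. The sample queries and their hex-looking subdomains are constructed; maliciousdomain.com is the placeholder the page uses.

```python
import math
from collections import Counter, defaultdict

# Constructed sample queries: (src_ip, query_name, is_mdns).
SAMPLE_QUERIES = [
    ("10.10.10.100", "www.example.com", False),
    ("10.10.10.100", "mail.example.com", False),
    ("10.10.10.100", "_airplay._tcp.local", True),   # link-local, dropped by !mdns
    ("10.10.10.111", "dnscat.maliciousdomain.com", False),
    ("10.10.10.111", "4a7b3c9d0e1f2a3b4c5d6e7f.maliciousdomain.com", False),
    ("10.10.10.111", "9f8e7d6c5b4a39281706f5e4.maliciousdomain.com", False),
    ("10.10.10.111", "0a1b2c3d4e5f6a7b8c9d0e1f.maliciousdomain.com", False),
]

def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores higher than words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def subdomain(name):
    """Everything left of the registered domain (taken as the last two labels), or ''."""
    labels = name.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""

def is_suspicious(name, max_len=15, min_entropy=3.0):
    """dns.qry.name.len > 15 plus the page's hints: known tool names and encoded subdomains."""
    lowered = name.lower()
    if "dnscat" in lowered or "dns2tcp" in lowered:
        return True
    sub = subdomain(name)
    return len(name) > max_len and len(sub) >= 16 and shannon_entropy(sub) >= min_entropy

def hunt_dns(queries, max_len=15, min_entropy=3.0):
    """Apply !mdns, flag suspicious names and count queries per registered domain and source.

    Returns (flagged, volume): flagged is a list of (src_ip, name); volume maps
    domain -> {src_ip: query count}, the statistical view mentioned above.
    """
    flagged = []
    volume = defaultdict(Counter)
    for src, name, is_mdns in queries:
        if is_mdns:
            continue
        domain = ".".join(name.split(".")[-2:])
        volume[domain][src] += 1
        if is_suspicious(name, max_len, min_entropy):
            flagged.append((src, name))
    return flagged, {d: dict(c) for d, c in volume.items()}

if __name__ == "__main__":
    flagged, volume = hunt_dns(SAMPLE_QUERIES)
    for src, name in flagged:
        print(f"suspicious query from {src}: {name}")
    print(volume)
```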

FTP Analysis

File Transfer Protocol (FTP) is designed to transfer files with ease, so it focuses on simplicity rather than security. As a result of this, using this protocol in unsecured environments could create security issues like:

  • MITM attacks
  • Credential stealing and unauthorised access
  • Phishing
  • Malware planting
  • Data exfiltration

FTP analysis in a nutshell:

Notes and Wireshark filters:

  • Global search: ftp
  • "FTP" response series for grabbing the low-hanging fruits: x1x series: information request responses. x2x series: connection messages. x3x series: authentication messages. Note: "200" means command successful.
  • "x1x" series options for grabbing the low-hanging fruits: 211: System status. 212: Directory status. 213: File status.
      ftp.response.code == 211
  • "x2x" series options for grabbing the low-hanging fruits: 220: Service ready. 227: Entering passive mode. 228: Long passive mode. 229: Extended passive mode.
      ftp.response.code == 227
  • "x3x" series options for grabbing the low-hanging fruits: 230: User login. 231: User logout. 331: Valid username. 430: Invalid username or password. 530: No login, invalid password.
      ftp.response.code == 230
  • "FTP" commands for grabbing the low-hanging fruits: USER: Username. PASS: Password. CWD: Current work directory. LIST: List.
      ftp.request.command == "USER"
      ftp.request.command == "PASS"
      ftp.request.arg == "password"
  • Advanced usage examples for grabbing the low-hanging fruits:
      Bruteforce signal, list failed login attempts: ftp.response.code == 530
      Bruteforce signal, list the target username: (ftp.response.code == 530) and (ftp.response.arg contains "username")
      Password spray signal, list targets for a static password: (ftp.request.command == "PASS") and (ftp.request.arg == "password")
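
The bruteforce and password-spray signals above, implemented over constructed FTP control-channel lines. This is an added example, not code from the original page: it pairs each PASS with the preceding USER per source, then reports usernames hit with many passwords and passwords tried against many usernames. The addresses, usernames and passwords are all made up.

```python
from collections import defaultdict

# Constructed sample lines: (src_ip, kind, value, arg). kind "request" carries
# ftp.request.command / ftp.request.arg, kind "response" carries
# ftp.response.code / ftp.response.arg. 331 replies are left out for brevity.
SAMPLE_FTP = [
    ("10.10.10.100", "request", "USER", "admin"),        # bruteforce: one user, many passwords
    ("10.10.10.100", "request", "PASS", "123456"),
    ("10.10.10.100", "response", 530, "Login incorrect"),
    ("10.10.10.100", "request", "USER", "admin"),
    ("10.10.10.100", "request", "PASS", "letmein"),
    ("10.10.10.100", "response", 530, "Login incorrect"),
    ("10.10.10.100", "request", "USER", "admin"),
    ("10.10.10.100", "request", "PASS", "admin"),
    ("10.10.10.100", "response", 230, "User admin logged in"),
    ("10.10.10.222", "request", "USER", "alice"),        # spray: one password, many users
    ("10.10.10.222", "request", "PASS", "Spring2024!"),
    ("10.10.10.222", "response", 530, "Login incorrect"),
    ("10.10.10.222", "request", "USER", "bob"),
    ("10.10.10.222", "request", "PASS", "Spring2024!"),
    ("10.10.10.222", "response", 530, "Login incorrect"),
    ("10.10.10.222", "request", "USER", "carol"),
    ("10.10.10.222", "request", "PASS", "Spring2024!"),
    ("10.10.10.222", "response", 530, "Login incorrect"),
]

def failed_logins(lines):
    """ftp.response.code == 530 counted per source: the raw bruteforce signal."""
    counts = defaultdict(int)
    for src, kind, value, _ in lines:
        if kind == "response" and value == 530:
            counts[src] += 1
    return dict(counts)

def login_attempts(lines):
    """Pair each PASS with the preceding USER of the same source.

    Returns [(src_ip, username, password, "success" | "failure")], using the
    230/530 reply that follows the PASS as the outcome.
    """
    pending_user, pending_pass, attempts = {}, {}, []
    for src, kind, value, arg in lines:
        if kind == "request" and value == "USER":
            pending_user[src] = arg
        elif kind == "request" and value == "PASS":
            pending_pass[src] = (pending_user.get(src), arg)
        elif kind == "response" and value in (230, 530) and src in pending_pass:
            user, password = pending_pass.pop(src)
            attempts.append((src, user, password, "success" if value == 230 else "failure"))
    return attempts

def brute_force_targets(lines, min_passwords=2):
    """Usernames that failed with several distinct passwords."""
    tried = defaultdict(set)
    for _, user, password, outcome in login_attempts(lines):
        if outcome == "failure":
            tried[user].add(password)
    return {u: len(p) for u, p in tried.items() if len(p) >= min_passwords}

def password_spray_targets(lines, min_users=3):
    """Passwords tried against several distinct usernames (the static-password signal)."""
    users = defaultdict(set)
    for _, user, password, _ in login_attempts(lines):
        users[password].add(user)
    return {p: sorted(u) for p, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    print("530 replies per source:", failed_logins(SAMPLE_FTP))
    print("bruteforce targets:", brute_force_targets(SAMPLE_FTP))
    print("password spray targets:", password_spray_targets(SAMPLE_FTP))
```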

HTTP Analysis

Hypertext Transfer Protocol (HTTP) is a cleartext-based, request-response, client-server protocol. It is the standard type of network activity for requesting/serving web pages, and by default it is not blocked by any network perimeter. Being unencrypted and the backbone of web traffic, HTTP is one of the must-know protocols in traffic analysis. The following attacks could be detected with the help of HTTP analysis:

  • Phishing pages
  • Web attacks
  • Data exfiltration
  • Command and control traffic (C2)

HTTP analysis in a nutshell:

Notes and Wireshark filters:

  • Global search: http, http2. Note: HTTP2 is a revision of the HTTP protocol for better performance and security. It supports binary data transfer and request/response multiplexing.
  • "HTTP Request Methods" for grabbing the low-hanging fruits:
      GET: http.request.method == "GET"
      POST: http.request.method == "POST"
      Request, listing all requests: http.request
  • "HTTP Response Status Codes" for grabbing the low-hanging fruits:
      200 OK: Request successful.
      301 Moved Permanently: Resource is moved to a new URL/path (permanently).
      302 Moved Temporarily: Resource is moved to a new URL/path (temporarily).
      400 Bad Request: Server didn't understand the request.
      401 Unauthorised: URL needs authorisation (login, etc.).
      403 Forbidden: No access to the requested URL.
      404 Not Found: Server can't find the requested URL.
      405 Method Not Allowed: Used method is not suitable or blocked.
      408 Request Timeout: Request took longer than the server wait time.
      500 Internal Server Error: Request not completed, unexpected error.
      503 Service Unavailable: Request not completed, server or service is down.
    Filters: http.response.code == 200, http.response.code == 401, http.response.code == 403, http.response.code == 404, http.response.code == 405, http.response.code == 503
  • "HTTP Parameters" for grabbing the low-hanging fruits (request side):
      User agent, browser and operating system identification sent to a web server application: http.user_agent contains "nmap"
      Request URI, points to the requested resource on the server: http.request.uri contains "admin"
      Full URI, complete URI information (URI: Uniform Resource Identifier): http.request.full_uri contains "admin"
  • "HTTP Parameters" for grabbing the low-hanging fruits (response side):
      Server, server service name: http.server contains "apache"
      Host, hostname of the server: http.host contains "keyword", http.host == "keyword"
      Connection, connection status: http.connection == "Keep-Alive"
      Line-based text data, cleartext data provided by the server: data-text-lines contains "keyword"
      HTML Form URL Encoded: web form information.

User Agent Analysis

As adversaries use sophisticated techniques to accomplish attacks, they try to leave traces similar to natural traffic through known and trusted protocols. For a security analyst, it is important to spot the signs of anomaly in the bits and pieces of the packets. The "user-agent" field is one of the great resources for spotting anomalies in HTTP traffic. In some cases, adversaries successfully modify the user-agent data so that it looks completely natural, so a security analyst cannot rely only on the user-agent field to spot an anomaly. Never whitelist a user agent, even if it looks natural. User agent-based anomaly/threat detection/hunting is an additional data source to check and is useful when there is an obvious anomaly. If you are unsure about a value, you can conduct a web search to validate your findings against the default and normal user-agent info.

User Agent analysis in a nutshell:

Notes and Wireshark filters:

  • Global search: http.user_agent
  • Research outcomes for grabbing the low-hanging fruits: different user agent information from the same host within a short time; non-standard and custom user agent info; subtle spelling differences ("Mozilla" is not the same as "Mozlilla" or "Mozlila"); audit tool info like Nmap, Nikto, Wfuzz and sqlmap in the user agent field; payload data in the user agent field.
      (http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")

Decrypting HTTPS Traffic

When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the transferred data without having the encryption/decryption key pairs. As this protocol provides a good level of security for transmitting sensitive data, attackers and malicious websites also use HTTPS. Therefore, a security analyst should know how to use key files to decrypt encrypted traffic and investigate the traffic activity.

The packets will appear in different colours as the HTTP traffic is encrypted. Also, protocol and info details (actual URL address and data returned from the server) will not be fully visible. The first image below shows the HTTP packets encrypted with the TLS protocol. The second and third images demonstrate filtering HTTP packets without using a key log file.

Additional information for HTTPS :

Notes and Wireshark filters:

  • "HTTPS Parameters" for grabbing the low-hanging fruits:
      Request, listing all requests: http.request
      TLS, global TLS search: tls
      TLS Client Hello: tls.handshake.type == 1
      TLS Server Hello: tls.handshake.type == 2
      Local Simple Service Discovery Protocol (SSDP): ssdp. Note: SSDP is a network protocol that provides advertisement and discovery of network services.

Wireshark is a good tool for starting a network security investigation. However, it is not enough to stop the threats. A security analyst should have IDS/IPS knowledge and extended tool skills to detect and prevent anomalies and threats. As the attacks are getting more sophisticated consistently, the use of multiple tools and detection strategies becomes a requirement. The following rooms will help you step forward in network traffic analysis and anomaly/threat detection.
