Using Wireshark and Tshark display filters for troubleshooting

Display filters can be used to analyze different types of network traffic. In this Traffic Talk tip, Richard Bejtlich explains how to use Wireshark and Tshark display filters for security and network troubleshooting.

Welcome to the second installment of Traffic Talk, a regular SearchNetworkingChannel.com series for network solution providers and consultants who troubleshoot business networks. In these articles we examine a variety of open source network analysis tools. In this edition we explore Wireshark and Tshark display filters. Display filters are one of the most powerful, and sometimes misunderstood, features of the amazing Wireshark open source protocol analyzer. After reading this tip you'll understand how to use display filters for security and network troubleshooting.

All examples in this article use Tshark, the command line version of Wireshark.

$ tshark -v
TShark 1.0.0
Copyright 1998-2008 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.16.1, with libpcap 0.9.8, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.4, without SMI, with ADNS, with Lua 5.1,
with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos.
Running on Linux 2.6.24-19-generic, with libpcap version 0.9.8.
Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

Any display filter used in Tshark can be typed unchanged into the filter bar of the Wireshark GUI, so the remainder of this article uses Tshark only; everything shown applies equally to Wireshark.

Before examining display filters, it's important to understand the two types of filters Tshark supports. First, Tshark supports capture filters, which use the Berkeley Packet Filter (BPF) syntax shared with Tcpdump; libpcap compiles them to BPF bytecode and the kernel applies them before a packet ever reaches Tshark, so they are cheap but can only test bytes at known offsets. Second, Tshark provides its own display filter language, which operates on the fields produced by Wireshark's protocol dissectors after the packet has been decoded. Both filter types support primitives, or English language shortcuts, which make it easier to write filters, but Tshark display filters are much richer, because any field a dissector can name can be tested.

An example of a capture filter appears next:

# tshark -i wlan0 -w /tmp/sample.pcap host 192.168.2.103

For comparison's sake, the following is the same filter applied to Tcpdump. Notice that with Tcpdump of this vintage we must specify the snaplen explicitly, because it defaults to a small snaplen (68 bytes) and silently truncates packets, which breaks any later display filter that needs the payload. Tshark captures the entire packet by default. Tcpdump 4.0 and later also capture whole packets by default, so the -s option is no longer needed there.

# tcpdump -i wlan0 -s 1514 -w /tmp/sample2.pcap host 192.168.2.103

A Tshark display filter can also be applied at capture time, although most people only use display filters when reviewing saved traces. The following shows how to apply a display filter while capturing traffic. The key is the -R switch, which in Tshark 1.0 applies the filter before packets are printed or written, so only matching packets reach /tmp/sample3.pcap. Be aware that current Tshark releases changed this: -Y is now the single-pass display filter, and -R names the first-pass filter that only works together with -2 (two-pass analysis).

# tshark -n -i wlan0 -w /tmp/sample3.pcap -R 'ip.addr == 192.168.2.103'

The amazing aspect of display filters is that they can look as deeply into traffic as Wireshark can. Consider trying to detect when users are making DNS queries for anything containing "bejtlich" in the domain name:

# tshark -n -i wlan0 -R 'dns.qry.name contains "bejtlich"'
Running as user "root" and group "root". This could be dangerous.
Capturing on wlan0
0.000000 192.168.2.103 -> 172.16.2.1 DNS Standard query A www.bejtlich.net
0.001607 172.16.2.1 -> 192.168.2.103 DNS Standard query response A 209.40.96.212
0.002012 192.168.2.103 -> 172.16.2.1 DNS Standard query AAAA www.bejtlich.net
0.052483 172.16.2.1 -> 192.168.2.103 DNS Standard query response
0.052889 192.168.2.103 -> 172.16.2.1 DNS Standard query MX www.bejtlich.net
0.155872 172.16.2.1 -> 192.168.2.103 DNS Standard query response

Congratulations -- you just invented a primitive intrusion detection system! Notice that the filter matched the responses as well as the queries: dns.qry.name is taken from the question section, which the server echoes back in its answer, so a single filter shows both sides of the transaction. Granted, this method doesn't account for fragmentation (at the IP, TCP, SMB, DCE-RPC, etc., layers) and a bevy of other issues, but it's a fast way to start looking for interesting traffic on your customer's network. Take the "Running as user root" warning seriously on anything that stays up for long, too: dissector bugs are a recurring source of Wireshark security advisories, and feeding hostile traffic to root-level dissectors is the classic way a protocol analyzer gets exploited. The safer arrangement is to let dumpcap do the capturing under file capabilities (setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap) and run Tshark or Wireshark as an unprivileged user.
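To make concrete what that filter is testing, here is an added example (not part of the original article, and not Wireshark's own code) that decodes the question section of raw DNS messages and applies the same substring test. The query and response messages are constructed in the code rather than captured; the response uses a compression pointer, the way real servers do, to show that the question name still decodes and still matches.

```python
"""Re-implement the display filter  dns.qry.name contains "bejtlich"  on raw
DNS messages, to show what Tshark matches on. Added example, not from the
article: the query and response below are constructed, not captured."""
import struct


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name starting at msg[offset], following RFC 1035
    compression pointers. Returns (name, offset just past the name as it
    appears at the original position)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if resume is None:
                resume = offset + 2                     # caller continues after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                               # hostile message: pointer loop
                raise ValueError("DNS name compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def qry_names(msg: bytes) -> list[str]:
    """Every name in the question section. Responses carry the question
    section too, which is why the filter hits both directions of the exchange."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    names, off = [], 12                                 # 12-byte DNS header
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
        names.append(name)
    return names


def dns_qry_name_contains(msg: bytes, needle: str) -> bool:
    """Equivalent of  dns.qry.name contains "<needle>"  for one DNS message."""
    return any(needle in name for name in qry_names(msg))


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rdata: bytes) -> bytes:
    """Constructed A response: echoes the question; the answer's name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query(0x1234, "www.bejtlich.net")
    r = build_response(q, bytes([209, 40, 96, 212]))      # address seen in the trace above
    for label, msg in [("query", q), ("response", r), ("other", build_query(1, "www.example.com"))]:
        print(label, qry_names(msg), dns_qry_name_contains(msg, "bejtlich"))
```

The pointer-hop limit in decode_name is the kind of check a dissector has to make and a one-line filter never sees: a crafted message whose name points at itself would otherwise spin forever.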


Here's an example of looking for the value "ftp" as the argument of any File Transfer Protocol command. Note that == requires the whole argument to equal "ftp"; contains would also match arguments that merely include it. A USER ftp followed by PASS ftp is an anonymous FTP login, so this filter is a quick way to spot those:

$ tshark -n -r /home/richard/sample.pcap -R 'ftp.request.arg == "ftp"'
12 4.904397 192.168.2.103 -> 204.152.184.73 FTP Request: USER ftp
16 5.584912 192.168.2.103 -> 204.152.184.73 FTP Request: PASS ftp
54 73.208605 192.168.2.103 -> 62.243.72.50 FTP Request: USER ftp
57 74.128702 192.168.2.103 -> 62.243.72.50 FTP Request: PASS ftp

In the following we capture live traffic to the screen and the disk when the packet contains an HTTP User-Agent header, but that header doesn't contain "Firefox". A bare field name such as http.user_agent is a presence test, true for any packet in which the dissector found that field, so the filter reads "has a User-Agent, and it isn't Firefox". The -S switch (in Tshark 1.0) prints packets even while -w is writing them to disk; later releases renamed that switch -P and reuse -S for an output line separator. The -x switch adds the hex and ASCII dump. Apparently someone's using Lynx here!

# tshark -i wlan0 -S -w /tmp/sample5.pcap -x -R 'http.user_agent and !(http.user_agent contains "Firefox")'
Running as user "root" and group "root". This could be dangerous.
Capturing on wlan0
0.053215 192.168.2.103 -> 209.40.96.212 HTTP GET / HTTP/1.0

0000 00 13 10 65 2f ab 00 13 02 4c 30 2d 08 00 45 00 ...e/....L0-..E.
0010 01 1a 08 74 40 00 40 06 3c 5e c0 a8 02 67 d1 28 ...t@.@.<^...g.(
0020 60 d4 85 73 00 50 52 f4 62 08 54 31 50 0b 80 18 `..s.PR.b.T1P...
0030 00 2e 64 4e 00 00 01 01 08 0a 00 2d 6a 82 a0 37 ..dN.......-j..7
0040 c9 78 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 .xGET / HTTP/1.0
0050 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 74 61 6f 73 ..Host: www.taos
0060 65 63 75 72 69 74 79 2e 63 6f 6d 0d 0a 41 63 63 ecurity.com..Acc
0070 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20 ept: text/html,
0080 74 65 78 74 2f 70 6c 61 69 6e 2c 20 74 65 78 74 text/plain, text
0090 2f 63 73 73 2c 20 74 65 78 74 2f 73 67 6d 6c 2c /css, text/sgml,
00a0 20 2a 2f 2a 3b 71 3d 30 2e 30 31 0d 0a 41 63 63 */*;q=0.01..Acc
00b0 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a ept-Encoding: gz
00c0 69 70 2c 20 62 7a 69 70 32 0d 0a 41 63 63 65 70 ip, bzip2..Accep
00d0 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 0d 0a t-Language: en..
00e0 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 79 6e 78 User-Agent: Lynx
00f0 2f 32 2e 38 2e 36 72 65 6c 2e 34 20 6c 69 62 77 /2.8.6rel.4 libw
0100 77 77 2d 46 4d 2f 32 2e 31 34 20 53 53 4c 2d 4d ww-FM/2.14 SSL-M
0110 4d 2f 31 2e 34 2e 31 20 47 4e 55 54 4c 53 2f 32 M/1.4.1 GNUTLS/2
0120 2e 30 2e 34 0d 0a 0d 0a .0.4....

In a similar manner, maybe we want to see all HTTP Uniform Resource Identifiers that contain the term "samba"? The request URI is exposed as the http.request.uri field, so the filter is http.request.uri contains "samba".

Wireshark display filter references
Designing Capture Filters for Ethereal/Wireshark by Mike Horn
Wireshark Capture Filters
Wireshark Display Filters
Wireshark Display Filter Reference

Let's say we wanted to monitor Simple Mail Transfer Protocol (SMTP) for any commands. Because a bare field name tests for presence, the filter smtp.req.command selects every packet in which the dissector recognized an SMTP command, whatever its case or argument. We could use it like this with Tshark when reading a saved trace:

$ tshark -n -r /tmp/sample6.pcap -R 'smtp.req.command'
6 2.510204 192.168.2.103 -> 128.103.208.29 SMTP Command: helo test
10 3.812430 192.168.2.103 -> 128.103.208.29 SMTP Command: quit

Consider what it might look like if we wanted to do something similar with a capture filter in BPF syntax. BPF has no notion of an "SMTP command", only bytes at offsets, so the filter spells out each four-letter verb as a 32-bit constant (0x48454C4F is "HELO", 0x4D41494C is "MAIL", and so on down to 0x5455524E for "TURN") and compares it with tcp[20:4], the four bytes that follow a 20-byte TCP header:

$ tcpdump -n -r /tmp/sample6.pcap 'port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp[20:4] = 0x5455524E)'

Two things are worth noticing. First, tcp[20:4] is the start of the payload only when the TCP header carries no options. tcp[12] & 0xf0 is the data offset field, and the leading tcp[12] & 0xf0 > 0x50 term simply accepts every segment whose header is longer than 20 bytes, whatever it contains. Since Linux and most other stacks put the timestamp option on every segment, that term matches most SMTP traffic regardless of content, server replies included. The robust form locates the payload through the data offset, tcp[((tcp[12]&0xf0)>>2):4]. Second, the byte comparison is case sensitive while SMTP commands are not: the lowercase helo in the trace above would never equal 0x48454C4F. The display filter has neither problem because the dissector has already found and normalized the command.
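To see exactly what those byte-offset tests read, here is an added example (not from the article, and not tcpdump's or Wireshark's code) that evaluates the filter's terms against two kinds of frame. FRAME_HEX is the Lynx request from the hex dump shown earlier on this page, whose TCP header carries the timestamp option; the SMTP segments are constructed in the code. It also extracts the User-Agent header from that same frame, which is what the http.user_agent filter above sees after dissection, with no byte offset involved.

```python
"""Evaluate the byte-offset tests in the tcpdump filter above against real
frames, to show what tcp[12] & 0xf0 and tcp[20:4] actually read. Added
example, not from the article. FRAME_HEX is the Lynx request from the hex
dump earlier on this page; the SMTP segments are constructed, not captured."""
import struct
from typing import Optional

FRAME_HEX = """
00 13 10 65 2f ab 00 13 02 4c 30 2d 08 00 45 00  01 1a 08 74 40 00 40 06 3c 5e c0 a8 02 67 d1 28
60 d4 85 73 00 50 52 f4 62 08 54 31 50 0b 80 18  00 2e 64 4e 00 00 01 01 08 0a 00 2d 6a 82 a0 37
c9 78 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30  0d 0a 48 6f 73 74 3a 20 77 77 77 2e 74 61 6f 73
65 63 75 72 69 74 79 2e 63 6f 6d 0d 0a 41 63 63  65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20
74 65 78 74 2f 70 6c 61 69 6e 2c 20 74 65 78 74  2f 63 73 73 2c 20 74 65 78 74 2f 73 67 6d 6c 2c
20 2a 2f 2a 3b 71 3d 30 2e 30 31 0d 0a 41 63 63  65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a
69 70 2c 20 62 7a 69 70 32 0d 0a 41 63 63 65 70  74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 0d 0a
55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 79 6e 78  2f 32 2e 38 2e 36 72 65 6c 2e 34 20 6c 69 62 77
77 77 2d 46 4d 2f 32 2e 31 34 20 53 53 4c 2d 4d  4d 2f 31 2e 34 2e 31 20 47 4e 55 54 4c 53 2f 32
2e 30 2e 34 0d 0a 0d 0a
"""
LYNX_FRAME = bytes.fromhex(FRAME_HEX)

# NOP, NOP, Timestamp (kind 8, length 10): the options Linux sends on every segment.
TS_OPTIONS = bytes.fromhex("01 01 08 0a 00 2d 6a 82 a0 37 c9 78")
SMTP_VERBS = [b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"SEND", b"SOML",
              b"SAML", b"VRFY", b"EXPN", b"NOOP", b"QUIT", b"TURN"]


def tcp_segment(frame: bytes) -> bytes:
    """The TCP header and everything after it. BPF's tcp[N] indexes from here."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl:]


def tcp_payload(frame: bytes) -> bytes:
    """Payload located through the data offset, i.e. the BPF idiom
    tcp[((tcp[12]&0xf0)>>2):4] rather than the fixed tcp[20:4]."""
    tcp = tcp_segment(frame)
    return tcp[(tcp[12] & 0xF0) >> 2:]


def bpf_filter_from_article(frame: bytes) -> bool:
    """Mirror of 'tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or ...'.
    The 'port 25' term is left out so the HTTP frame can be fed through too."""
    tcp = tcp_segment(frame)
    if (tcp[12] & 0xF0) > 0x50:
        return True            # header longer than 20 bytes matches, whatever the payload
    return tcp[20:24] in SMTP_VERBS


def bpf_filter_fixed(frame: bytes) -> bool:
    """Same verbs, payload found via the data offset, plus an ASCII case fold
    (the BPF equivalent is '| 0x20202020' applied to the 4-byte load)."""
    folded = bytes(b | 0x20 for b in tcp_payload(frame)[:4])
    return folded in [verb.lower() for verb in SMTP_VERBS]


def http_header(frame: bytes, name: str) -> Optional[str]:
    """What a display-filter field such as http.user_agent sees: the header
    value after dissection, with no byte offset involved."""
    head = tcp_payload(frame).split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                 # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode("ascii", "replace")
    return None


def make_tcp_frame(payload: bytes, options: bytes = b"", dport: int = 25) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero, nothing here checks them."""
    doff = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, (doff // 4) << 4, 0x18, 8192, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 2, 103]), bytes([128, 103, 208, 29]))
    return bytes(12) + b"\x08\x00" + ip + tcp


if __name__ == "__main__":
    cases = [("Lynx GET, with options", LYNX_FRAME),
             ("helo test, no options", make_tcp_frame(b"helo test\r\n")),
             ("QUIT, no options", make_tcp_frame(b"QUIT\r\n")),
             ("250 OK reply, with options", make_tcp_frame(b"250 OK\r\n", TS_OPTIONS))]
    for label, frame in cases:
        print(label, "article:", bpf_filter_from_article(frame), "fixed:", bpf_filter_fixed(frame))
    print("User-Agent:", http_header(LYNX_FRAME, "User-Agent"))
```

Run it and the Lynx frame matches the article's filter even though it is HTTP (the options term fires, and tcp[20:4] reads the NOP/NOP/timestamp bytes 01 01 08 0a instead of "GET "), the lowercase helo from the trace is missed, and a 250 OK server reply carrying the timestamp option is accepted. The offset-aware, case-folded version gets all four right, which is roughly the work the SMTP dissector does for you behind smtp.req.command.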

To create display filters, I recommend reviewing the references in the sidebar. I usually use the "Expression..." dialog beside Wireshark's filter bar for the protocol I'm analyzing, and I test the filter against traffic I know has the content of interest. From the command line, tshark -G fields lists every field name the dissectors know, which is handy to grep when you remember the protocol but not the exact field.

About the author
Richard Bejtlich is the founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in October 2008
