Using Wireshark and Tshark display filters for troubleshooting

Welcome to the second installment of Traffic Talk, a regular SearchNetworkingChannel.com series for network solution providers and consultants who troubleshoot business networks. In these articles we examine a variety of open source network analysis tools. In this edition we explore Wireshark and Tshark display filters. Display filters are one of the most powerful, and sometimes misunderstood, features of the amazing Wireshark open source protocol analyzer. After reading this tip you'll understand how to use display filters for security and network troubleshooting.

All examples in this article use Tshark, the command line version of Wireshark.


$ tshark -v
TShark 1.0.0
Copyright 1998-2008 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
Compiled with GLib 2.16.1, with libpcap 0.9.8, with libz, with POSIX
capabilities (Linux), with libpcre 7.4, without SMI, with ADNS, with Lua 5.1,
with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos.
Running on Linux 2.6.24-19-generic, with libpcap version 0.9.8.
Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

Any display filter used in Tshark can be applied in Wireshark's filter window as well, so although the remainder of this article refers exclusively to Tshark, every display filter shown here also works in Wireshark.

Before examining display filters, it's important to understand the two types of filters Tshark supports. First, Tshark provides capture filters, which use the Berkeley Packet Filter (BPF) syntax common to Tcpdump. Second, Tshark provides its own unique display filters. Both filter types support primitives, or English-language shortcuts, which make it easier to write filters. Tshark display filters are much richer, however.

An example of a capture filter appears next:

# tshark -i wlan0 -w /tmp/sample.pcap host

For comparison's sake, the following is the same filter applied to Tcpdump. Notice that with Tcpdump we should specify the snaplen explicitly; Tshark captures full packets by default.

# tcpdump -i wlan0 -s 1514 -w /tmp/sample2.pcap host

A Tshark display filter can also be applied at capture time, although most people only use display filters when reviewing saved traces. The following shows how to apply a display filter while capturing traffic; the key is the -R switch.

# tshark -n -i wlan0 -w /tmp/sample3.pcap -R 'ip.addr =='

The amazing aspect of display filters is that they can look as deeply into traffic as Wireshark can. Consider trying to detect when users are making DNS queries for anything containing "bejtlich" in the domain name:

# tshark -n -i wlan0 -R 'dns.qry.name contains "bejtlich"'
Running as user "root" and group "root". This could be dangerous.
Capturing on wlan0
0.000000 -> DNS Standard query A www.bejtlich.net
0.001607 -> DNS Standard query response A
0.002012 -> DNS Standard query AAAA www.bejtlich.net
0.052483 -> DNS Standard query response
0.052889 -> DNS Standard query MX www.bejtlich.net
0.155872 -> DNS Standard query response

Congratulations -- you just invented a primitive intrusion detection system! Granted, this method doesn't account for fragmentation (at the IP, TCP, SMB, DCE-RPC, etc., layers) and a bevy of other issues, but it's a fast way to start looking for interesting traffic on your customer's network.

Here's an example of looking for the value "ftp" in any File Transfer Protocol command channel argument:

$ tshark -n -r /home/richard/sample.pcap -R 'ftp.request.arg == "ftp"'
12 4.904397 -> FTP Request: USER ftp
16 5.584912 -> FTP Request: PASS ftp
54 73.208605 -> FTP Request: USER ftp
57 74.128702 -> FTP Request: PASS ftp

In the following we capture live traffic to the screen and the disk when the packet contains an HTTP user agent, but that user agent doesn't contain Firefox. Apparently someone's using Lynx here!

# tshark -i wlan0 -S -w /tmp/sample5.pcap -x -R 'http.user_agent and !(http.user_agent contains "Firefox")'
Running as user "root" and group "root". This could be dangerous.
Capturing on wlan0
0.053215 -> HTTP GET / HTTP/1.0

0000 00 13 10 65 2f ab 00 13 02 4c 30 2d 08 00 45 00 ...e/....L0-..E.
0010 01 1a 08 74 40 00 40 06 3c 5e c0 a8 02 67 d1 28 ...t@.@.<^...g.(
0020 60 d4 85 73 00 50 52 f4 62 08 54 31 50 0b 80 18 `..s.PR.b.T1P...
0030 00 2e 64 4e 00 00 01 01 08 0a 00 2d 6a 82 a0 37 ..dN.......-j..7
0040 c9 78 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 .xGET / HTTP/1.0
0050 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 74 61 6f 73 ..Host: www.taos
0060 65 63 75 72 69 74 79 2e 63 6f 6d 0d 0a 41 63 63 ecurity.com..Acc
0070 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20 ept: text/html,
0080 74 65 78 74 2f 70 6c 61 69 6e 2c 20 74 65 78 74 text/plain, text
0090 2f 63 73 73 2c 20 74 65 78 74 2f 73 67 6d 6c 2c /css, text/sgml,
00a0 20 2a 2f 2a 3b 71 3d 30 2e 30 31 0d 0a 41 63 63 */*;q=0.01..Acc
00b0 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a ept-Encoding: gz
00c0 69 70 2c 20 62 7a 69 70 32 0d 0a 41 63 63 65 70 ip, bzip2..Accep
00d0 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 0d 0a t-Language: en..
00e0 55 73 65 72 2d 41 67 65 6e 74 3a 20 4c 79 6e 78 User-Agent: Lynx
00f0 2f 32 2e 38 2e 36 72 65 6c 2e 34 20 6c 69 62 77 /2.8.6rel.4 libw
0100 77 77 2d 46 4d 2f 32 2e 31 34 20 53 53 4c 2d 4d ww-FM/2.14 SSL-M
0110 4d 2f 31 2e 34 2e 31 20 47 4e 55 54 4c 53 2f 32 M/1.4.1 GNUTLS/2
0120 2e 30 2e 34 0d 0a 0d 0a .0.4....

In a similar manner, maybe we want to see all HTTP Uniform Resource Identifiers that contain the term "samba"?

Wireshark display filter references
Designing Capture Filters for Ethereal/Wireshark by Mike Horn
Wireshark Capture Filters
Wireshark Display Filters
Wireshark Display Filter Reference

Let's say we wanted to monitor Simple Mail Transfer Protocol (SMTP) for any commands. We could use a simple display filter like this with Tshark when reading a saved trace:

$ tshark -n -r /tmp/sample6.pcap -R 'smtp.req.command'

6 2.510204 -> SMTP Command: helo test
10 3.812430 -> SMTP Command: quit

Consider what it might look like if we wanted to do something similar with a capture filter in BPF syntax:

$ tcpdump -n -r /tmp/sample6.pcap 'port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp [20:4] = 0x5455524E)'
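As an added example (not from the article), the following Python decodes the hex constants in that tcpdump filter back into the SMTP commands they stand for and, on hand-constructed TCP segments, shows why a fixed byte offset like tcp[20:4] is fragile compared with a dissector-driven display filter such as smtp.req.command. The segments and the helper functions are assumptions built for this illustration only.

```python
"""Byte-offset BPF matching versus dissector-style matching for SMTP commands.
Added example, not code from the article; the TCP segments are constructed."""
import struct

# The 4-byte constants from the tcpdump filter in the article, e.g.
# 0x48454C4F is the ASCII bytes 'H' 'E' 'L' 'O'.
BPF_CONSTANTS = [0x48454C4F, 0x4D41494C, 0x52435054, 0x44415441, 0x52534554,
                 0x53454E44, 0x534F4D4C, 0x53414D4C, 0x56524659, 0x4558504E,
                 0x4E4F4F50, 0x51554954, 0x5455524E]


def decode_constants(constants):
    """Turn each tcp[20:4] = 0x... constant into the 4-letter command it encodes."""
    return [c.to_bytes(4, "big").decode("ascii") for c in constants]


def build_segment(options, payload):
    """Constructed TCP segment to port 25: 20-byte header, optional TCP options,
    then the SMTP payload.  Options length must be a multiple of 4."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 25,             # source port, destination port 25
                         1, 1,                  # sequence and acknowledgement numbers
                         data_offset << 4,      # high nibble = data offset (tcp[12])
                         0x18, 65535, 0, 0)     # flags PSH+ACK, window, checksum, urgent
    return header + options + payload


def bpf_style_match(segment):
    """Mimic the article's BPF: 'tcp[12] & 0xf0 > 0x50' matches any segment
    carrying TCP options, otherwise four bytes at fixed offset 20 are compared
    to the uppercase command constants (so 'helo' in lowercase is missed)."""
    if segment[12] & 0xF0 > 0x50:
        return True                    # options present: offset 20 is not payload
    return int.from_bytes(segment[20:24], "big") in BPF_CONSTANTS


def dissect_command(segment):
    """What a dissector does before a field like smtp.req.command exists:
    locate the payload from the data offset, then read the command token."""
    header_len = (segment[12] >> 4) * 4
    payload = segment[header_len:]
    if not payload:
        return None
    return payload.split(b" ")[0].rstrip(b"\r\n").decode("ascii", "replace")


# Constructed sample segments: no options, and NOP NOP Timestamp options (12 bytes).
NO_OPTIONS = b""
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00\x2d\x6a\x82" + b"\xa0\x37\xc9\x78"
```

The lowercase "helo test" command that the article's display filter caught is missed by the byte-offset filter, while a segment with TCP options matches regardless of what it carries.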

To create display filters, I recommend reviewing the references in the sidebar. I usually use Wireshark's "Expression" menu for the protocol I'm analyzing, and I test the filter against traffic I know has the content of interest.

About the author
Richard Bejtlich is the founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.

This was first published in October 2008
