Now and then, especially when you expect less, the network crashes or encounter an issue and then you had to troubleshoot. Sometime the problem is right there, you can see it and it’s easy to fix, but in other cases you’ll have to put an eye in the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) ring a bell in your head.
Wireshark is one of the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
– Deep inspection of hundreds of protocols, with more being added all the time
– Live capture and offline analysis
– Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
– Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
– Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
– Capture files compressed with gzip can be decompressed on the fly
– Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
– Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Wireshark is extremely useful when it comes to network troubleshooting as it capture the packets and you can have a detail look into them checking if everything is OK in parameters, message, format and so on. The problem is that if you capture the packets traveling through a backbone router you will end having huge file ( yes, even up to 1G if you capture long enough) and a lot packets details in it. From this tons of information maybe you are interested in only a minor part like BGP traffic or a certain IP source and destination. Here is the part where Wireshark filters come into play.
There are 2 type of Wireshark filters:
– DISPLAY FILTERS – after you capture a lot of information, they help you to visualize only the packets that you are interested in
– CAPTURE FILTERS – from the beginning you know what is the interest for you and capture only those packets
I would recommed to use the Capture filters, when you know what are you looking for and you run the capture for more than couple of hours in a heavy traffic environment. This will help you stay in a reasonable amount on information being captured and file size.
If you run the packet capture for less time, like one or two hours, and you are not very sure what are you looking for, then I recommend to capture all the traffic and then use Display filters to visualize only the information that you are searching for.
For today I put together a list with the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends and colleagues advices. If you think that something is missing, or you are using a Display filter that might be useful for others please feel free to add it to a Comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of this filters.
DISPLAY FILTER | EXPLANATION | EXAMPLE |
eth.addr | source or destination mac-address | eth.addr == 00:1a:6b:ce:fc:bb |
eth.src | source mac-address | eth.src == 00:1a:6b:ce:fc:bb |
eth.dst | destination mac-address | eth.dst == 00:1a:6b:ce:fc:bb |
arp.dst.hw_mac | target mac-address | arp.dst.hw_mac == 00:1a:6b:ce:fc:bb |
arp.dst.proto_ipv4 | target IPv4 address | arp.dst.proto_ipv4 == 10.10.10.10 |
arp.src.hw_mac | sender mac-address | arp.src.hw_mac == 00:1a:6b:ce:fc:bb |
arp.src.proto_ipv4 | sender IPv4 address | arp.src.proto_ipv4 == 10.10.10.10 |
vlan.id | vlan ID | vlan.id == 16 |
ip.addr | source or destination IPv4 address | ip.addr == 10.10.10.10 |
ip.dst | destination IPv4 address | ip.addr == 10.10.10.10 |
ip.src | source IPv4 address | ip.src == 10.10.10.10 |
ip.proto | IP protocol (decimal) | ip.proto == 1 |
ipv6.addr | source or destination IPv6 address | ipv6.addr == 2001::5 |
ipv6.src | source IPv6 address | ipv6.addr == 2001::5 |
ipv6.dst | destination IPv6 address | ipv6.dst == 2001::5 |
tcp.port | source or destination TCP port | tcp.port == 20 |
tcp.dstport | destination TCP port | tcp.dstport == 80 |
tcp.srcport | source TCP port | tcp.srcport == 60234 |
udp.port | source or destination UDP port | udp.port == 513 |
udp.dstport | destination UDP port | udp.dstport == 513 |
udp.srcport | source UDP port | udp.srcport == 40000 |
fr.dlci | Frame-Relay DLCI number | fr.dlci == 112 |
icmp.type | ICMP type code (decimal) | icmp.type == 8 |
vtp.vlan_info.vlan_name | VLAN name | vtp.vlan_info.vlan_name == TEST |
bgp.originator_id | BGP id (IPv4 address) | bgp.originator_id == 192.168.10.15 |
bgp.next_hop | BGP Next Hop (IPv4 address) | bgp.next_hop == 192.168.10.15 |
rip.ip | RIP IPv4 address | rip.ip == 200.0.2.0 |
ospf.advrouter | OSPF advertising router ID | ospf.advrouter == 192.168.170.8 |
eigrp.as | EIGRP autonomous system number | eigrp.as == 100 |
hsrp.virt_ip | HSRP virtual IP address | hsrp.virt_ip == 192.168.23.250 |
vrrp.ip_addr | VRRP virtual IP address | vrrp.ip_addr == 192.168.23.250 |
zebra.dest4 | ZEBRA destination IPv4 address | zebra.dest4 == 10.10.10.10 |
wlan.addr | source or destination MAC address | wlan.addr == 00:1a:6b:ce:fc:bb |
wlan.sa | source MAC address | wlan.sa == 00:1a:6b:ce:fc:bb |
wlan.da | destination MAC address | wlan.da == 00:1a:6b:ce:fc:bb |
Materials that helped me for this post:
http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks developers of Wireshark
Do you have an example of a filter that shows only DNS server addresses being used by clients on the LAN?
Thank you!
If you type “dns” (without quotes) in the Filter field of Wireshark, do you obtain what you want? In this way you can see only the DNS traffic that it’s flowing from the LAN interface.
If this isn’t what you intended, please add some more details to your request.
Good luck!
Very useful, thanks!
I need to filter and analyze IP packets on port 110. I used the filter commend tcp.port == 110 but I got nothing.
Port 110 is used for POP3, but I don’t know how to get the “POP3 traffic” flowing.
Thank you!
for pop3 u can use outlook express but it's only for SMTP if I have right I don't know if I have help something but try
I need to filter and analyze IP packets on port 110. I used the filter commend tcp.port == 110 but I got nothing.
Port 110 is used for POP3, but I don’t know how to get the “POP3 traffic” flowing.
Thank you!
Hi Adrian
Just use capture filer -> port 110
That’s it
Hi I have a capture file and i would like to know the MAC address of 192.168.1.13 in that capture file. How do i find out
Hello Suresh,
You can find the MAC address associated with 192.168.1.13 only if you did capture the file on the host with that IP address or on the next L3 hop (the gateway of 192.168.1.13).
The IP communication taking place at Layer 3 and it is end-to-end, so you can see in a captured file the source and destination. The Layer 2 communication is hop-to-hop, so the MAC address which you can see (like DST MAC in Wireshark) is actually the next L2 hop where the information is send and not the real MAC address of the IP address which is source or destination (depending on the flow direction).
HTH,
Calin