PACKET FILTERING

Wireshark • Go Deep | Display Filter Reference: IndexWireshark

wireshark's filtering engine helps analysts narrow down the traffic & focus on the event of interest. the two types of filtering approaches used by wireshark are: capture filters and display filters. capture filters are used when capturing specific packets of interest (think BPF). display filtering on the other hand is used when viewing packets valid for the used filter.

METHOD 1: DISPLAY FILTERING - BASIC

#method 1: 
WireShark > File > Open > {packetCapture.pcapng}
WireShark > Packet List > {select pertinent packet}
WireShark > Packet Details > right-click data type > Apply as Filter > Selected

 * once the filter is applied, wireshark will generate the required filter query
    - this method doesn't require the analyst to memorize filtering queries, but it
      only filters on one value and doesn't apply to linked packets

METHOD 2: DISPLAY FILTERING - LINKED PACKETS

#method 2: 
WireShark > File > Open > {packetCapture.pcapng}
WireShark > Packet List > {select pertinent packet} > right-click data type > Conversation Filter > {TCP...}

 * wireshark will generate all the required filter query including linked packets

METHOD 3: DISPLAY FILTERING - FOLLOWING STREAMS

this method will reconstruct streams IOT view the raw traffic as it is presented at the application level. this helps analysts recreate the application-level data to understand the event of interest. viewing the unencrypted protocol data such as usernames, passwords, etc is possible with this method

#method 3: 
WireShark > File > Open > {packetCapture.pcapng}
WireShark > Packet List > right-click pertinent packet > Follow > {streamType}

 * packets originating from the server are highlighted in BLUE
 * packets originating from the client are highlighted in RED

PreviousBOOKMARKING FILTERS NextOPERATORS & FUNCTIONS

Last updated 5 months ago