Some Wireshark links
Posted by jpluimers on 2017/04/24
I don’t use Wireshark enough to be fluent, so here are some links and quotes that proved to be useful for me:
- How do I view a raw HTTP request/response? – Wireshark Q&A: Right click one of the frames and select ‘Follow’, then ‘TCP stream’.
- Hyper_Text_Transfer_Protocol – The Wireshark Wiki: You cannot directly filter HTTP protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.
- These two are totally different beasts: CaptureFilters – The Wireshark Wiki and DisplayFilters – The Wireshark Wiki
- I used this DisplayFilter a while ago:
(ip.dst == 192.168.99.61 && ip.src == 192.168.99.38) || (ip.dst == 192.168.99.38 && ip.src == 192.168.99.61) && http
which seems equivalent to
(ip.addr == 192.168.99.61 && ip.src == 192.168.99.38) && http
- For SOAPAction traffic (and the HTTP responses), I often start with:
http contains "SOAPAction:" || http contains "HTTP"
- I used these CaptureFilters a while ago as well:
src 213.146.155.196 and tcp port 8500
ether host 00:21:AC:01:08:B1
- Display filters can become very complex.
- One of the things I needed was to filter on hex content. The frame contains clause will match any binary content in the frame (you can be more specific with for instance tcp contains or data contains, which uses the data dissector). Example:
(frame contains 21:00 || frame contains 00:21) && tcp.len > 0
- Some examples: Top 10 Wireshark Filters (by Chris Greer)
- The matches operator works for RegEx matches on plain text:
data.data matches "\xa4.\xc3...\xb2"
- MAC addresses need to have the : as separator (a – does not work), like in
eth.src == 00:21:AC:01:08:B1
- WIRESHARK – The Easy Tutorial – Filters
- I find the Wireshark User’s Guide sections often a lot harder to read than the Wiki pages on the same topics, for instance the CaptureFilter Section and Build DisplayFilter Section.
- exporting payload data in binary file – Wireshark Q&A
- tcpdump: Re: tcpdump filter for HTTP GET, which uses hex offsets explained at Wireshark · Wireshark-users: Re: [Wireshark-users] Hex Offset Needed
- Wireshark · String-Matching Capture Filter Generator is really really cool. It gets you
GET as
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
POST as
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x20
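The generated expressions work because TCP byte 12 carries the header length (in 32-bit words) in its high nibble, so (tcp[12:1] & 0xf0) >> 2 is the payload offset in bytes even when options are present. This added example (mine, not code from the post or from the filter generator) evaluates the GET and POST expressions in plain Python over constructed TCP segments; the segments and port numbers are made up here and no capture file is read.

```python
import struct

GET_MAGIC = 0x47455420   # "GET " as a big-endian 32-bit integer
POST_MAGIC = 0x504F5354  # "POST"


def tcp_header_len(segment: bytes) -> int:
    """Bytes from segment start to payload: (tcp[12] & 0xf0) >> 2 == (data offset in words) * 4."""
    return (segment[12] & 0xF0) >> 2


def matches_get(segment: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"""
    off = tcp_header_len(segment)
    if len(segment) < off + 4:
        return False
    return struct.unpack("!I", segment[off:off + 4])[0] == GET_MAGIC


def matches_post(segment: bytes) -> bool:
    """... = 0x504f5354 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x20"""
    off = tcp_header_len(segment)
    if len(segment) < off + 5:
        return False
    word = struct.unpack("!I", segment[off:off + 4])[0]
    return word == POST_MAGIC and segment[off + 4] == 0x20


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment: 20-byte fixed header, options (multiple of 4 bytes), payload."""
    assert len(options) % 4 == 0
    data_offset_words = 5 + len(options) // 4
    byte12 = data_offset_words << 4  # high nibble = data offset, low nibble = reserved bits
    # src port, dst port, seq, ack, offset byte, flags (PSH|ACK), window, checksum, urgent ptr
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, byte12, 0x18, 65535, 0, 0)
    return header + options + payload


if __name__ == "__main__":
    plain = build_segment(b"GET / HTTP/1.1\r\n")
    # 12 bytes of options (NOP, NOP, timestamp) move the payload to offset 32; a fixed
    # tcp[20:4] check would miss it, the shifted form from the generator still matches.
    with_opts = build_segment(b"GET / HTTP/1.1\r\n", options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
    print(matches_get(plain), matches_get(with_opts), matches_post(plain))
```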
- Capture file saving:
- capture files do not store everything.
- From the UI, you cannot save captures while capturing.
- You can set up capture options to save captures periodically.
–jeroen