Difference between revisions of "Wireshark: Filter TCP/IP Packet"
Onnowpurbo (talk | contribs) (New page: Filtering TCP/IP packets with Wireshark February 2, 2011 Leave a Comment Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit b...) |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
Filtering TCP/IP packets with Wireshark | Filtering TCP/IP packets with Wireshark | ||
| − | |||
| − | |||
Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit by large numbers of embedded devices. I created unit tests to test the server. But when the time came to integrate with the embedded device (which has been produced by a third party), of course there were still issues arising. You can try to log everything in your server, but using a packet sniffer like Wireshark is much more effective in finding the reasons why certain issues arise. | Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit by large numbers of embedded devices. I created unit tests to test the server. But when the time came to integrate with the embedded device (which has been produced by a third party), of course there were still issues arising. You can try to log everything in your server, but using a packet sniffer like Wireshark is much more effective in finding the reasons why certain issues arise. | ||
| Line 11: | Line 9: | ||
Suppose your server is running on port 8080. Displaying only the traffic that is going back and forth on that port is as simple as setting a filter: | Suppose your server is running on port 8080. Displaying only the traffic that is going back and forth on that port is as simple as setting a filter: | ||
| − | tcp.port == 8080 | + | tcp.port == 8080 |
Now suppose you only want to see the data that is being sent from the embedded devices to your server. | Now suppose you only want to see the data that is being sent from the embedded devices to your server. | ||
| − | tcp.destport = 8080 | + | tcp.destport = 8080 |
Should you want to see the data that is being sent from the server to the embedded device: | Should you want to see the data that is being sent from the server to the embedded device: | ||
| − | tcp.srcport = 8080 | + | tcp.srcport = 8080 |
So tcp.port == 8080 equals to tcp.srcport == 8080 || tcp.dstport == 8080 | So tcp.port == 8080 equals to tcp.srcport == 8080 || tcp.dstport == 8080 | ||
| Line 25: | Line 23: | ||
Now what if we wanted to know only about data coming from the ip adress of one embedded device (assuming a static ip address over time): | Now what if we wanted to know only about data coming from the ip adress of one embedded device (assuming a static ip address over time): | ||
| − | ip.src == 80.80.80.80 | + | ip.src == 80.80.80.80 |
Just as with the port you can filter only packets coming from any embedded device to the server: | Just as with the port you can filter only packets coming from any embedded device to the server: | ||
| − | ip.dst == 80.80.80.80 | + | ip.dst == 80.80.80.80 |
and if you’re indifferent about the direction: | and if you’re indifferent about the direction: | ||
| − | ip.addr == 80.80.80.80 | + | ip.addr == 80.80.80.80 |
There will be a lot of ceremony packets going back and forth (opening/closing connections, etc…). Usually you’re especially interested in the packets containing data. How to display only the packets containing data: | There will be a lot of ceremony packets going back and forth (opening/closing connections, etc…). Usually you’re especially interested in the packets containing data. How to display only the packets containing data: | ||
| − | tcp.len > 0 | + | tcp.len > 0 |
How do I display only packets containing a certain byte in the payload: | How do I display only packets containing a certain byte in the payload: | ||
| − | data[0] == A0 | + | data[0] == A0 |
It is common to log certain events in a server using for example log4net. These events will have a timestamp based on the datetime of the server. As Wireshark by default shows relative times this doesn’t match very well. See View->Time Display Format. There you will find Date and Time of Day. After selecting this, the date and time will be shown in the Frame part of the packet. Now suppose you would want to filter on a certain timestamp you could use, which would show all packets sent and received in a specific timespan (allowing you to match this with the events logged in the server): | It is common to log certain events in a server using for example log4net. These events will have a timestamp based on the datetime of the server. As Wireshark by default shows relative times this doesn’t match very well. See View->Time Display Format. There you will find Date and Time of Day. After selecting this, the date and time will be shown in the Frame part of the packet. Now suppose you would want to filter on a certain timestamp you could use, which would show all packets sent and received in a specific timespan (allowing you to match this with the events logged in the server): | ||
| − | frame.time >= 'Feb 1, 2011 11:00:00' && frame.time < 'Feb 1, 2011 11:05:00' | + | frame.time >= 'Feb 1, 2011 11:00:00' && frame.time < 'Feb 1, 2011 11:05:00' |
Combining this delivers a powerful way to find information. | Combining this delivers a powerful way to find information. | ||
| Line 51: | Line 49: | ||
For example, show all packets coming from the embedded device connecting on port 8080, between 11:00 and 11:05 February 1st 2011, coming from ip adress 80.80.80.80, containing data, where the data is only of a certain type: | For example, show all packets coming from the embedded device connecting on port 8080, between 11:00 and 11:05 February 1st 2011, coming from ip adress 80.80.80.80, containing data, where the data is only of a certain type: | ||
| − | tcp.destport == 8080 && | + | tcp.destport == 8080 && |
| − | frame.time >= 'Feb 1, 2011 11:00:00' && | + | frame.time >= 'Feb 1, 2011 11:00:00' && |
| − | frame.time < 'Feb 1, 2011 11:05:00' && | + | frame.time < 'Feb 1, 2011 11:05:00' && |
| − | ip.src == 80.80.80.80 && | + | ip.src == 80.80.80.80 && |
| − | tcp.len > 0 && | + | tcp.len > 0 && |
| − | data[0] == A0 | + | data[0] == A0 |
Finally, you can export the data of the displayed packets and analyse them further with the parser belonging to your server. | Finally, you can export the data of the displayed packets and analyse them further with the parser belonging to your server. | ||
frame.time >= ‘Feb 1, 2011 11:00:00′ && frame.time < 'Feb 1, 2011 11:05:00' | frame.time >= ‘Feb 1, 2011 11:00:00′ && frame.time < 'Feb 1, 2011 11:05:00' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
==Referensi== | ==Referensi== | ||
* http://www.weseman.net/blog/tools/wireshark-2/filtering-tcpip-packets-with-wireshark/ | * http://www.weseman.net/blog/tools/wireshark-2/filtering-tcpip-packets-with-wireshark/ | ||
Revision as of 09:57, 18 April 2017
Filtering TCP/IP packets with Wireshark
Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit by large numbers of embedded devices. I created unit tests to test the server. But when the time came to integrate with the embedded device (which has been produced by a third party), of course there were still issues arising. You can try to log everything in your server, but using a packet sniffer like Wireshark is much more effective in finding the reasons why certain issues arise.
Although Wireshark is pretty easy to use, at first glance the interface looks daunting. Here are a few tricks that got me up and running with Wireshark.
First: how to start capturing? Capture->Interfaces. In this dialog click ‘Start’ on the interface that displays the external ip address your server is running on. You will see packets pouring in after this. Now you can set up a filter to display only the packets you’re interested in.
Suppose your server is running on port 8080. Displaying only the traffic that is going back and forth on that port is as simple as setting a filter:
tcp.port == 8080
Now suppose you only want to see the data that is being sent from the embedded devices to your server.
tcp.destport = 8080
Should you want to see the data that is being sent from the server to the embedded device:
tcp.srcport = 8080
So tcp.port == 8080 equals to tcp.srcport == 8080 || tcp.dstport == 8080
Now what if we wanted to know only about data coming from the ip adress of one embedded device (assuming a static ip address over time):
ip.src == 80.80.80.80
Just as with the port you can filter only packets coming from any embedded device to the server:
ip.dst == 80.80.80.80
and if you’re indifferent about the direction:
ip.addr == 80.80.80.80
There will be a lot of ceremony packets going back and forth (opening/closing connections, etc…). Usually you’re especially interested in the packets containing data. How to display only the packets containing data:
tcp.len > 0
How do I display only packets containing a certain byte in the payload:
data[0] == A0
It is common to log certain events in a server using for example log4net. These events will have a timestamp based on the datetime of the server. As Wireshark by default shows relative times this doesn’t match very well. See View->Time Display Format. There you will find Date and Time of Day. After selecting this, the date and time will be shown in the Frame part of the packet. Now suppose you would want to filter on a certain timestamp you could use, which would show all packets sent and received in a specific timespan (allowing you to match this with the events logged in the server):
frame.time >= 'Feb 1, 2011 11:00:00' && frame.time < 'Feb 1, 2011 11:05:00'
Combining this delivers a powerful way to find information.
For example, show all packets coming from the embedded device connecting on port 8080, between 11:00 and 11:05 February 1st 2011, coming from ip adress 80.80.80.80, containing data, where the data is only of a certain type:
tcp.destport == 8080 && frame.time >= 'Feb 1, 2011 11:00:00' && frame.time < 'Feb 1, 2011 11:05:00' && ip.src == 80.80.80.80 && tcp.len > 0 && data[0] == A0
Finally, you can export the data of the displayed packets and analyse them further with the parser belonging to your server. frame.time >= ‘Feb 1, 2011 11:00:00′ && frame.time < 'Feb 1, 2011 11:05:00'