Tuesday, May 3, 2011

Wireshark Filters

I was messing around with Wireshark today. There are two kinds of filters:
display filters and capture filters. Capture filters are especially important if you don't have a lot of disk space or post-processing power on your laptop/PC, because they drop unwanted traffic before it is ever written to disk, whereas display filters only hide packets that have already been captured.

Display filter samples:

Only display packets sent to or received from 10.10.10.10
Filter 1: ip.addr == 10.10.10.10
Filter 2: ip.src == 10.10.10.10 or ip.dst == 10.10.10.10

Only display packets sent to 10.10.10.10
Filter: ip.dst == 10.10.10.10

Only display packets sent from 10.10.10.10
Filter: ip.src == 10.10.10.10

Only display TCP port 53 packets
Filter: tcp.port eq 53

Only display TCP port 110 or UDP port 53 packets
Filter: tcp.port eq 110 or udp.port eq 53

Display packets from every IP apart from 10.10.10.10
Filter: !(ip.addr == 10.10.10.10)
(The obvious ip.addr != 10.10.10.10 does not do this in the Wireshark versions of this era, before 3.6: ip.addr stands for both the source and the destination field, and != was true as soon as either of them differed, so nearly every packet still matched. Negating the equality excludes the host in every version.)

Only display ARP or DNS traffic
Filter: arp or dns

To see POP passwords
Filter: pop.request.command == PASS

To display FTP commands, including USER and PASS (the password):
Filter: ftp.request.command

For displaying ALL frames with the word PASS in them (50:41:53:53 is "PASS" in hex):
Filter: frame contains 50:41:53:53

Capture filters follow the same idea but use the tcpdump/BPF syntax rather than the display filter fields (for example host 10.10.10.10 instead of ip.addr == 10.10.10.10). Please follow this link on how to go about some of them....a good third-world-networker needs to know his/her way around Wireshark or whatever you use for packet capture.
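To make the "any occurrence of a field" behaviour behind the ip.addr gotcha concrete, here is an added example (not code from the original post or from Wireshark) that builds two constructed frames with the standard library, flattens them into Wireshark-style multi-value fields, and evaluates ==, the pre-3.6 != and !(==) against them, plus the frame contains "PASS" byte search. The function and field names are the example's own choices; only the Wireshark field names mirror the filters above.

```python
import struct

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed test frame: Ethernet II + IPv4 + minimal TCP(6)/UDP(17) header, no checksums."""
    ip2b = lambda a: bytes(int(o) for o in a.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip2b(src), ip2b(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def parse_frame(frame):
    """Flatten a frame into {field: [occurrences]}; ip.addr and tcp.port occur twice per packet."""
    fields = {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        fields["arp"] = [True]          # the "arp" protocol filter just tests presence
    if ethertype != 0x0800:
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    fields.update({"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]})
    name = {6: "tcp", 17: "udp"}.get(ip[9])
    if name:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        fields.update({f"{name}.srcport": [sport], f"{name}.dstport": [dport], f"{name}.port": [sport, dport]})
    return fields

def any_eq(fields, name, value):
    """'field == value': true if ANY occurrence matches (ip.addr matches src or dst)."""
    return value in fields.get(name, [])

def legacy_any_ne(fields, name, value):
    """'field != value' in Wireshark before 3.6: true if ANY occurrence differs."""
    return any(v != value for v in fields.get(name, []))

def none_eq(fields, name, value):
    """'!(field == value)' (and '!=' since Wireshark 3.6): true only if NO occurrence matches."""
    return not any_eq(fields, name, value)

def frame_contains(frame, needle):
    """'frame contains 50:41:53:53', i.e. a byte-substring search over the raw frame."""
    return needle in frame

if __name__ == "__main__":
    pop = build_frame("10.10.10.10", "192.168.1.5", 6, 40000, 110, b"PASS s3cret\r\n")  # constructed
    dns = build_frame("192.168.1.7", "192.168.1.8", 17, 5353, 53)                        # constructed
    for label, fr in (("pop", pop), ("dns", dns)):
        f = parse_frame(fr)
        print(label, "ip.addr != :", legacy_any_ne(f, "ip.addr", "10.10.10.10"),
              "| !(ip.addr ==) :", none_eq(f, "ip.addr", "10.10.10.10"))
```

Running it shows the POP frame, which does involve 10.10.10.10, still passing the legacy != test because its destination differs, while !(ip.addr ==) correctly drops it.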
