Wireshark is a powerful network analysis tool for network professionals. Its display filters let you zoom in on the part of the traffic where you think the problem lies. The primary benefit of a filter is to remove the noise (the traffic you are not interested in) and narrow the capture down to the type of data you are looking for, which is why being able to use filters properly is so important.
1. IP Header Format
To write effective filters, you need a solid understanding of the IP header, which is defined in RFC 791. The following figure shows the IPv4 header format. The Wireshark field name that filters on each header field is given in parentheses.
- Version: The protocol version. For IPv4 this is always 4 (ip.version).
- Internet Header Length (IHL): The size of the IPv4 header in 32-bit words. It is 5 (20 bytes) when no options are present and can grow to 15 (60 bytes) because of the "Options" field (ip.hdr_len, shown in bytes).
- Type of Service (ToS): The original name of this byte. It was redefined by RFC 2474 as a 6-bit Differentiated Services Code Point (DSCP), used for Quality of Service (QoS), plus a 2-bit Explicit Congestion Notification (ECN) field (ip.dsfield, ip.dsfield.dscp, ip.dsfield.ecn).
- Total Length: The size of the whole datagram in bytes, header and data included, with a maximum of 65535 (ip.len).
- Identification: A value shared by all fragments of one IP datagram so that the receiver can tell which fragments belong together (ip.id).
- Flags: Three bits that control fragmentation: a reserved bit, Don't Fragment (DF) and More Fragments (MF) (ip.flags.df, ip.flags.mf).
- Fragment Offset: The position of this fragment's data in the original datagram, measured in units of 8 bytes (ip.frag_offset).
- Time to Live: Intended as the maximum time the datagram may remain in the internet system, but every router decrements it by one and discards the datagram when it reaches zero, so in practice it is a hop limit (ip.ttl).
- Protocol: The upper-layer protocol carried in the payload, for example 1 for ICMP, 6 for TCP and 17 for UDP (ip.proto).
- Header Checksum: Error detection for the header only; the payload is not covered and is protected by the transport protocol's own checksum (ip.checksum).
- Source Address: The source address of the packet (ip.src).
- Destination Address: The destination address of the packet (ip.dst).
- Options: Rarely used, but it can carry things like timestamps, source routing and route recording. When options are present, IHL is larger than 5.
- Padding: Zero bytes that ensure the header ends on a 32-bit boundary.
The following screenshot shows a typical IP header as Wireshark dissects it.
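To make the field layout concrete, here is an added example that is not part of the original article: a decoder for the IPv4 header written with Python's standard library only. The bit positions follow RFC 791; the helper names, the 20-byte sample header (192.168.1.4 to 23.217.250.58, TCP, DF set) and the second sample carrying options (IHL 6) are constructed for this example and are not taken from a real capture. It also decodes the DF and MF flags and the fragment offset that the fragmentation filters later in the article rely on.

```python
import struct
from dataclasses import dataclass

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (5 = 20 bytes, no options)
    dscp: int             # upper 6 bits of the old ToS byte (RFC 2474)
    ecn: int              # lower 2 bits of the old ToS byte (RFC 3168)
    total_length: int     # header + payload in bytes (Wireshark: ip.len)
    identification: int
    df: bool              # Don't Fragment (ip.flags.df)
    mf: bool              # More Fragments (ip.flags.mf)
    fragment_offset: int  # in bytes; the wire value is in 8-byte units
    ttl: int
    protocol: int
    checksum: int         # stored value only; verification is a separate step
    src: str
    dst: str
    options: bytes        # raw option bytes, empty when ihl == 5

    @property
    def header_length(self) -> int:
        return self.ihl * 4

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header plus any options.
    Raises ValueError on what a dissector would flag as malformed."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum) = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the 20-byte minimum")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError(f"truncated: IHL promises {hlen} bytes, got {len(packet)}")
    if total_length < hlen:
        raise ValueError(f"Total Length {total_length} is smaller than the header")
    return IPv4Header(
        version=version, ihl=ihl,
        dscp=tos >> 2, ecn=tos & 0x03,
        total_length=total_length, identification=ident,
        df=bool(flags_frag & 0x4000),            # bit 14 of the 16-bit flags/offset word
        mf=bool(flags_frag & 0x2000),            # bit 13
        fragment_offset=(flags_frag & 0x1FFF) * 8,
        ttl=ttl, protocol=proto, checksum=csum,
        src=".".join(map(str, packet[12:16])),
        dst=".".join(map(str, packet[16:20])),
        options=bytes(packet[20:hlen]),
    )


def is_fragment(h: IPv4Header) -> bool:
    """A datagram is (part of) a fragmented one if MF is set or it does not start at offset 0."""
    return h.mf or h.fragment_offset != 0


def would_be_dropped(h: IPv4Header, mtu: int = 1500) -> bool:
    """A router facing a link with this MTU drops the datagram (and sends ICMP
    type 3 code 4 back) when it is too big and DF forbids fragmenting it."""
    return h.df and h.total_length > mtu


# Constructed samples (not from a real capture).
# 20-byte header: 192.168.1.4 -> 23.217.250.58, TCP, TTL 64, DF set, total length 60.
SAMPLE = bytes.fromhex("4500003c1c46400040064ab6c0a8010417d9fa3a")
# Same packet with IHL 6: three NOP options and an End-of-Options byte, length 64.
SAMPLE_WITH_OPTIONS = bytes.fromhex("460000401c464000400647b1c0a8010417d9fa3a01010100")

if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_WITH_OPTIONS):
        h = parse_ipv4(raw)
        print(f"{h.src} -> {h.dst} {h.protocol_name} ttl={h.ttl} len={h.total_length} "
              f"hdr={h.header_length} DF={h.df} MF={h.mf} off={h.fragment_offset} "
              f"options={h.options.hex() or '-'} fragment={is_fragment(h)} "
              f"dropped@1500={would_be_dropped(h)}")
```

Running the block prints one line per sample; the DF, MF and offset values are exactly what Wireshark shows under "Flags" in the IPv4 tree, and the 24-byte header length of the second sample is what ip.hdr_len reports when options are present.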
2. Filtering a Host by Source IP Address
To find all packets sent by a particular host, use the filter below.
ip.src == 23.217.250.58
Whenever you type an expression into the display filter box, it turns green if the expression is valid and red if it is not. A yellow background means the expression is valid but Wireshark warns that it may not do what you expect, for example because it uses a deprecated form.
3. Filtering a Host by Its Destination IP Address
A similar filter can be used for finding the destination host (the receiver).
ip.dst == 192.168.1.4
4. Filtering Packets Destined or Sourced to/from a Specific IP
To find all packets coming from or going to a host, use ip.addr, which matches the address in either the source or the destination field.
ip.addr == 192.168.1.4
5. Filtering Conversations Between 2 Hosts
Sometimes we need to focus only on the conversation between two hosts. Both addresses must appear in the packet, so the two conditions are combined with and (eq and == are interchangeable, as are and and &&).
ip.addr eq 192.168.1.4 and ip.addr eq 23.217.250.58
6. Filtering a Subnet
Wireshark lets you specify a network in CIDR notation (network address plus prefix length). Use this filter when you want to see the packets coming from or going to a whole network.
ip.addr == 192.168.1.0/24
7. Filtering a Range of IP Addresses
When we need only the packets belonging to a handful of consecutive hosts, we can compare the address numerically, because Wireshark orders IPv4 addresses like unsigned integers:
ip.addr > 192.168.1.0 and ip.addr < 192.168.1.10
Be aware of how this is evaluated. ip.addr occurs twice in every packet (once for the source and once for the destination) and each comparison is true if any occurrence satisfies it. A packet from 10.0.0.1 to 192.168.1.50 therefore matches the filter above, because the destination passes the first test and the source passes the second. The membership operator checks both bounds against the same occurrence and gives the result you actually want:
ip.addr in {192.168.1.1 .. 192.168.1.9}
8. Filtering Out a Host or Subnet
Some hosts produce a lot of packets that distract us during troubleshooting. The following display filter shows all packets that do not contain a specific IP in either the source or the destination field.
For filtering out the host: !(ip.addr == 192.168.1.4)
The same logic can be used for filtering out a subnet: !(ip.addr == 192.168.1.0/24)
Keep the negation around the whole comparison, as above. Before Wireshark 3.6, ip.addr != 192.168.1.4 meant "some occurrence of ip.addr is not 192.168.1.4", which is true for almost every packet because the other address is never 192.168.1.4, so it filtered out nothing; that is why older versions show the != form with a yellow warning. Wireshark 3.6 changed != to mean the same as !(... == ...), but the explicit negation works the same way in every version.
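The two pitfalls above (the range written as two comparisons, and the old meaning of !=) share one cause: ip.addr is a multi-occurrence field and every comparison on it is true as soon as any occurrence matches. The following added example, which is not part of the original article and not Wireshark code, emulates that evaluation rule in Python over a handful of constructed packets so you can see which packets each form of the filter selects. The Packet class, the function names and the sample traffic are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

    def addrs(self):
        # ip.addr is a multi-occurrence field: it yields ip.src and ip.dst.
        return [ipaddress.IPv4Address(self.src), ipaddress.IPv4Address(self.dst)]


def any_occurrence(pkt, pred):
    """Wireshark's rule for one comparison on a multi-occurrence field:
    the comparison is true if ANY occurrence satisfies it."""
    return any(pred(a) for a in pkt.addrs())


def range_filter_with_and(pkts, low, high):
    """ip.addr > low and ip.addr < high: each side is evaluated independently,
    so the two bounds may be satisfied by two different addresses."""
    low, high = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    return [p for p in pkts
            if any_occurrence(p, lambda a: a > low)
            and any_occurrence(p, lambda a: a < high)]


def range_filter_with_in(pkts, low, high):
    """ip.addr in {low .. high}: both bounds are tested against the same occurrence."""
    low, high = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    return [p for p in pkts if any_occurrence(p, lambda a: low <= a <= high)]


def exclude_host_with_ne(pkts, host):
    """ip.addr != host under the pre-3.6 'any occurrence' rule: almost everything
    matches, because the other address in the packet is not the host."""
    host = ipaddress.IPv4Address(host)
    return [p for p in pkts if any_occurrence(p, lambda a: a != host)]


def exclude_host_with_not(pkts, host):
    """!(ip.addr == host): negate the whole match, which is what people mean."""
    host = ipaddress.IPv4Address(host)
    return [p for p in pkts if not any_occurrence(p, lambda a: a == host)]


# Constructed sample traffic (not from a real capture).
SAMPLE = [
    Packet("192.168.1.4", "23.217.250.58"),  # LAN host to the Internet
    Packet("192.168.1.7", "192.168.1.1"),    # LAN host to its gateway
    Packet("10.0.0.1", "192.168.1.50"),      # neither address is in .1 .. .9
    Packet("172.16.0.9", "8.8.8.8"),         # unrelated traffic
]

if __name__ == "__main__":
    print("ip.addr > .0 and ip.addr < .10 :", range_filter_with_and(SAMPLE, "192.168.1.0", "192.168.1.10"))
    print("ip.addr in {.1 .. .9}          :", range_filter_with_in(SAMPLE, "192.168.1.1", "192.168.1.9"))
    print("ip.addr != .4 (pre-3.6)        :", exclude_host_with_ne(SAMPLE, "192.168.1.4"))
    print("!(ip.addr == .4)               :", exclude_host_with_not(SAMPLE, "192.168.1.4"))
```

The third packet (10.0.0.1 to 192.168.1.50) is the one to watch: the and form keeps it although neither address is in the range, and the old != form keeps the very packet you were trying to remove.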
9. Filtering the Packets Larger Than 1500 Bytes (Default MTU Size)
The network MTU is often a source of problems. The default Ethernet MTU is 1500 bytes, so an IP datagram whose total length exceeds 1500 bytes cannot cross a standard Ethernet link without being fragmented. The filter below finds such datagrams (ip.len is the IP Total Length; frame.len also counts the Ethernet header, so a 1514-byte frame still fits a 1500-byte MTU).
ip.len > 1500
If these show up in a capture taken on an end host, check the capturing host before blaming the network: with TCP segmentation offload (TSO/LRO) enabled, the NIC splits outgoing segments and merges incoming ones after the point where Wireshark captures, so you see "packets" of many kilobytes that never existed in that form on the wire.
10. Filtering the Packets That Should Not Be Fragmented
Some applications do not want their packets to be fragmented in the network and set the Don't Fragment (DF) bit. When a device on the path (router, firewall, etc.) has to forward such a packet onto a link whose MTU is smaller than the packet, it drops the packet and sends an ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4) back to the sender; Path MTU Discovery depends on that message. If a firewall filters the ICMP, the sender never learns the smaller MTU and large packets silently disappear (a PMTUD black hole). The following filter shows the packets that carry the DF bit.
ip.flags.df == 1
To narrow it to the packets that would actually be dropped at a given MTU, combine it with a length test, for example ip.flags.df == 1 and ip.len > 1400; to see the router's side of the story, use icmp.type == 3 and icmp.code == 4.
11. Filtering Corrupted Packets
The 16-bit Header Checksum field provides error detection for the IPv4 header. If the header is corrupted in transit, the checksum no longer matches and the receiving host or router drops the packet. The filter below finds packets whose header checksum Wireshark has verified and found wrong.
ip.checksum_bad.expert
The same packets can be selected with ip.checksum.status == 0 (0 is "Bad", 1 "Good", 2 "Unverified").
NOTE: Wireshark does not verify IPv4 checksums by default, so both filters match nothing until you enable "Validate the IPv4 checksum if possible" under Preferences > Protocols > IPv4. Also, when capturing on the sending host with checksum offload enabled, the NIC fills in the checksum after the packet has been handed to the capture driver, so outgoing packets show a bad (often zero) checksum that is not real corruption; packets captured elsewhere on the path, for example with a SPAN port or a TAP, do not have this problem.
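To show what the checksum actually is and how a verifier tells corruption from offload, here is an added example that is not part of the original article: the RFC 791 header checksum in Python's standard library, applied to a constructed 20-byte header (192.168.1.4 to 23.217.250.58, TCP, DF set, stored checksum 0x4ab6). The sample bytes and the function names are constructed for this example; the "zero checksum means offload" label is a heuristic, not a Wireshark rule.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: the 16-bit one's complement of the one's complement sum of all
    16-bit words in the header. A sender computes it with the checksum field
    set to zero; the result is what goes into the field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_checksum_ok(header: bytes) -> bool:
    """A receiver does not zero the field: summing the header including the stored
    checksum must yield all ones, so its complement is zero."""
    return ipv4_checksum(header) == 0


def classify_checksum(header: bytes) -> str:
    """Mimic the triage a person does when the 'bad checksum' filter lights up."""
    stored = struct.unpack("!H", header[10:12])[0]
    if header_checksum_ok(header):
        return "good"
    if stored == 0:
        # Heuristic (this example's assumption): a zero field on a packet captured
        # on the sending host usually means checksum offload, not corruption.
        return "zero (likely checksum offload on the capturing host, not corruption)"
    return "bad"


# Constructed 20-byte header (not from a real capture), checksum field 0x4ab6.
SAMPLE = bytes.fromhex("4500003c1c46400040064ab6c0a8010417d9fa3a")
ZEROED = SAMPLE[:10] + b"\x00\x00" + SAMPLE[12:]      # as seen with offload
CORRUPT = SAMPLE[:8] + b"\x3f" + SAMPLE[9:]           # TTL byte flipped 64 -> 63

if __name__ == "__main__":
    print("computed checksum :", hex(ipv4_checksum(ZEROED)))
    for name, hdr in (("intact", SAMPLE), ("offload", ZEROED), ("corrupt", CORRUPT)):
        print(f"{name:8s}:", classify_checksum(hdr))
```

The computed value matches the 0x4ab6 stored in the sample, the intact header verifies, and the single flipped TTL byte is caught. Note what the algorithm cannot do: one's complement addition is order-independent, so two words swapped inside the header produce the same checksum, and a corrupted payload is never noticed at this layer at all.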
12. Filtering an IP By a City, Country etc
There are times when we need to trace an IP address back to its origin (country, city, AS number, etc.). With IP geolocation we can find the geographic location of an IP address, which is especially useful in network forensic analysis that aims to detect attack patterns and identify attackers. I explain that in this article (https://www.golinuxcloud.com/trace-ip-addresses-wireshark/). The ip.geoip fields only exist once Wireshark has been pointed at MaxMind GeoIP2 databases (Preferences > Name Resolution > MaxMind database directories); without them the filters below are accepted but match nothing.
The display filter below selects packets whose source address is located in the city of Lübeck.
ip.geoip.src_city == "Lübeck"
The same logic can be used for a country as well.
ip.geoip.src_country == "United States"
13. Filtering Broadcast and Multicast Packets
A broadcast or multicast storm is an abnormally high number of broadcast or multicast frames within a short period of time, which can bring a network down. Checking the ratio of these frames to all traffic gives an idea about storms and switching loops. The destination MAC address tells them apart from unicast: the least-significant bit of the first octet is the I/G (individual/group) bit, which is set on every multicast address, and the broadcast address ff:ff:ff:ff:ff:ff is simply the all-ones case of a multicast address. Wireshark exposes that bit as eth.dst.ig, so the following filter finds both multicast and broadcast frames.
eth.dst.ig == 1
If you prefer to spell the broadcast case out: (eth.dst.ig == 1) or (eth.dst == ff:ff:ff:ff:ff:ff). Do not use eth.dst.lg for this purpose: that is the U/L (universally/locally administered) bit, which only says who assigned the address and is set on many ordinary unicast addresses, such as those of virtual machines and containers. At the IP layer, ip.dst == 224.0.0.0/4 selects IPv4 multicast and ip.dst == 255.255.255.255 the limited broadcast.
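The following added example, which is not part of the original article, shows the bit test behind eth.dst.ig and eth.dst.lg and computes the broadcast/multicast ratio the paragraph above talks about over a constructed list of destination MACs. The function names and the sample addresses are constructed for this example; the bit positions are those of IEEE 802 MAC addresses.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def is_multicast_mac(mac: str) -> bool:
    """I/G bit: least-significant bit of the first octet, 1 = group address.
    This is the bit Wireshark tests with eth.dst.ig; broadcast has it set too."""
    return bool(mac_bytes(mac)[0] & 0x01)


def is_locally_administered_mac(mac: str) -> bool:
    """U/L bit: second-least-significant bit of the first octet (eth.dst.lg).
    It records who assigned the address and says nothing about multicast."""
    return bool(mac_bytes(mac)[0] & 0x02)


def is_broadcast_mac(mac: str) -> bool:
    return mac_bytes(mac) == b"\xff" * 6


def classify_frame(dst_mac: str) -> str:
    if is_broadcast_mac(dst_mac):
        return "broadcast"
    if is_multicast_mac(dst_mac):
        return "multicast"
    return "unicast"


def broadcast_multicast_ratio(dst_macs) -> float:
    """Fraction of frames that (eth.dst.ig == 1) would select; 0.0 for an empty capture."""
    if not dst_macs:
        return 0.0
    return sum(is_multicast_mac(m) for m in dst_macs) / len(dst_macs)


# Constructed destination MACs (not from a real capture).
SAMPLE_DST = [
    "ff:ff:ff:ff:ff:ff",   # broadcast, e.g. an ARP request
    "01:00:5e:00:00:fb",   # IPv4 multicast (224.0.0.251, mDNS)
    "33:33:00:00:00:01",   # IPv6 multicast (ff02::1)
    "02:42:ac:11:00:02",   # locally administered UNICAST: I/G=0, U/L=1
    "00:1a:2b:3c:4d:5e",   # ordinary globally administered unicast
    "01:80:c2:00:00:00",   # STP BPDU multicast
]

if __name__ == "__main__":
    for mac in SAMPLE_DST:
        print(f"{mac}  ig={int(is_multicast_mac(mac))} lg={int(is_locally_administered_mac(mac))}  {classify_frame(mac)}")
    print(f"broadcast+multicast share: {broadcast_multicast_ratio(SAMPLE_DST):.0%}")
```

The fourth address is the instructive one: eth.dst.lg == 1 would count this plain unicast frame as part of a "storm", while eth.dst.ig == 1 correctly ignores it.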
14. Filtering Only IPv4 Packets
Sometimes we need to remove ARP, IPv6, spanning tree and other non-IP frames from view so that we can focus on the relevant packets. The filter below shows only IPv4 packets, i.e. every packet in which the IPv4 protocol is present (IPv4 broadcasts and multicasts are still IPv4 and remain visible).
ip
15. Filtering Only IPv6 Packets
IPv6 is short for "Internet Protocol version 6", the "next generation" protocol designed by the IETF to replace the current version of the Internet Protocol, IP version 4 or IPv4. On a high-traffic link we may need to see only IPv6 traffic. The following filter, the IPv6 counterpart of the ip filter above, can be used for this purpose (the Wireshark wiki page on IPv6 linked at the end lists the ipv6 fields available for finer filtering).
ipv6
Final Thoughts
Wireshark has a powerful filter engine that removes the noise from a packet trace and lets you see only the packets that interest you. Using these filters properly, and knowing how multi-occurrence fields such as ip.addr are evaluated, makes troubleshooting take much less time.
https://www.rfc-editor.org/rfc/rfc791
https://wiki.wireshark.org/IPv6.md