Display filters for network analyzers (Wireshark, Paketyzer)

1. Display filters

Traffic analyzers are a useful and effective tool in the life of a network administrator, they allow you to “see” what is actually transmitted on the network, which makes it easier to diagnose various problems or to study the principles of operation of various protocols and technologies.
However, quite a lot of various data blocks are often transmitted in the network, and if you force to display everything that passes through the network interface, it is difficult to select what is really needed.
To solve this problem, filters are implemented in traffic analyzers, which are divided into two types: capture filters and display filters. Last time we looked at capture filters. Today we will talk about the second type of filters - about display filters.
Display filters are a kind of filters that allow you to display only those frames that are currently needed (belong to a specific protocol and / or host), temporarily hiding all the others.
The rules for writing display filters are different from the rules for writing capture filters. Differing not so big, but usually sufficient to ensure that the capture filter rule without any changes would not work when applied as a display filter.

2. Syntax of display filters

A display filter expression consists of a set of special primitives, which are built from the so-called classifiers and object identifiers (addresses, names of network objects, port numbers).

Note : all classifiers are case-sensitive and must be written in small letters only.

The classifiers in the display filter are not divided into types, they use keywords that correspond to protocols at different levels of the OSI model. The simplest example of using a classifier is the name of the protocol (ip, dns, arp, etc.), by entering which as a display filter we will force the program to leave on screen only those frames that contain the specified protocol. It should be remembered that all captured frames get into RAM, and by canceling the display filter you will be able to see all the cards captured by the analyzer (all that have passed the capture filter).
One of the differences between the display filters is that you can access certain protocol parameters by specifying the name of this parameter through a period after the protocol name, for example:

• ip.dst
• frame.pkt_len
• tcp.port

And in fact, often, writing a display filter is reduced to finding the correct name of the protocol or parameter of this protocol.
Comparison operators are used to compare field values:

• eq, == - equivalent to (equal to)
• ne,! = - not equivalent (not equal)
• gt,> - more
• lt, < - less
• ge,> = - greater than or equal
• le, <= - less than or equal to

All protocol parameters (identifiers) are typed and depend on the specific parameter of a particular protocol.
The list of valid identifier types is as follows:

• Without a signed integer (Unsigned integer), 8, 16, 24, or 32-bit values ​​are valid.
• Signed integer (number), valid for 8, 16, 24 or 32 bit values
• Boolean
• Ethernet address (Ethernet address), 6 bytes
• Byte string, arbitrary byte count
• IPv4 address (IPv4 address), 4 bytes
• IPv6 address (IPv6 address), 16 bytes
• IPX network number (IPX network number), 4 bytes
• String, arbitrary number of characters
• Double precision precision floating point number, 8 bytes

Integers and addresses can be represented both in decimal and hexadecimal format:

• frame.pkt_len> 10 is equivalent to frame.pkt_len> 0xA
• ip.src == 192.168.1.1 is equivalent to ip.src == 0xC0. 0xA8.0x1.0x1

In the case of logical values, true is equivalent to 1 and false is equivalent to 0 .
In hardware addresses, numbers can be separated by a colon (:), a dot (.), A dash (-):

• eth.src == aa-aa-aa-aa-aa-aa
• eth.src == aa: aa: aa: aa: aa: aa

IP addresses, as well as numbers, can be compared with each other in the same way as numbers using the comparison operators eq , ne , gt , ge , lt , le .
Instead of numeric addresses, you can use symbolic addresses as node addresses, but you need an available name resolution service:

• ip.dst eq www.habrahabr.ru
• ip.src == 192.168.1.1

When describing networks, you can use a short mask option, you can also apply a mask to symbol addresses:

• ip.addr == 172.16.0.0/16
• ip.addr eq server / 24

The display filter can work with the proto [ offset : size ] primitive, as well as the capture filter, but there are some differences with its use:

• Like in capture filters, you can proto [ offset : size ] use negative values ​​of the offset field in the primitive, but in this case the specified byte number from the end of the frame is allocated, not the bytes of the previous headers. You can also list the byte numbers of interest, use the proto [ offset :] and proto [: size ] constructs.
• Bitwise, logical, or arithmetic operations cannot be applied to data obtained using the proto [ offset : size ] primitive.
• Data obtained using the proto [ offset : size ] primitive is represented in hexadecimal.

Examples of using the proto [ offset : size ] primitive in advanced display filters:

• eth.src [0: 3] == AA: BB: CC - check for matching the first three bytes of the header (the OUI field in the recipient's MAC address).
• frame [-4: 4] == AA.BB.CC.DD - check the last four bytes of the frame.
• proto [1,3-5,9:] == 01: 03: 04: 05: 09: 0a - check 1, 3-5, 9 bytes of the header of some protocol.
• eth.src [1-2] == AA: BB - check the second and third bytes of the header field for correspondence (equivalent to eth.src [1: 2] == AA: BB ).
• eth.src [: 4] == AA: BB: CC: DD — check the first four bytes of the header field for a match (equivalent to eth.src [0: 4] == AA: BB: CC: DD ).
• eth.src [4:] == 55:66 - check all bytes of the header field, starting with the fifth, for consistency.

All rules can be combined by logical connectives:

• and, && - logical "AND"
• or, || - logical "OR"
• xor, ^^ - logical “Exclusive OR”
• not! - inversion, logical "NOT"

For example:

• tcp.port == 110 and ip.src == 192.168.2.100 - the IP address of the sender is 192.168.2.100, the TCP protocol and port 110 are used (it does not matter the port of the sender or the receiver)
• not udp - all but UDP datagrams

The priority of these operations is as follows:

• inversion operation has the highest priority
• then the logical "and"
• operations OR and Exclusive OR have the lowest priority.

As in ordinary mathematical expressions, the priority can be changed using round brackets (), in which actions are performed first.

Attention :
You should be careful when formatting filters that describe the requirements for repeating fields, for example, IP addresses, because in the IP header, the IP address is met twice - the sender's address and the recipient's address. The following two filters, despite the apparent sameness, will work differently:
ip.addr ne 1.1.1.1
not ip.addr eq 1.1.1.1
The first filter means “show all frames in which there is an address different from 1.1.1.1 in the IP packet header” and, as a result, if the sender’s address or the recipient’s address is different, then the frame containing such a header will be displayed, although the second the address may be the same as 1.1.1.1.
The second option means “to show all frames in which there is no 1.1.1.1 address in the IP packet header”, so for the frame to be displayed it is required that the sender’s address or the recipient address in the IP header does not match 1.1.1.1.

Also be careful in the rules excluding certain packages. For example, we want to exclude from the display all frames for which the recipient's IP address is any address other than 1.1.1.1. If you apply the following filter:
ip.dst ne 1.1.1.1
then all the frames in which there is no this IP address of the recipient, as well as those frames in which it could not be (for example, ARP) will be removed from the capture. If we also need non-IP traffic, then we need to fix the filter for this:
not ip or ip.dst ne 1.1.1.1

')

3. List of protocols and their parameters

Having studied the basic rules of writing mapping filters, it remains to understand only where to find the list of supported protocols and from the parameters. The list of protocols and their parameters is quite extensive and there is no point in bringing it here, it can be found at the link on the wireshark.org website

Successful sniffing)