Wireshark’s packet filters make it easy to zero in on specific network traffic, whether you are looking at protocols, IP addresses, ports, or even packet contents. They are a must-have for blue teams keeping an eye on network security and digging into forensic data, as well as red teams scouting for weaknesses and testing defenses during pentests.
You Should Know:
Here are some useful Wireshark filter examples and commands to enhance your network analysis:
1. Filter by IP Address:
- To filter traffic from a specific IP address:
ip.src == 192.168.1.1
- To filter traffic to a specific IP address:
ip.dst == 192.168.1.1
2. Filter by Protocol:
- To filter HTTP traffic:
http
- To filter DNS traffic:
dns
3. Filter by Port:
- To filter traffic on a specific port (e.g., port 80):
tcp.port == 80
4. Filter by Packet Content:
- To filter packets containing a specific string (e.g., “password”):
frame contains "password"
5. Filter by TCP Flags:
- To filter TCP SYN packets:
tcp.flags.syn == 1
- To filter TCP ACK packets:
tcp.flags.ack == 1
6. Filter by MAC Address:
- To filter traffic from a specific MAC address:
eth.src == 00:0c:29:ab:cd:ef
7. Filter by HTTP Request Method:
- To filter HTTP GET requests:
http.request.method == "GET"
8. Filter by Packet Size:
- To filter packets larger than 500 bytes:
frame.len > 500
9. Filter by VLAN ID:
- To filter traffic on a specific VLAN (e.g., VLAN 10):
vlan.id == 10
10. Filter by ICMP Type:
- To filter ICMP echo requests (ping):
icmp.type == 8
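To make the filters above concrete, here is an added example (not from the original post and not Wireshark's own code). It builds a few constructed Ethernet/IPv4/TCP frames with valid checksums, writes them to a classic pcap file that Wireshark can open, and implements Python equivalents of the display filters listed above so you can see exactly which frames each one matches. The addresses 192.168.1.1 and 00:0c:29:ab:cd:ef come from the post; the server address 10.0.0.5, the second MAC, the ports and the HTTP payloads are constructed sample values.

```python
"""Constructed TCP frames, a minimal pcap writer, and Python equivalents of the
Wireshark display filters discussed above (added example, not Wireshark code)."""
import struct
import ipaddress
from dataclasses import dataclass

PCAP_LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(eth_src, eth_dst, ip_src, ip_dst, sport, dport, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame with correct IP and TCP checksums."""
    eth = _mac(eth_dst) + _mac(eth_src) + b"\x08\x00"          # EtherType IPv4
    src = ipaddress.IPv4Address(ip_src).packed
    dst = ipaddress.IPv4Address(ip_dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1 if flags & TCP_ACK else 0,
                      5 << 4, flags, 65535, 0, 0) + payload  # data offset 5 words
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


@dataclass
class Frame:
    raw: bytes
    eth_src: str
    ip_src: str
    ip_dst: str
    sport: int
    dport: int
    flags: int


def parse_frame(raw: bytes) -> Frame:
    """Decode only the fields the filters below need (Ethernet II + IPv4 + TCP)."""
    eth_src = ":".join(f"{b:02x}" for b in raw[6:12])
    ihl = (raw[14] & 0x0F) * 4                     # IPv4 header length in bytes
    ip_src = str(ipaddress.IPv4Address(raw[26:30]))
    ip_dst = str(ipaddress.IPv4Address(raw[30:34]))
    tcp = raw[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Frame(raw, eth_src, ip_src, ip_dst, sport, dport, tcp[13])


# Python equivalents of the display filters, keyed by the filter text itself.
FILTERS = {
    'ip.src == 192.168.1.1':        lambda f: f.ip_src == "192.168.1.1",
    'ip.dst == 192.168.1.1':        lambda f: f.ip_dst == "192.168.1.1",
    'tcp.port == 80':               lambda f: 80 in (f.sport, f.dport),  # either direction
    'tcp.flags.syn == 1':           lambda f: bool(f.flags & TCP_SYN),   # SYN/ACK matches too
    'tcp.flags.ack == 1':           lambda f: bool(f.flags & TCP_ACK),
    'frame contains "password"':    lambda f: b"password" in f.raw,     # case-sensitive bytes
    'frame.len > 500':              lambda f: len(f.raw) > 500,
    'eth.src == 00:0c:29:ab:cd:ef': lambda f: f.eth_src == "00:0c:29:ab:cd:ef",
}


def apply_filter(expr: str, frames) -> list:
    """Return the 0-based indices of the frames matching the named filter."""
    return [i for i, f in enumerate(frames) if FILTERS[expr](f)]


def pcap_bytes(raws) -> bytes:
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, raw in enumerate(raws):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(raw), len(raw)) + raw
    return out


# Constructed sample traffic: a TCP handshake and a cleartext HTTP login (values are made up).
CLIENT_MAC, SERVER_MAC = "00:0c:29:ab:cd:ef", "52:54:00:12:34:56"
CLIENT, SERVER = "192.168.1.1", "10.0.0.5"
LOGIN = (b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=alice&password=hunter2")
SAMPLE_FRAMES = [parse_frame(raw) for raw in (
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 51000, 80, TCP_SYN),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51000, TCP_SYN | TCP_ACK),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 51000, 80, TCP_PSH | TCP_ACK, LOGIN),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51000, TCP_PSH | TCP_ACK,
                b"HTTP/1.1 200 OK\r\n\r\n<html>" + b"A" * 600),
)]

if __name__ == "__main__":
    with open("constructed.pcap", "wb") as fh:      # open this file in Wireshark
        fh.write(pcap_bytes([f.raw for f in SAMPLE_FRAMES]))
    for expr in FILTERS:
        print(f"{expr:32} -> frames {apply_filter(expr, SAMPLE_FRAMES)}")
```

Running the script writes constructed.pcap and prints the matching frame numbers for each filter; typing the same expressions into Wireshark's filter bar against that file gives the same frames (Wireshark numbers them from 1). Two things worth noticing from the output: `tcp.port == 80` matches both directions of the connection because it tests source and destination port, and `tcp.flags.syn == 1` also returns the SYN/ACK, so isolating connection attempts takes `tcp.flags.syn == 1 && tcp.flags.ack == 0`. `frame contains` is a byte match, so `"Password"` would not be found by it; Wireshark's `matches` operator does a case-insensitive regular-expression search when that is what you need.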
What Undercode Say:
Wireshark is an indispensable tool for network analysis and security. By mastering its filtering capabilities, you can efficiently identify and troubleshoot network issues, detect malicious activity, and strengthen your network defenses. Here are some additional Linux and Windows commands to complement your Wireshark skills:
- Linux Commands:
- Capture network traffic with tcpdump:
tcpdump -i eth0 -w capture.pcap
- Analyze network interfaces:
ifconfig
- Check open ports:
netstat -tuln
- Windows Commands:
- Capture traffic with netsh:
netsh trace start capture=yes report=no tracefile=C:\capture.etl
- Analyze network connections:
netstat -an
- Check routing table:
route print
For more advanced Wireshark techniques and cybersecurity resources, visit Study Notes.
References:
Reported By: Xmodulo Wiresharks – Hackers Feeds