- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Filters and Colors
Wireshark uses display filters to concentrate on interesting packets while hiding the boring ones. You can select packets based on protocol, value, or comparison. To filter packets based on protocol, type in the protocol you want to narrow down to, as shown in Figure 7.7. Press Enter to accept the filter selection. When you're using a filter, it only changes the view, not the contents. The capture file remains intact. To remove a filter, click the clear button, which is the X to the right of the filter.
You can compare the values inside packets as well as combine expressions into far more specific expressions. Every field inside a packet can be used as a string, such as tcp. A tcp string will show all packets containing the TCP protocol. Once you have chosen the strings you want to knit together, you choose the appropriate operator. Table 7.2 lists commonly used filters.
Table 7.2: Filter operators

| ENGLISH | OPERATOR | DESCRIPTION | EXAMPLE |
|---|---|---|---|
| eq | == | Equal | ip.src==192.168.1.0 |
| ne | != | Not equal | ip.src!=192.168.1.0 |
| gt | > | Greater than | frame.len>16 |
| lt | < | Less than | frame.len<64 |
| match | ~ | Field match | http.host matches |
| contains | | Field contains | tcp contains traffic |
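To make the operator table concrete, here is an added example (not code from the book or from the Wireshark project) that implements a small evaluator for the subset of display-filter syntax described above: the comparison operators of Table 7.2 in both their symbolic and English spellings, `contains`, `matches`/`~`, bare protocol names such as `tcp`, and `and`/`or`/`not` with parentheses. The packet records and their field values are constructed for the illustration; the `FilterParser`, `evaluate`, and `apply_filter` names are this example's own, not Wireshark APIs.

```python
import re

# Constructed sample packets (not a real capture). Keys mimic Wireshark field
# names; a bare protocol key holds that layer's made-up bytes so that a filter
# such as `tcp contains "traffic"` can search them the way Wireshark does.
PACKETS = [
    {"frame.number": 1, "frame.len": 74, "ip.src": "192.168.1.10",
     "ip.dst": "93.184.216.34", "tcp": b"", "tcp.dstport": 80},
    {"frame.number": 2, "frame.len": 512, "ip.src": "192.168.1.10",
     "ip.dst": "93.184.216.34", "tcp.dstport": 80, "http.host": "example.com",
     "tcp": b"GET /traffic HTTP/1.1\r\nHost: example.com\r\n"},
    {"frame.number": 3, "frame.len": 60, "ip.src": "192.168.1.1",
     "ip.dst": "192.168.1.10", "udp": b"", "udp.srcport": 53,
     "dns": b"", "dns.qry.name": "example.com"},
    {"frame.number": 4, "frame.len": 1514, "ip.src": "93.184.216.34",
     "ip.dst": "192.168.1.10", "tcp": b"HTTP/1.1 200 OK\r\n\r\n<html>", "tcp.srcport": 80},
]

# Table 7.2 operators: symbolic and English spellings map to one canonical form.
OPERATORS = {"==": "==", "eq": "==", "!=": "!=", "ne": "!=", ">": ">", "gt": ">",
             "<": "<", "lt": "<", "contains": "contains", "matches": "matches", "~": "matches"}
RESERVED = set(OPERATORS) | {"and", "&&", "or", "||", "not", "!", "(", ")"}
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|==|!=|&&|\|\||[<>~!()]|[^\s()"<>=!~&|]+')


def tokenize(expr):
    """Split a filter into tokens; quoted strings stay whole, stray characters are rejected."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad character {expr[pos]!r} at offset {pos}")
        tokens.append(m.group())
        pos = m.end()
    return tokens


class FilterParser:
    """Recursive-descent parser: `or` binds loosest, then `and`, then `not`; parentheses group."""

    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in RESERVED:
            raise ValueError(f"expected a field name, got {tok!r}")
        if self._peek() in OPERATORS:            # field <op> value
            op = OPERATORS[self._take()]
            value = self._take()
            if value is None:
                raise ValueError(f"missing value after {op}")
            return ("cmp", tok, op, value)
        return ("present", tok)                   # bare field or protocol: is it in the packet at all?


def _unquote(raw):
    return raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw


def evaluate(node, pkt):
    """Evaluate a parsed filter against one packet record (a dict of field -> value)."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "present":
        return node[1] in pkt
    _, field, op, raw = node
    if field not in pkt:            # comparing an absent field never matches, as in Wireshark
        return False
    actual, literal = pkt[field], _unquote(raw)
    if op == "contains":            # substring / byte-sequence search
        return (literal.encode() in actual) if isinstance(actual, bytes) else (literal in str(actual))
    if op == "matches":             # regular expression, case-insensitive like Wireshark's default
        text = actual.decode("latin-1") if isinstance(actual, bytes) else str(actual)
        return re.search(literal, text, re.IGNORECASE) is not None
    if isinstance(actual, int):     # numeric fields compare as numbers, not as text
        literal = int(literal, 0)
    elif isinstance(actual, bytes):
        literal = literal.encode()
    return {"==": actual == literal, "!=": actual != literal,
            ">": actual > literal, "<": actual < literal}[op]


def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers that the display filter would leave visible."""
    tree = FilterParser(expr).parse()
    return [p["frame.number"] for p in packets if evaluate(tree, p)]


if __name__ == "__main__":
    for f in ("tcp", "ip.src==192.168.1.10", "frame.len<64", 'tcp contains "traffic"',
              'http.host matches "example\\.com$"', "tcp and not frame.len < 100"):
        print(f"{f:40} -> frames {apply_filter(f)}")
```

Two behaviours are worth noticing because they mirror Wireshark: a comparison on a field the packet does not carry is simply false (so `http.host == "x"` never matches a DNS packet), and `not` binds to the single comparison that follows it, so `tcp and not frame.len < 100` keeps the large TCP frames rather than negating the whole expression.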
Colorizing the traffic can be an effective filter to locate and highlight packets you may be searching for. You can choose to color packets that indicate errors, anomalies, breaches, or evidence. Wireshark has predefined coloring rules in the Edit menu under Preferences. Your coloring rules are placed at the top of the list by default, so your rules will trump any that come after.
For temporary colors, right‐click a packet, go to Colorize Conversation, and slide down the list of types of traffic. To colorize the conversation, choose the protocol and select the color you would like that conversation to be. For example, you can color all IPv4 traffic blue and all Ethernet traffic red. This color rule will stay in effect until you restart Wireshark. You can also mark packets by right‐clicking them. They will be shown with a black background, regardless of coloring rules. Marking a packet is helpful while analyzing a large capture, almost like a bookmark holding your place.
If you right‐click a packet, you also have the ability to create packet comments. This is an excellent way to leave information that you have discovered, document a hypothesis, or communicate with other team members about network traffic you suspect is causing an issue.