Thu. Sep 24th, 2020

Linux Magazines

Tech News, Linux, Web

How to Use Wireshark Filters on Linux

9 min read

Packet Analysis with Real Bite

Wireshark is one of the jewels of the open-source world. It’s a world-class software tool, used by professionals and amateurs alike to investigate and diagnose networking issues. Software developers use it to pinpoint and characterize bugs in communications routines. Security researchers use it to capture and unpick malicious activity on a network.

A typical workflow is to run Wireshark in Capture mode, so it records network traffic through one of the network interfaces on the computer. The network packets are displayed in real time, as they’re captured. However, it’s in the post-capture analysis that the granular detail of what’s going on in the network is revealed.

The captured packets are called a trace. When the capture is complete the trace can be stepped through, packet by packet. You’re able to inspect any packet in the tiniest detail, map out network “conversations” between devices, and use filters to include (or exclude) packets from your analysis.

Wireshark’s filtering capabilities are second to none, with great flexibility and resolving power. There are subtleties to their syntax that make it easy to write a filter and get a result that doesn’t meet your expectations.

If you don’t understand how filters work in Wireshark, you’ll never get out of first gear and throttle the capabilities of the software.

Installing Wireshark

When you install Wireshark, you’re asked whether anyone using a non-root account should be able to capture network traces. Saying no to this might be an attractive idea. You might not want everyone to be able to see what’s happening on the network. However, installing Wireshark so that only those with root privileges can use it means all its components will run with elevated permissions.

Wireshark contains over 2 million lines of complicated code, and it interacts with your computer at the lowest level. Best security practices advise that as little code as possible should run with elevated privileges—especially when its operating at such a low level.

It’s far more secure to run Wireshark with a regular user account. We can still restrict who has the ability to run Wireshark. This requires a few extra setup steps, but it’s the safest way to proceed. The data capture elements of Wireshark will still run with elevated privileges, but the rest of Wireshark runs as a normal process.

To start the installation on Ubuntu, type:

sudo apt-get install wireshark
sudo apt-get install wireshark in a terminal window.

On Fedora, type:

sudo dnf install wireshark
sudo dnf install wireshark in a terminal window.

On Manjaro, use this command:

sudo pacman -Syu wireshark-qt
sudo pacman -Syu wireshark-qt in a terminal window.

During installation, you’ll see the screen below, recommending that you don’t run Wireshark as root. Press Tab to move the red highlight to “<OK>” and press the Space bar.

Installation screen recommending not to run Wireshark as root.

On the next screen, press Tab to move the red highlight to “<YES>” and press the Space bar.

The option screen allowing non-root users to run Wireshark, with "Yes" highlighted.

To run Wireshark, you must be a member of the “wireshark” group, which is created during installation. This allows you to control who can run Wireshark. Anyone who isn’t in the “wireshark” group can’t run Wireshark.

To add yourself to the “Wireshark” group use this command:

sudo usermod -a -G wireshark $USER

For your new group membership to take effect, you can log out and back in, or use this command:

newgrp wireshark

To see if you’re in the new group, use the groups command:

groups
sudo usermod -a -G wireshark $USER in a terminal window.

You should see “wireshark” in the list of groups.

Starting Wireshark

You can launch Wireshark with the command below. The ampersand (&) launches Wireshark as a background task, meaning you can carry on using the terminal window. You can even close the terminal window and Wireshark will continue to run.

Type the following:

Wireshark &
Wireshark & in a terminal window.

RELATED: How to Run and Control Background Processes on Linux

The Wireshark interface appears. The network interface devices present in your computer are listed, along with some built-in pseudo-devices.

The main wireshark interface.

A wavy line next to an interface means it’s live and network traffic is passing through it. A flat line means there’s no activity on the interface. The top item in this list is “enp0s3,” the wired connection for this computer and, as expected, it shows activity.

To start capturing packets, we right-click “enp0s3,” and then select “Start Capture” in the context menu.

Click "Start capture" in the context menu.

You can set filters to reduce the amount of traffic Wireshark captures. We prefer to capture everything and filter out anything we don’t want to see when doing an analysis. This way, we know everything that happened is in the trace. You don’t want to inadvertently miss a network event that explains the situation you’re investigating due to your capture filter.

Of course, for high-traffic networks, traces can quickly become very large, so filtering at capture makes sense in this scenario. Or, perhaps you just prefer it that way.

Note that the syntax for capture filters is slightly different than that for displays.

The shark fin, square, and shark fin with a circular arrow icons highlighted in the Wireshark interface with an active packet capture.

The highlighted icons in the image above indicate the following, from left to right:

  • Shark fin: If this is blue, clicking it will start a packet capture. If Wireshark is capturing packets, this icon will be gray.
  • Square: If this is red, clicking it will stop a running packet capture. If Wireshark isn’t capturing packets, this icon will be gray.
  • Shark fin with circular arrow: If this is green, clicking it will stop the currently running trace. This gives you the opportunity to save or discard the captured packets, and restart the trace. If Wireshark isn’t capturing packets, this icon will be gray.

Analyzing the Trace

Clicking the red square icon will stop the data capture so you can analyze the packets captured in the trace. The packets are presented in time order, and color coded according to the protocol of the packet. The details of the highlighted packet are displayed in the two lower panes in the Wireshark interface.

A captured trace displayed in Wireshark in time order.

A simple way to make reading the trace easier is to have Wireshark provide meaningful names for the source and destination IP addresses of the packets. To do this, click View > Name Resolution and select “Resolve Network Addresses.”

Wireshark will attempt to resolve the name of the devices that sent and received each packet. It won’t be able to identify every device, but those it can will help you read the trace.

Wireshark trace with device names resolved.

Scrolling the display to the left will reveal more columns on the right. The info column shows any information Wireshark can detect from the packet. In the example below, we see some ping requests and responses.

The Info column showing some ping requests and responses.

By default, Wireshark displays all packets in the order in which they were traced. Many devices send packets back and forth simultaneously. This means a single conversation between two devices is likely to have packets from others interlaced between them.

To examine a single conversation, you can isolate it by protocol. The protocol for each packet is shown in the protocol column. Most of the protocols you’ll see belong to the TCP/IP family. You can specify the exact protocol or use Ethernet as sort of a catchall.

Right-click any of the packets in the sequence you want to examine, and then click Conversation Filter > Ethernet.  In the example below, we selected a ping request packet.

Isolated ping "conversation" in the Wireshark interface.

The sequence of packets is shown without others between them, as Wireshark auto-generated a filter to do this. It’s displayed in the filter bar and highlighted in green, which indicates the syntax of the filter is correct.

To clear the filter, click “X” on the filter bar.

Creating Your Own Filters

Let’s put a simple filter in the filter bar:

ip.addr == 192.168.4.20

This selects all packets that have been sent from or received by the device with IP address 192.168.4.20. Note the double equals signs (==) with no space between them.

Wireshark with a filter of ip.addr == 192.168.4.20.

To see the packets sent by a device (the source), you can use ip.src; to see packets that have arrived at a device (the destination), you can use ip.dst, as shown below:

ip.dst == 192.168.4.20 && ip.src == 192.168.4.28
Wireshard with a filter of ip.addr == 192.168.4.20.

Note the use of a double ampersand (&&) to indicate the logical “and.” This filter looks for packets that arrived at 192.168.4.20 from 192.168.4.28.

People new to Wireshark filters often think a filter like this will capture all packets between two IP addresses, but that’s not the case.

What it actually does is filter all packets to or from IP address 192.168.4.20, regardless of where they came from or to where they were sent. It does the same with all packets from IP address 192.168.4.28. To put it more simply, it filters all traffic to or from either IP address.

You can look for activity on other protocols, too. For example, you can type this filter to look for HTTP requests:

http.request
Wireshark with filter http.request

To exclude packets that either came from or were sent to a device, use an exclamation point (!) and enclose the filter in parentheses [()]:

!(ip.addr == 192.168.4.14)

This filter excludes all packets sent to or from 192.168.4.14.

Wireshark with a filter of !(ip.addr ==192.168.4.14).

It’s counterintuitive because the filter contains the equality operator (==). You might have expected you’d type this filter like so:

ip.addr !=192.168.4.14

However, this won’t work.

You can also search for strings within packets, by protocol. This filter searches for Transmission Control Protocol (TCP) packets that contain the string “youtube”:

tcp contains youtube
Wireshark with a filter tcp contains youtube.

A filter that looks for retransmission is useful as a way to check whether there’s a connectivity issue. Retransmissions are packets that are re-sent because they were damaged or lost during the initial transmission. Too many retransmissions indicates a slow connection or a device that’s slow to respond.

Type the following:

tcp.analysis.retransmission
Wireshark with a filter of tcp.analysis.retransmission.

Birth, Life, Death, and Encryption

A network connection between two devices is initiated whenever one contacts the other and sends a SYN (synchronize) packet. The receiving device then sends an ACK (acknowledgment) packet. It indicates if it will accept the connection by sending a SYN packet.

SYN and ACK are actually two flags in the same packet. The original device acknowledges the SYN by sending an ACK, and then the devices establish a network connection.

This is called the three-way handshake:

A -> SYN -> B

A <- SYN, ACK <- B

A -> ACK -> B

In the screenshot below, someone on the computer “nostromo.local” makes a Secure Shell (SSH) connection to the computer “ubuntu20-04.local.” The three-way handshake is the first part of the communication between the two computers. Note that the two lines containing the SYN packets are color coded in dark gray.

Wireshark showing an SSH connection between two computers.

Scrolling the display to show the columns to the right reveals the SYN , SYN/ACK, and ACK handshake packets.

Wireshark showing the three-way handshake packets.

You’ll notice that the packet interchange between the two computers alternates between the TCP and SSH protocols. The data packets are passed through the encrypted SSH connection, but message packets (like ACK) are sent via TCP. We’ll filter out the TCP packets shortly.

When the network connection is no longer needed, it’s discarded. The packet sequence to break a network connection is a four-way handshake.

One side sends a FIN (finish) packet. The other end sends an ACK to acknowledge the FIN, and then also sends a FIN to indicate it agrees the connection should be dropped. The first side sends an ACK for the FIN it just received, and the network connection is then dismantled.

Here’s what the four-way handshake looks like:

A -> FIN -> B

A <- FIN, ACK <- B

A -> ACK -> B

Sometimes, the original FIN piggybacks on an ACK packet that was going to be sent anyway, as shown below:

A -> FIN, ACK -> B

A <- FIN, ACK <- B

A -> ACK -> B

This is what happens in this example.

Wireshark showing the four-way handshake packets.

If we want to see only the SSH traffic for this conversation, we can use a filter that specifies that protocol. We type the following to see all traffic using the SSH protocol to and from the remote computer:

ip.addr == 192.168.4.25 && ssh

This filters out everything except SSH traffic to and from 192.168.4.25.

Wireshark with a filter of ip.addr == 192.168.4.25 && ssh.

Other Useful Filter Templates

When you’re typing a filter into the filter bar, it will remain red until the filter is syntactically correct. It will turn green when the filter is correct and complete.

If you type a protocol, such as tcpipudp, or shh, followed by a period (.), a menu appears. It will list recent filters that contained that protocol, and all the fields that can be used in filters for that protocol name.

For example, with ip, you can use  ip.addrip.checksumip.srcip.dstip.idip.host, and dozens of others.

Use the following filter templates as the basis of your filters:

  • To only show HTTP protocol packets: http
  • To only show DNS protocol packets: dns
  • To only show TCP packets with 4000 as a source or destination port: tcp.port==4000
  • To display all TCP reset packets: http.request
  • To filter out ARP, ICMP, and DNS packets: !(arp or icmp or dns)
  • To display all retransmissions in a trace: tcp.analysis.retransmission
  • To filter flags (like SYN or FIN): You have to set a comparison value for these: 1 means the flag is set, and 0 means it’s not. So, an example would be: tcp.flags.syn == 1.

We’ve covered some of the guiding principles and fundamental uses of display filters here, but, of course, there’s a lot more.

To appreciate the full scope and power of Wireshark filters, be sure to check out its online reference.

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © All rights reserved. | Newsphere by AF themes.