Filtering OUT Traffic by IP Address - Aaargh!

Another interesting question was posed at ask.wireshark.org this week - it brings up a topic that I cover in the Wireshark 201: Filtering course (check out the schedule to catch the next free seminar on this topic).

The Question from ActualRandy
I want to see results where neither the destination, nor the source are the specified address; here is my filter. ip.src != 192.168.1.119 && ip.dst != 192.168.1.119 To my surprise, it returns some results with the that IP, such as this one: 157 238.065591 192.168.1.1 192.168.1.119 ICMP Destination unreachable (Port unreachable) The destination on this result is clearly one the filter should have blocked. What's up?

The Quick Answer
Avoid the use of != when filtering OUT IP address traffic. Instead use this filter:

!ip.addr == 192.168.1.1

The Long Answer
Sake Blok spent a bit more time explaining what was going on here. First of all - let's talk about the problem with a filter beginning with ip.src !==.












As you can see from the image above, Wireshark turned the display filter area yellow to indicate something is wrong. If you hover over the field a tooltip explains that the filter may not work as desired.

Here's the first issue with this type of filter. An IP header has two IP fields - the source IP address field and the destination IP address field. This filter looks in IP source address field first. If the field doesn't contain 24.4.7.217 -yippie! The filter matches and will be displayed. If the IP destination address field contains 24.4.7.217 the packet will be displayed as well. It's frustrating.

Here's a version of the chart contained in Chapter 9 of the Wireshark Network Analysis book:



Here's the second issue that ActualRandy hit - his filter displayed an ICMP packet. Sake explained this quite eloquently at ask.wireshark.org. Numerous ICMP packets are what I call "two-headed packets" - they contain two IP headers - the true IP header and another IP header in the ICMP portion of the packet.

Using the simple !ip.addr==192.168.1.119 addresses both issues and

works like a charm.

Enjoy!

Laura

Extract Fields with Tshark

An interesting question appeared at ask.wireshark.org this week – “How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?”

It’s an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the -T parameter to pull field information.

The answer was provided by skypemesm:

tshark -R 'dns' -r abc.pcap -T fields -e udp.length

-R “dns” - applies a DNS display filter to the trace file

-r abc.pcap - opens the abc.pcap file using Tshark

-T fields - indicates we are pulling a field contents (default format: text)

-e udp.length - tells Tshark to pull the value of the udp.length field

The results of this type of operation print on the screen.

What if you want to pull this information from a live capture?

Ok - you have to watch out here since Bug 2234 restricts us from using a display filter during a live capture in Tshark. Sigh. We'll use a capture filter instead.

tshark -T fields -e udp.length -f "port 53" > udplength.txt

In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and piped the results to a text file.

What else can you do? Well - you can use the -a parameter to define an autostop condition or the -c parameter to define the numbe of packets to capture.

All Access Pass Members: The Tshark Command-Line Capture course is released on the new portal. I just added a section on the use of -T/-e parameters after writing this blog. You should have received an email with your login instructions. If you didn't - send an email to info@chappellU.com.

Not an All Access Pass member? Jeepers - the price was just lowered so now is the time to sign up for one-year of online training at http://www.chappellu.com/.