Ask Your Question
0

Wireshark Filter explanations/guide

asked 2020-04-02 15:40:33 +0000

alohawireshark gravatar image

I am a data scientist analyzing packet data from Wireshark but I do not have a networking background. It's been a laborious process of Googling each filter from the tsharkoutput to build an intuitive understanding of each field, two fields just to illustrate my point: "ip.flags.rb" or "ip.flags." While the shorthand of such fields may have more meaning to an experienced network engineer, most is lost on me. I have reviewed the Wireshark documentation (https://www.wireshark.org/docs/dfref/...) and the definitions are:

ip.flags            Flags   Unsigned integer, 2 bytes   1.0.0 to 3.2.2
ip.flags.rb Reserved bit    Boolean                     1.0.0 to 3.2.2

Such a definition doesn't answer critical questions like, "what is the range of integers for ip.flags and what would be the significance of each? Or, "what is the significance of a 1 for ip.flags.rb as opposed to a 0, i.e. why might it matter if a bit is reserved or not?"

My question is, is there a cheat sheet for newbies/non-network engineers with such information? Thus far, it seems like in-depth explanations can occasionally be found in the Wireshark documentation, albeit spread across many chapters. I can also find discussion of individual fields on forums/blogs, but with 273+ fields to try to understand, I'm wondering if there is a better resource I haven't yet found that is available.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-04-02 15:48:36 +0000

grahamb gravatar image

There is no further explanation of filter fields in Wireshark except the info in the source code attached to the creation of each filter field.

This info is available in the fields definition, and in the status bar if you click on a field in the packet details pane.

Each protocol will have the definitions of the fields in some sort of RFC or specification document (which may not be freely available) and the dissector developer will then name the filter fields as they see fit.

So, to find out the meaning of the filter fields, you need to go to the source definition of the protocol and hopefully the filter field names will tie up with the information there.

edit flag offensive delete link more

Comments

tl;dr: Wireshark analyzes network traffic, so to understand what it's reporting requires some understanding of the protocols it's analyzing.

Guy Harris gravatar imageGuy Harris ( 2020-04-02 18:41:15 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-04-02 15:40:33 +0000

Seen: 827 times

Last updated: Apr 02 '20

Related questions

Can I create a capture filter on a pcap file

Wireshark expression filters (Wireless Capture)

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column