0

Wireshark to filter out several websites

asked 2020-10-01 06:53:05 +0000

pundit

G'day,

I've been frustratingly trying to not display several websites. Could someone please help me out with the correct format?

For example, how do you do microsoft.com, live.microsoft.com, 7.de.microsoft.com, ocsp.digicert.com

etc.

Thank you so much.


Comments

"Not display" as in you don't want to display any traffic to those sites? Some of those sites may have multiple IP's that can change due to location or other factors which complicates things.

grahamb (2020-10-01 08:16:55 +0000)

Hello,

Thank you for your reply.

Yes, I have a large packet capture. There are several websites on there that I do NOT want to be displayed, so I want to filter these OUT so that the dataset is much smaller to analyse.

Could you please tell me or show me how I can do this?

Thank you.

pundit (2020-10-01 09:30:33 +0000)

1 Answer

0

answered 2020-10-01 09:57:55 +0000

grahamb

Open the Conversations dialog (Statistics -> Conversations), select the IPv4 tab and then check the "Name resolution" box.

Hopefully you will see the hosts you want to filter out in either the "Address A" or "Address B" columns. Right-click the conversations you want to filter out and select "Apply as Filter" -> "...and not Selected" -> "A -> Any" or "B -> Any", depending on whether the name is in the A or B column. Keep repeating as desired.

As I noted in the question comments, a particular web site may use multiple different domains for all the components of the web page, and they may not all be obviously linked, so you will have to use "intuition" somewhat.

When you're happy with the result, you can export your subset of the packets to a smaller file with File -> "Export Specified Packets", ensuring the "Displayed" option is selected.


Comments

Thank you so much. I will try this out tmw.

pundit (2020-10-01 10:05:10 +0000)

Sorry, I just saw this. Is there any way of displaying the actual URL rather than just the IP?

How do you work out without having to switch screens which IP is to what DNS?

Sorry, new to this field.

pundit (2020-10-01 10:12:01 +0000)

The URL, if it appears at all in an HTTP conversation, will only be in a few of the packets, and because a web page is composed of lots of items from multiple sources, it won't catch all the traffic. A further complication is that most web site traffic is encrypted using TLS, so you won't actually see the HTTP requests. You could try using the hostname that's sent in the TLS handshake, e.g.

!(tls.handshake.extensions_server_name contains "site1.example.com" || tls.handshake.extensions_server_name contains "site2.example.com" )

but as this only matches the TLS Client Hello packets that won't reduce your capture by much. What that will do though is show IP addresses you could filter out with !(ip.addr == a.b.c.d).

grahamb (2020-10-01 11:11:10 +0000)
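The two-step approach from the answer and the last comment (use the SNI in the TLS Client Hello to learn which server IPs belong to a site, then exclude those IPs and export what is left) as a scripted tshark workflow. This is an added example, not code from the thread; the hostnames are the ones in the question, the IP addresses are constructed from RFC 5737 documentation ranges, and the function and variable names are my own.

```shell
# Added example (not from the thread). Hostnames come from the question; the
# IP addresses are constructed (RFC 5737 documentation ranges).
#
# Constructed stand-in for the two-column output of
#   tshark -r capture.pcap -Y 'tls.handshake.type == 1' \
#          -T fields -e ip.dst -e tls.handshake.extensions_server_name
# i.e. one line per Client Hello: server IP, tab, SNI hostname (SNI may be empty).
SAMPLE_SNI_TABLE=$(printf '192.0.2.10\tmicrosoft.com
192.0.2.10\tmicrosoft.com
198.51.100.7\tlive.microsoft.com
203.0.113.99\twww.example.com
192.0.2.44\t
203.0.113.5\tocsp.digicert.com')

# Read that table on stdin and print one display filter excluding every server IP
# seen for the given hostnames (exact match or any subdomain). Prints nothing if
# no hostname matched, so the caller can tell that apart from a real filter.
build_ip_exclusion() {
    awk -v hosts="$*" '
    BEGIN { n = split(hosts, h, " ") }
    NF >= 2 {
        for (i = 1; i <= n; i++) {
            if ($2 == h[i] || substr($2, length($2) - length(h[i])) == "." h[i]) {
                if (!seen[$1]++) ips[++m] = $1   # first-seen order, no duplicates
                break
            }
        }
    }
    END {
        if (m == 0) exit
        out = "!(ip.addr == " ips[1]
        for (j = 2; j <= m; j++) out = out " || ip.addr == " ips[j]
        print out ")"
    }'
}

# End to end: learn the server IPs from the Client Hellos in $1, then write only
# the remaining packets to $2 (what "Export Specified Packets" -> Displayed does).
export_without_hosts() {
    in="$1"; out="$2"; shift 2
    filter=$(tshark -r "$in" -Y 'tls.handshake.type == 1' \
                 -T fields -e ip.dst -e tls.handshake.extensions_server_name |
             build_ip_exclusion "$@")
    if [ -z "$filter" ]; then
        echo "none of the hostnames appeared in a TLS Client Hello" >&2; return 1
    fi
    tshark -r "$in" -Y "$filter" -w "$out"
}

# Usage: sh thisscript.sh capture.pcap trimmed.pcap microsoft.com ocsp.digicert.com
if [ "$#" -ge 3 ]; then export_without_hosts "$@"; fi
```

Like the manual method, this only catches servers whose SNI matched, so hosts that were contacted without a Client Hello in the capture (or that embed content from other domains) still have to be found through the Conversations dialog.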


Stats

Asked: 2020-10-01 06:53:05 +0000

Seen: 692 times

Last updated: Oct 01 '20