Ask Your Question
0

New to WireShark: How best to do 'complex filtering'?

asked 2023-04-20 00:12:59 +0000

bloop gravatar image

Hello,

I have used WireShark for basic network sniffing and analysis but now I am being called upon to do some complex analysis of capture files and quite frankly - I don't how or where to start. The sorts of analysis I need to do are of the following type:

  1. If a specific packet with some specific data comes through then the next packet must have some other data in it
  2. If a specific packet comes through then another packet must occur with a specific time frame

and keep a count of all instances where the first condition occurs and the second one doesn't as well as where the first condition occurs and second one does too. And then there's a zillions variants of this sort of conditional analysis between packets.

I think there should be a way to do it - I just don't know enough about WireShark to know what it is or where to start looking even. I know how to set up a filter for each condition, I just don;t understand or know that you can link conditions with stored variables (like frame.number of first packet == frame.number of this packet +1) I sure hope the answer isn't lua but if it is - or even better if it isn't - pointers to where to start would be fantastic.

Thanks for any help!

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2023-04-21 03:23:54 +0000

bloop gravatar image

updated 2023-04-21 03:25:56 +0000

In combing through the links you provided, I found a solution that works for me. PyShark is a python library (pip install pyshark) that uses tshark behind the scenes to parse capture files (and live streams, too). It's not all that well documented but using dir(<item>) interactively lets you see the fields and names available in each record (since the names are a little different from the WireShark filter names). Since you write your script in Python you can store data and refer to it to do conditional processing and slice and dice things according to your needs. For me the learning curve was slight and easier than lua or MATE

edit flag offensive delete link more
add a comment
0

answered 2023-04-20 01:33:39 +0000

Chuckc gravatar image

updated 2023-04-20 01:42:12 +0000

Somewhere in here is the quintessential answer to this but I'm not finding it right now. (something like this)
For filters, is there a facility to include the next packet in the sequence for a selected criteria?

MATE may be a solution but at a certain point you'll have to decide if it's not the right tool.

If you're open to writing code/scripts, Wireshark Lua (WSDG: Lua Support in Wireshark) is very flexible after making the initial time investment to get comfortable with it.

YMMV but there is also a lot that can be done with tshark and shell scripts.
https://www.youtube.com/@WireSharkFes...

Filter TLS with no Server Hello
The answers include two different Lua solutions for comparing packets.

edit flag offensive delete link more

Comments

Excellent starting point (even though you did say "lua" :-)) I'm going to dig a little deeper and see what makes sense. Thanks!

bloop gravatar imagebloop ( 2023-04-20 03:39:49 +0000 )edit

Sharfest '15 - "11: Changing Wireshark with Lua: Writing a Lua Plug-in to Create a Custom Decoder by Hadriel Kaplan Presentation Video (1:19:03)" is excellent.

05: Extending Wireshark with Lua | Learn Wireshark @ SF22US covers the EASYPOST.lua example dissector which is just drop in place and show output in the packet details.

Chuckc gravatar imageChuckc ( 2023-04-20 10:14:15 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-04-20 00:12:59 +0000

Seen: 525 times

Last updated: Apr 21 '23

Related questions

filtering open ports on wireshark

Finding a gap in length or id

ERSPAN ID - Adding Information to captured packets

How can I search within data, specifically in the TCP segment data?

How to find the make and model of a local router? [closed]

Filter URL By Number Characters

How to find out total number of ip4 packets (that are not TCP,UDP or ICMP)

tshark filtering with SCTP segmentation not working?

Filter to all sockets/conversations matching at least one packet of the active display filter

Auto Wireshark Profile Capture

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2