Ask Your Question
0

How to make display filter case insensitive [WireShark 4.2.6]

asked 2024-08-14 21:27:02 +0000

aenagy gravatar image

I am studying a PCAP that is a sample of a LLMNR poisoning attack. The following filter works:

udp.port == 5355 && dns.flags.response == True && ( ip.source ne dns.resp.name )

I would like to make the ip.source ne dns.resp.name comparison case insensitive. I have tried the following but these turn the filter input field to red which I assume to be some sort of syntax error.

udp.port == 5355 && dns.flags.response == True && ( ip.source matches dns.resp.name )

udp.port == 5355 && dns.flags.response == True && ( ip.source matches "(?-i)cldc" dns.resp.name )

udp.port == 5355 && dns.flags.response == True && ( upper(string(ip.source)) != upper(string(dns.resp.name)) )

How do I make the ip.source ne dns.resp.name comparison case insensitive?

edit retag flag offensive close merge delete

Comments

What isip.source? Do you mean ip.src_host ?

Chuckc gravatar imageChuckc ( 2024-08-14 22:03:35 +0000 )edit

Good catch. This returns a smaller set of packets that gets me closer to what I need.

udp.port == 5355 && dns.flags.response == True && ( ip.src_host ne dns.resp.name )

This still change the display filter input field to red:

udp.port == 5355 && dns.flags.response == True && ( ip.src_host matches dns.resp.name )

This will run but returns results that don't actually match what I need.

udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) )

aenagy gravatar imageaenagy ( 2024-08-15 02:09:43 +0000 )edit

Could you point to the download location of the LLMNR poisoning attack sample (or share it yourself) and then indicate which packets you want the filter to match?

SYN-bit gravatar imageSYN-bit ( 2024-08-15 07:01:51 +0000 )edit

The PCAP I'm analyzing is here: https://app.hackthebox.com/sherlocks/.... The theory I'm testing is that the rogue LLMNR device will respond to requests for host names that are not itself, i.e. rogue device foo will respond to queries for device bar.

aenagy gravatar imageaenagy ( 2024-08-15 08:42:08 +0000 )edit

When the display filter input field is red, a status message explaining why the filter didn't compile is added to the status bar at the bottom of the Wireshark window. What does it say? You shouldn't have to "guess" whether a filter has a syntax or syntactical error and why, the error message should tell you. If it's not clear enough, perhaps it could be changed.

johnthacker gravatar imagejohnthacker ( 2024-08-15 16:00:04 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-08-15 13:40:16 +0000

SYN-bit gravatar image

Does this filter do want you want it to do?

udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) and upper(ipv6.src_host) ne upper(dns.resp.name) )

Please enable Network name resolution and make sure only "Use captured DNS packets" is enabled.

edit flag offensive delete link more

Comments

Regarding udp.port == 5355 && dns.flags.response == True && ( ip.src_host matches dns.resp.name ) and your question regarding the error displayed --> I hadn't noticed this before. Thanks. The message is as you indicated that matches requires a literal string on the right-side which is rather unfortunate.

Regarding udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) and upper(ipv6.src_host) ne upper(dns.resp.name) ) this works better than expected as this includes IPv6.

aenagy gravatar imageaenagy ( 2024-08-18 20:41:48 +0000 )edit

@SYN--bit:

Your suggestions help resolve my question.

Thanks.

aenagy gravatar imageaenagy ( 2024-08-18 20:42:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-08-14 21:27:02 +0000

Seen: 222 times

Last updated: Aug 18