
How to make display filter case insensitive [WireShark 4.2.6]

asked 2024-08-14 21:27:02 +0000

aenagy

I am studying a PCAP that is a sample of a LLMNR poisoning attack. The following filter works:

udp.port == 5355 && dns.flags.response == True && ( ip.source ne dns.resp.name )

I would like to make the ip.source ne dns.resp.name comparison case insensitive. I have tried the following but these turn the filter input field to red which I assume to be some sort of syntax error.

udp.port == 5355 && dns.flags.response == True && ( ip.source matches dns.resp.name )

udp.port == 5355 && dns.flags.response == True && ( ip.source matches "(?-i)cldc" dns.resp.name )

udp.port == 5355 && dns.flags.response == True && ( upper(string(ip.source)) != upper(string(dns.resp.name)) )

How do I make the ip.source ne dns.resp.name comparison case insensitive?


Comments

What is ip.source? Do you mean ip.src_host?

Chuckc ( 2024-08-14 22:03:35 +0000 )

Good catch. This returns a smaller set of packets that gets me closer to what I need.

udp.port == 5355 && dns.flags.response == True && ( ip.src_host ne dns.resp.name )

This still changes the display filter input field to red:

udp.port == 5355 && dns.flags.response == True && ( ip.src_host matches dns.resp.name )

This will run but returns results that don't actually match what I need.

udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) )

aenagy ( 2024-08-15 02:09:43 +0000 )

Could you point to the download location of the LLMNR poisoning attack sample (or share it yourself) and then indicate which packets you want the filter to match?

SYN-bit ( 2024-08-15 07:01:51 +0000 )

The PCAP I'm analyzing is here: https://app.hackthebox.com/sherlocks/.... The theory I'm testing is that the rogue LLMNR device will respond to requests for host names that are not itself, i.e. rogue device foo will respond to queries for device bar.

aenagy ( 2024-08-15 08:42:08 +0000 )

When the display filter input field is red, a status message explaining why the filter didn't compile is added to the status bar at the bottom of the Wireshark window. What does it say? You shouldn't have to "guess" whether a filter has a syntax or syntactical error and why, the error message should tell you. If it's not clear enough, perhaps it could be changed.

johnthacker ( 2024-08-15 16:00:04 +0000 )

1 Answer


answered 2024-08-15 13:40:16 +0000

SYN-bit

Does this filter do what you want it to do?

udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) and upper(ipv6.src_host) ne upper(dns.resp.name) )

Please enable Network name resolution and make sure only "Use captured DNS packets" is enabled.


Comments

Regarding udp.port == 5355 && dns.flags.response == True && ( ip.src_host matches dns.resp.name ) and your question regarding the error displayed --> I hadn't noticed this before. Thanks. The message is, as you indicated, that matches requires a literal string on the right side, which is rather unfortunate.

Regarding udp.port == 5355 && dns.flags.response == True && ( upper(ip.src_host) ne upper(dns.resp.name) and upper(ipv6.src_host) ne upper(dns.resp.name) ) this works better than expected as this includes IPv6.

aenagy ( 2024-08-18 20:41:48 +0000 )

@SYN-bit:

Your suggestions help resolve my question.

Thanks.

aenagy ( 2024-08-18 20:42:52 +0000 )
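An added example, not part of the thread above: the accepted filter's logic reproduced in Python over a constructed set of LLMNR responses (UDP 5355, response flag set), so the effect of the case-insensitive comparison can be seen directly. It emulates Wireshark's "Use captured DNS packets" resolution by mapping each answered address to a host name (assumption: the first name seen for an address wins), then compares the resolved src_host with dns.resp.name both case-sensitively and with casefold(); all addresses and names are constructed.

```python
# Constructed sample: LLMNR responses (udp.port == 5355, dns.flags.response == 1)
# as (source address, dns.resp.name, address returned in the A/AAAA answer).
SAMPLE_RESPONSES = [
    ("192.168.1.20", "FILESRV01", "192.168.1.20"),  # host answering for itself
    ("192.168.1.20", "filesrv01", "192.168.1.20"),  # same host, query sent in lower case
    ("192.168.1.77", "WKSTN05", "192.168.1.77"),    # first name seen for .77
    ("192.168.1.77", "wpad", "192.168.1.77"),       # .77 also answers for "wpad"
    ("192.168.1.77", "FILESRV02", "192.168.1.77"),  # ... and for a third name
    ("fe80::1", "PRINTER", "fe80::1"),              # IPv6 responder answering for itself
]


def resolve_hosts(responses):
    """Emulate Wireshark's 'Use captured DNS packets' resolution: map each
    answered address to a host name. Assumption: the first name seen wins."""
    hosts = {}
    for _src, name, addr in responses:
        hosts.setdefault(addr, name)
    return hosts


def mismatched_responses(responses, case_insensitive=True):
    """The accepted filter in Python: keep responses where the resolved
    src_host differs from dns.resp.name. With case_insensitive=False this is
    the original 'ip.src_host ne dns.resp.name' comparison, which also flags
    a host answering for its own name in a different case."""
    hosts = resolve_hosts(responses)
    norm = str.casefold if case_insensitive else str
    return [
        (src, name)
        for src, name, _addr in responses
        if norm(hosts.get(src, src)) != norm(name)   # unresolved src shows as the address
    ]


def multi_name_responders(responses):
    """Generalisation of the question's theory: source addresses that have
    answered for more than one distinct name (case-insensitively)."""
    names = {}
    for src, name, _addr in responses:
        names.setdefault(src, set()).add(name.casefold())
    return {src: sorted(n) for src, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    print("case-sensitive  :", mismatched_responses(SAMPLE_RESPONSES, False))
    print("case-insensitive:", mismatched_responses(SAMPLE_RESPONSES))
    print("multi-name      :", multi_name_responders(SAMPLE_RESPONSES))
```

The case-sensitive run reports the legitimate FILESRV01 host as a mismatch only because the query arrived in lower case; the case-insensitive run and the multi-name check both single out the address that answered for several unrelated names.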


Stats

Asked: 2024-08-14 21:27:02 +0000

Seen: 124 times

Last updated: Aug 18