Ask Your Question
0

What the display filter to only see traffic for a particular website?

asked 2019-02-23 19:19:08 +0000

yakinharoon gravatar image

When I enter www.yahoo.com in the browser. I would like to see everything related to www.yahoo.com. For instance,

  1. DNS for www.yahoo.com
  2. TCP handshake for www.yahoo.com
  3. HTTP GET request
edit retag flag offensive close merge delete

Comments

So you want the TCP handshake, and the TCP get request, but not any ACK-only packets, in the TCP connection to www.yahoo.com?

Guy Harris gravatar imageGuy Harris ( 2019-03-21 20:18:08 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-03-21 15:40:37 +0000

Zaaf gravatar image

updated 2019-03-21 16:24:27 +0000

DNS for www.yahoo.com use dns contains www.yahoo.com

TCP handshake for www.yahoo.com TCP hand shake will be with what ever ip address is resolved against www.yahoo.com Remember these days opening a webpage is not a tcp threeway handshake with single resolved ip address. I have seen multiple tcp sessions for single website.

HTTP GET request http.host contains "www.yahoo.com"

I have just opened yahoo and it was https so use ssl.handshake.extensions_server_name == "www.yahoo.com"

so the possible combination for display filter will be

dns contains www.yahoo.com || http.host contains "www.yahoo.com" || ssl.handshake.extensions_server_name == "www.yahoo.com"

edit flag offensive delete link more

Comments

Two answers have recommended using the display filter "dns contains www.yahoo.com".

This will not work because host names in DNS queries and responses are encoded. "www.yahoo.com" is not stored in the packet. What is actually stored is "3www5yahoo3com0"

What will work is "dns.qry.name contains "www.yahoo.com" or "dns.qry.name=="www.yahoo.com"

"dns contains" compares to the actual values stored in the packet. "dns.qry.name contains" or "dns.qry.name==" compares the the dissected value. "3www5yahoo3com0" is dissected as "www.yahoo.com" but that's not what's actually stored in the packet.

Jim Aragon gravatar imageJim Aragon ( 2019-03-21 18:42:34 +0000 )edit
0

answered 2019-02-26 00:07:17 +0000

updated 2019-03-21 19:43:42 +0000

Hi,

This is how I do it but there are probably other (better?) ways.

Capture all traffic when you are browsing to the website.

When you are done close your browser and then stop the capture.

You'll need to use display filters to all the information.

DNS

Use this display filter to find the DNS queries and answers for the domain:

dns.qry.name contains "www.yahoo.com

(Deprecated using dns contains www.yahoo.com after reading Jim's comment.)

There are probably a lot of DNS for a site like Yahoo so if you want everything you need to make a note of every IP addresses in the answer field of every DNS packets.

TCP (HTTP)

You can now display all TCP SYN segment with this filter.

(tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You need to find the TCP stream index where the destination IP address matches the IP address from the DNS answer.

You may build a more complex filter using the IP addresses you found to (somewhat) automate this process.

ip.dst in {1.2.3.4 5.6.7.8 9.0.1.2} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)

You can then find all the TCP stream indexes of all the Yahoo related TCP conversations.

This will include HTTP/HTTPS.

ALL THAT JAZZ

Display everything with a new display filter.

dns contains www.yahoo.com || tcp.stream in {10 20 30}

Hope this helps.

Cheers,

JF

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-02-23 19:19:08 +0000

Seen: 12,210 times

Last updated: Mar 21 '19