
Wireshark to filter out several websites


G'day,

I've been frustratingly trying to not display several websites. Could someone please help me out with the correct format?

For example, how do you do microsoft.com, live.microsoft.com, 7.de.microsoft.com, ocsp.digicert.com

etc.

Thank you so much.

pundit
asked 2020-10-01 06:53:05 +0000

Comments

"Not display" as in you don't want to display any traffic to those sites? Some of those sites may have multiple IP's that can change due to location or other factors which complicates things.

grahamb (2020-10-01 08:16:55 +0000)

Hello,

Thank you for your reply.

Yes, I have a large packet capture. There are several websites on there that I do NOT want to be displayed; I want to filter these OUT so that the dataset is much smaller to analyse.

Could you please tell me or show me how I can do this?

Thank you.

pundit (2020-10-01 09:30:33 +0000)

1 Answer


Open the Conversations dialog (Statistics -> Conversations), select the IPv4 tab and then check the "Name resolution" box.

Hopefully you will see the hosts you want to filter out in either the "Address A" or "Address B" columns, right click conversations you want to filter out and select "Apply as Filter" -> "...and not Selected" -> "A -> Any" or "B -> Any" depending on whether the name is in the A or B column. Keep repeating as desired.

As I noted in the question comments, a particular web site may use multiple different domains for all the components of the web page, and they may not all be obviously linked, so you will have to use "intuition" somewhat.

When you're happy with the result you can export your subset of the packets to a smaller file, with File -> "Export Specified Packets" and ensure the "Displayed" option is selected.

grahamb
answered 2020-10-01 09:57:55 +0000

Comments

Thank you so much. I will try this out tmw.

pundit (2020-10-01 10:05:10 +0000)

Sorry, I just saw this. Is there any way of displaying the actual URL rather than just the IP?

How do you work out without having to switch screens which IP is to what DNS?

Sorry, new to this field

pundit (2020-10-01 10:12:01 +0000)

The URL, if it appears at all in an HTTP conversation, will only be in a few of the packets, and due to a web page being composed of lots of items from multiple sources won't catch all the traffic. A further complication is that most web site traffic is encrypted using TLS so you won't actually see the http requests. You could try using the hostname that's sent in the TLS handshake, e.g.

!(tls.handshake.extensions_server_name contains "site1.example.com" || tls.handshake.extensions_server_name contains "site2.example.com" )

but as this only matches the TLS Client Hello packets that won't reduce your capture by much. What that will do though is show IP addresses you could filter out with !(ip.addr == a.b.c.d).

grahamb (2020-10-01 11:11:10 +0000)
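The two approaches in this thread (drop the TLS Client Hellos by SNI name, then drop everything to the server addresses those hellos reveal) can be automated instead of clicking through the Conversations dialog for each site. The script below is an added example and is not part of the thread or of Wireshark itself. It assumes you first list the SNI names and server addresses with a real tshark invocation such as `tshark -r capture.pcapng -Y tls.handshake.extensions_server_name -T fields -e tls.handshake.extensions_server_name -e ip.dst`; the tab-separated sample embedded below is constructed to look like that output, using TEST-NET addresses. The hostname list `UNWANTED_SITES` is an assumption taken from the question.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `tshark -T fields -e tls.handshake.extensions_server_name -e ip.dst`
# output: one Client Hello per line, hostname, tab, server address (TEST-NET ranges, not real).
SAMPLE_TSHARK_OUTPUT = """\
microsoft.com\t192.0.2.10
www.microsoft.com\t192.0.2.10
live.microsoft.com\t192.0.2.11
7.de.microsoft.com\t192.0.2.12
ocsp.digicert.com\t198.51.100.5
cdn.example.net\t192.0.2.10
shop.example.org\t203.0.113.7
"""

# Assumed list of sites the asker wants hidden.
UNWANTED_SITES = ["microsoft.com", "ocsp.digicert.com"]

SNI_FIELD = "tls.handshake.extensions_server_name"


def _quote(value: str) -> str:
    """Escape a string for use inside double quotes in a Wireshark display filter."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def sni_filter(sites) -> str:
    """Filter hiding the TLS Client Hellos for the given sites (substring match, as in the comment)."""
    clauses = [f"{SNI_FIELD} contains {_quote(s)}" for s in sites]
    return "!(" + " || ".join(clauses) + ")"


def host_matches(host: str, site: str) -> bool:
    """True if host is site itself or a subdomain of it (label boundary, not a raw substring)."""
    host, site = host.lower().rstrip("."), site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def parse_sni_table(text: str) -> dict:
    """Parse tshark field output into {hostname: set of server IPs}; malformed lines are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[0]:
            continue
        host, ip = parts
        try:
            ipaddress.ip_address(ip)  # reject anything that is not a literal address
        except ValueError:
            continue
        table[host].add(ip)
    return dict(table)


def excluded_ips(table: dict, sites) -> list:
    """Server addresses contacted under any of the unwanted site names, numerically sorted."""
    ips = {ip for host, addrs in table.items()
           if any(host_matches(host, s) for s in sites) for ip in addrs}
    return sorted(ips, key=ipaddress.ip_address)


def collateral_hosts(table: dict, sites) -> dict:
    """Hosts that are NOT unwanted but share a server address with one that is.

    An ip.addr filter hides these too (typical for CDN-hosted sites), which is the
    caveat raised in the comments about a site having many addresses.
    """
    excluded = set(excluded_ips(table, sites))
    return {host: sorted(addrs & excluded) for host, addrs in table.items()
            if not any(host_matches(host, s) for s in sites) and addrs & excluded}


def ip_filter(ips) -> str:
    """Filter hiding all traffic to or from the given addresses, in the !(ip.addr == x) form."""
    if not ips:
        return ""
    return "!(" + " || ".join(f"ip.addr == {ip}" for ip in ips) + ")"


if __name__ == "__main__":
    table = parse_sni_table(SAMPLE_TSHARK_OUTPUT)
    print(sni_filter(UNWANTED_SITES))
    ips = excluded_ips(table, UNWANTED_SITES)
    print(ip_filter(ips))
    for host, shared in collateral_hosts(table, UNWANTED_SITES).items():
        print(f"warning: {host} shares {', '.join(shared)} and would be hidden too")
```

Paste the printed `ip_filter` string into the Wireshark filter bar, then use File -> Export Specified Packets with "Displayed" selected, as the answer describes. Two things worth checking before trusting the result: the `!(ip.addr == x || ...)` form is deliberate, because `ip.addr != x` matches any packet where either endpoint is not x and therefore hides almost nothing; and any host reported by `collateral_hosts` will disappear from the capture as well, so decide whether losing it is acceptable before exporting.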
