
New to WireShark: How best to do 'complex filtering'?

Hello,

I have used WireShark for basic network sniffing and analysis but now I am being called upon to do some complex analysis of capture files and quite frankly - I don't know how or where to start. The sorts of analysis I need to do are of the following type:

  1. If a specific packet with some specific data comes through then the next packet must have some other data in it
  2. If a specific packet comes through then another packet must occur within a specific time frame

and keep a count of all instances where the first condition occurs and the second one doesn't, as well as where the first condition occurs and the second one does too. And then there's a zillion variants of this sort of conditional analysis between packets.

I think there should be a way to do it - I just don't know enough about WireShark to know what it is or where to start looking even. I know how to set up a filter for each condition, I just don't understand or know whether you can link conditions with stored variables (like frame.number of first packet == frame.number of this packet +1). I sure hope the answer isn't lua but if it is - or even better if it isn't - pointers to where to start would be fantastic.

Thanks for any help!

bloop
asked 2023-04-20 00:12:59 +0000


2 Answers


In combing through the links you provided, I found a solution that works for me. PyShark is a Python library (pip install pyshark) that uses tshark behind the scenes to parse capture files (and live streams, too). It's not all that well documented but using dir(<item>) interactively lets you see the fields and names available in each record (since the names are a little different from the WireShark filter names). Since you write your script in Python you can store data and refer to it to do conditional processing and slice and dice things according to your needs. For me the learning curve was slight and easier than lua or MATE.

bloop
answered 2023-04-21 03:23:54 +0000, updated 2023-04-21 03:25:56 +0000
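The two cross-packet rules from the question, implemented as a script over parsed packet records rather than a display filter, as an added example that is not part of the original post or of PyShark (the Pkt record, the sample frames and both rule functions are constructed here):

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    number: int   # frame.number
    time: float   # frame.time_relative (seconds since the first frame)
    info: str     # constructed stand-in for whatever field you match on

def count_next_frame_rule(pkts, cond_a, cond_b):
    """Rule 1: a frame matching cond_a must be immediately followed by one matching cond_b.
    Returns (hits, misses, numbers of the cond_a frames whose successor did not match)."""
    hits = misses = 0
    miss_frames, prev = [], None
    for p in pkts:
        if prev is not None and cond_a(prev):
            if cond_b(p):
                hits += 1
            else:
                misses += 1
                miss_frames.append(prev.number)
        prev = p
    if prev is not None and cond_a(prev):  # trigger on the last frame: nothing follows it
        misses += 1
        miss_frames.append(prev.number)
    return hits, misses, miss_frames

def count_time_window_rule(pkts, cond_a, cond_b, window_s):
    """Rule 2: a frame matching cond_a must be followed within window_s seconds by one matching cond_b.
    One cond_b frame closes every trigger still open at that moment."""
    hits = misses = 0
    miss_frames, pending = [], []  # pending: (trigger frame number, deadline)
    for p in pkts:
        expired = [n for n, d in pending if d < p.time]  # deadline passed before this frame
        pending = [(n, d) for n, d in pending if d >= p.time]
        misses += len(expired); miss_frames.extend(expired)
        if cond_b(p) and pending:
            hits += len(pending); pending = []
        if cond_a(p):  # checked after cond_b so a frame never satisfies its own trigger
            pending.append((p.number, p.time + window_s))
    misses += len(pending); miss_frames.extend(n for n, _ in pending)  # still open at end of capture
    return hits, misses, miss_frames

# Constructed sample "capture": request/ack pairs; the ack for frame 3 arrives late (frame 5)
SAMPLE = [Pkt(1, 0.000, "REQ id=7"), Pkt(2, 0.010, "ACK id=7"), Pkt(3, 0.500, "REQ id=8"),
          Pkt(4, 0.520, "DATA"), Pkt(5, 1.900, "ACK id=8"), Pkt(6, 2.000, "REQ id=9"),
          Pkt(7, 2.100, "ACK id=9")]
is_req = lambda p: p.info.startswith("REQ")
is_ack = lambda p: p.info.startswith("ACK")
# For a real capture, build Pkt records from pyshark.FileCapture(path) (needs tshark); frame fields
# live under pkt.frame_info (attribute names assumed: number, time_relative, differing from filter names).
```

On the sample, both rules report two hits and one miss, and each names frame 3 as the trigger that was not answered in time.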

Somewhere in here is the quintessential answer to this but I'm not finding it right now. (something like this)
For filters, is there a facility to include the next packet in the sequence for a selected criteria?

MATE may be a solution but at a certain point you'll have to decide if it's not the right tool.

If you're open to writing code/scripts, Wireshark Lua (WSDG: Lua Support in Wireshark) is very flexible after making the initial time investment to get comfortable with it.

YMMV but there is also a lot that can be done with tshark and shell scripts.
https://www.youtube.com/@WireSharkFes...

Filter TLS with no Server Hello
The answers include two different Lua solutions for comparing packets.

Chuckc
answered 2023-04-20 01:33:39 +0000, updated 2023-04-20 01:42:12 +0000

Comments

Excellent starting point (even though you did say "lua" :-)) I'm going to dig a little deeper and see what makes sense. Thanks!

bloop (2023-04-20 03:39:49 +0000)

Sharkfest '15 - "11: Changing Wireshark with Lua: Writing a Lua Plug-in to Create a Custom Decoder by Hadriel Kaplan Presentation Video (1:19:03)" is excellent.

05: Extending Wireshark with Lua | Learn Wireshark @ SF22US covers the EASYPOST.lua example dissector which is just drop in place and show output in the packet details.

Chuckc (2023-04-20 10:14:15 +0000)

show tcp streams which don't include string

Not directly, the display filter capabilities of Wireshark are "per-packet", i.e. is this packet to be displayed or not. There isn't a direct mechanism to say display this packet because of some condition in another packet.

Chuckc (2024-05-01 22:28:34 +0000)
