WireShark Filters

Unit 2 - Network Forensics (Wireshark)


Wireshark Filters

Each entry gives the display filter followed by its purpose.

eth.src == <MAC address>
    Packets whose source MAC address equals the given address.
tcp.flags.syn == val
    Packets whose TCP header has the SYN flag set (val = 1) or cleared (val = 0).
tcp.flags.ack == val
    Packets whose TCP header has the ACK flag set (val = 1) or cleared (val = 0).
http.host contains "<string>"
    HTTP packets whose Host field contains the given <string>.
http.request.method == "<method>"
    HTTP packets whose request method matches the given <method>.
http.response
    HTTP response packets.
ftp.request.command == "<command>"
    FTP packets whose request command matches the given <command>.
ftp.response.code == val
    FTP packets whose response code equals the given val.
ftp contains "<string>"
    FTP packets that contain the given <string>.
arp.opcode == val
    ARP packets whose opcode field equals the given val.
smtp.req.command
    SMTP request packets.
smtp.response.code
    SMTP response packets.
pop.request.command
    POP request packets.
pop.response
    POP response packets.
imap.request.command
    IMAP request packets.
telnet contains "<string>"
    Telnet packets that contain the given <string>.

File Signature and Regular Expression Matches

The first group uses `contains` with the file's magic bytes; the rest use `matches` with a regular expression. Inside a display-filter string a regex backslash is written as `\\` because the string is unescaped once before it reaches the regex engine.

http contains "\x89\x50\x4E\x47"
    PNG
http contains "%PDF"
    PDF
http contains "GIF89a"
    GIF
http contains "\x50\x4B\x03\x04"
    ZIP
http contains "\xff\xd8"
    JPEG
http contains "\x49\x44\x33"
    MP3
http contains "\x52\x61\x72\x21\x1A\x07\x00"
    RAR
http contains "\x52\x49\x46\x46"
    AVI
http contains "\x46\x57\x53"
    SWF
http contains "\x1F\x8B\x08"
    GZip
smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]+"
    Email address
http matches "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
    IP address
"5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
    Credit card number (Mastercard) of the form 5xxx-xxxx-xxxx-xxxx or 5xxx xxxx xxxx xxxx, where each x is a digit from 0 to 9 (regular expression for the matches operator).
"4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
    Credit card number (Visa) of the form 4xxx-xxxx-xxxx-xxxx or 4xxx xxxx xxxx xxxx, where each x is a digit from 0 to 9 (regular expression for the matches operator).
"3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}"
    Credit card number (Am Ex) of the form 3xxx-xxxxxx-xxxxx or 3xxx xxxxxx xxxxx, where each x is a digit from 0 to 9 (regular expression for the matches operator).
http matches "[a-zA-Z0-9.-]+\\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)"
    Domain name filter
tcp.port==23 && tcp.flags.syn==0 && tcp.flags.ack==0
    Telnet login filter: trace with Telnet Hydra and SYN/port 23 filter
telnet contains "login"
    Telnet login filter
telnet contains "Failed"
    Telnet login filter
tcp.flags.syn==1 && tcp.flags.ack==0
    Hping DoS filter: trace with Hping and SYN flag filter
ftp contains "530 User"
    FTP user/password crack filter: trace with FTP Hydra and 530 filter
tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1
    FTP login filter: trace with FTP Hydra and SYN/port 21 filter
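As an added example that is not part of this cheat sheet, the same signatures and regexes applied offline in Python to a constructed HTTP message; it also shows why a `contains` hit is weaker than a body that starts with the signature, and how a Content-Type header that disagrees with the body's magic bytes can be flagged while carving. All function and variable names are my own.

```python
import re

# Magic-byte signatures copied from the sheet above. `http contains "<bytes>"`
# fires when the bytes occur anywhere in the HTTP PDU, not only at offset 0.
# "RIFF" (listed as AVI) is a container header shared by WAV and WebP as well.
SIGNATURES = {
    "PNG": b"\x89\x50\x4E\x47", "PDF": b"%PDF", "GIF": b"GIF89a",
    "ZIP": b"\x50\x4B\x03\x04", "JPEG": b"\xff\xd8", "MP3": b"\x49\x44\x33",
    "RAR": b"\x52\x61\x72\x21\x1A\x07\x00", "AVI": b"\x52\x49\x46\x46",
    "SWF": b"\x46\x57\x53", "GZip": b"\x1F\x8B\x08",
}

# Regexes from the sheet. A Python raw byte string needs one backslash; the
# display-filter string needs "\\d" because it is unescaped once before PCRE.
EMAIL = re.compile(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]+")
MASTERCARD = re.compile(rb"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}")

def split_http(message: bytes):
    """Split one HTTP message into (headers, body); body is b"" without a blank line."""
    head, sep, body = message.partition(b"\r\n\r\n")
    return head, (body if sep else b"")

def contains_hits(message: bytes):
    """Emulate the `contains` rows: every signature found anywhere, with its offset."""
    return sorted((name, message.find(sig))
                  for name, sig in SIGNATURES.items() if sig in message)

def body_type(message: bytes):
    """Stricter check for carving: the signature the body *starts* with, or None."""
    _, body = split_http(message)
    return next((n for n, sig in SIGNATURES.items() if body.startswith(sig)), None)

def declared_vs_actual(message: bytes):
    """(Content-Type header value, magic-byte type) so a mismatch can be flagged."""
    head, _ = split_http(message)
    m = re.search(rb"(?im)^content-type:\s*([^\r\n;]+)", head)
    return (m.group(1).strip() if m else b""), body_type(message)

def find_cards(data: bytes):
    """Mastercard-shaped numbers; finditer is used because the regex has groups."""
    return [m.group(0) for m in MASTERCARD.finditer(data)]

# Constructed sample (not from a real capture): a response declared text/html
# whose body is really a PNG, with an e-mail address in a header.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"X-Contact: admin@example.org\r\n\r\n"
          b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)

if __name__ == "__main__":
    print(contains_hits(SAMPLE), declared_vs_actual(SAMPLE), EMAIL.findall(SAMPLE))
```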