🦈Wireshark
Capture Filters
Capture traffic involving a host (either direction):
host x.x.x.x
Capture traffic involving a network (either direction):
net x.x.x.x/24
Capture traffic from a network:
src net x.x.x.x/24
Capture traffic to a network:
dst net x.x.x.x
Filter out all traffic except the port you specify:
port #
Capture everything except what the expression matches:
not <expression>
Combine expressions:
and
Capture traffic only within a port range:
portrange x-x
Specify protocol filters:
ip / ether / tcp
Capture a specific type of traffic:
broadcast / multicast / unicast
Display Filters
Show only traffic involving a certain host (matches source OR destination):
ip.addr == x.x.x.x
Show traffic involving a specific network (matches source OR destination):
ip.addr == x.x.x.x/24
Show traffic from, or to, a specific host:
ip.src == x.x.x.x / ip.dst == x.x.x.x
Filter traffic by protocol:
dns / tcp / ftp / arp / ip / http
Filter by a specific TCP port (source or destination):
tcp.port == x
Filter by source port or destination port only:
tcp.srcport == x / tcp.dstport == x
AND combines conditions, OR matches either of two conditions, NOT excludes what you specify:
and / or / not
Follow a TCP session stream:
tcp.stream eq #
Show any packet carrying a JPEG image:
http && image-jfif
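The "OR statement" remark above is the part of display filters that most often trips people up: ip.addr and tcp.port each test two fields, so negating them does not exclude a host. The following added example (not from the cheat sheet, and not Wireshark code) emulates those semantics over a constructed packet list so the behaviour can be checked offline; the packet records and frame numbers are made up, and the function names (ip_addr, ip_addr_in_net, tcp_port, frames, ...) are this example's own.

```python
"""Emulate Wireshark display-filter semantics over a constructed packet list."""
import ipaddress

# Constructed sample packet summaries (not from a real capture). The keys mirror
# the Wireshark field names used in the cheat sheet.
PACKETS = [
    {"frame": 1, "ip.src": "192.168.1.100", "ip.dst": "203.0.113.1", "proto": "tcp", "tcp.srcport": 51000, "tcp.dstport": 21},
    {"frame": 2, "ip.src": "203.0.113.1", "ip.dst": "192.168.1.100", "proto": "tcp", "tcp.srcport": 21, "tcp.dstport": 51000},
    {"frame": 3, "ip.src": "192.168.1.5", "ip.dst": "192.168.1.1", "proto": "dns", "tcp.srcport": None, "tcp.dstport": None},
    {"frame": 4, "ip.src": "10.0.0.7", "ip.dst": "192.168.1.100", "proto": "tcp", "tcp.srcport": 4444, "tcp.dstport": 80},
]


def ip_addr(pkt, host):
    """ip.addr == host : true when the host is the source OR the destination."""
    return host in (pkt["ip.src"], pkt["ip.dst"])


def ip_src(pkt, host):
    """ip.src == host : source only."""
    return pkt["ip.src"] == host


def ip_dst(pkt, host):
    """ip.dst == host : destination only."""
    return pkt["ip.dst"] == host


def ip_addr_in_net(pkt, cidr):
    """ip.addr == x.x.x.x/24 : either endpoint inside the subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(ipaddress.ip_address(a) in net for a in (pkt["ip.src"], pkt["ip.dst"]))


def tcp_port(pkt, port):
    """tcp.port == x : source port OR destination port."""
    return port in (pkt["tcp.srcport"], pkt["tcp.dstport"])


def proto(pkt, name):
    """Bare protocol filter such as `tcp` or `dns`."""
    return pkt["proto"] == name


def ip_addr_ne(pkt, host):
    """ip.addr != host : Wireshark tests (src != host) OR (dst != host), which is
    true whenever at least one endpoint differs, so it does NOT exclude the host.
    Use `not ip_addr(...)`, i.e. !(ip.addr == host), to exclude it."""
    return any(a != host for a in (pkt["ip.src"], pkt["ip.dst"]))


def frames(pred):
    """Frame numbers of the constructed packets matching a filter predicate."""
    return [p["frame"] for p in PACKETS if pred(p)]


if __name__ == "__main__":
    print("ip.addr == 192.168.1.100     ->", frames(lambda p: ip_addr(p, "192.168.1.100")))
    print("tcp && tcp.port == 21        ->", frames(lambda p: proto(p, "tcp") and tcp_port(p, 21)))
    print("!(ip.addr == 192.168.1.100)  ->", frames(lambda p: not ip_addr(p, "192.168.1.100")))
    print("ip.addr != 192.168.1.100     ->", frames(lambda p: ip_addr_ne(p, "192.168.1.100")))
```

The last two lines of the demo are the point: wrapping the comparison in `not` yields only frame 3, while the `!=` form still returns every frame.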
tshark
List available interfaces to capture from:
tshark -D
Capture on a selected interface:
tshark -i (interface)
Apply a capture filter looking for a specific host:
tshark -i eth0 -f "host (ip)"
Display the interfaces available to capture from, then exit:
-D
List the link-layer types you can capture from, then exit:
-L
Stop condition: capture a specific number of packets, then quit:
-c (count)
Auto-stop condition: stop after a duration, a file size, or a number of packets:
-a duration:(seconds) / -a filesize:(kB) / -a packets:(count)
Read from a file:
-r (pcap-file)
Write into a file (pcapng format by default):
-w (pcap-file)
Print the packet summary while also writing into a file (-w):
-P
Add hex and ASCII dump output to the packet display:
-x
FTP Identifiers
Data Transfer
Shows the FTP command that initiated the data transfer
ftp-data.command == "RETR"
References the frame number containing the original FTP command
ftp-data.command-frame == 42
Displays the working directory during data transfer
ftp-data.current-working-directory == "/home/user"
Frame number where the data connection was established
ftp-data.setup-frame == 38
Method used to establish the data connection (active/passive)
ftp-data.setup-method == "PORT"
Active Mode Configuration
Client IP address in active mode PORT command
ftp.active.cip == 192.168.1.100
Indicates if NAT translation occurred in active mode
ftp.active.nat == 1/0
Client port number specified in PORT command
ftp.active.port == 20001
Command Channel Communication
FTP command sent by client
ftp.command == "USER"
Frame number containing the FTP command
ftp.command-frame == 15
Data transfer rate for command response
ftp.command-response.bitrate == 1048576
Total bytes transferred in command response
ftp.command-response.bytes == 2048
Time duration of command response
ftp.command-response.duration == 1.5
First frame number in response sequence
ftp.command-response.first-frame-num == 16
Total number of frames in response
ftp.command-response.frames == 3
Last frame number in response sequence
ftp.command-response.last-frame-num == 18
Extended PORT Command (EPRT)
Address family (1=IPv4, 2=IPv6) in EPRT command
ftp.eprt.af == 1
Indicates invalid EPRT command arguments
ftp.eprt.args_invalid == 1
IPv4 address in EPRT command
ftp.eprt.ip == 10.0.0.5
IPv6 address in EPRT command
ftp.eprt.ipv6 == 2001:db8::1
Port number in EPRT command
ftp.eprt.port == 21000
Extended Passive Mode (EPSV)
Indicates invalid EPSV response arguments
ftp.epsv.args_invalid == 1/0
IPv4 address in EPSV response
ftp.epsv.ip == 192.168.1.10
IPv6 address in EPSV response
ftp.epsv.ipv6 == fe80::1
Port number provided in EPSV response
ftp.epsv.port == 21001
Passive Mode Configuration
Server IP address in passive mode PASV response
ftp.passive.ip == 203.0.113.1
Indicates NAT translation in passive mode
ftp.passive.nat == 1
Server port number in PASV response
ftp.passive.port == 20010
Client Requests
Indicates packet contains an FTP request
ftp.request == 1/0
Arguments/parameters of FTP request command
ftp.request.arg == "anonymous"
Specific FTP command in request
ftp.request.command == "PASS"
Server Responses
Indicates packet contains an FTP server response
ftp.response == 1/0
Arguments/message text in server response
ftp.response.arg == "Login successful"
Numeric FTP response code from server
ftp.response.code == 220
Indicates invalid/malformed response code
ftp.response.code.invalid == 1/0
Indicates invalid PWD (Print Working Directory) response
ftp.response.pwd.invalid == 1/0
Frame number where FTP connection was established
ftp.setup-frame == 5
Current working directory on FTP server
ftp.current-working-directory == "/pub/files"
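The ftp.active.*, ftp.passive.*, ftp.eprt.* and ftp.epsv.* fields above are all decoded from four control-channel messages (PORT, the 227 PASV reply, EPRT and the 229 EPSV reply). The following added example, written for this page and not taken from Wireshark's dissector, parses those messages the same way: dotted host/port pairs are decoded with port = p1*256 + p2, EPRT arguments are validated against the address family (the condition ftp.eprt.args_invalid flags), and an address announced in PORT that differs from the client IP on the control connection is reported as a NAT mismatch, which is assumed here to be what ftp.active.nat indicates. The control-channel lines and the helper names (parse_port, parse_pasv, parse_eprt, parse_epsv, active_nat_mismatch, data_channel_endpoints) are this example's own.

```python
"""Decode FTP data-channel setup messages (PORT / 227 / EPRT / 229)."""
import ipaddress
import re

# "h1,h2,h3,h4,p1,p2" form used by PORT (RFC 959) and the 227 PASV reply.
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode_hostport(match):
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None                      # malformed: every field is one byte
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # port = p1*256 + p2
    return ip, port


def parse_port(line):
    """'PORT 192,168,1,100,78,33' -> ('192.168.1.100', 20001); None if malformed."""
    m = re.fullmatch(r"PORT\s+" + _HP + r"\s*", line.strip("\r\n"), re.IGNORECASE)
    return _decode_hostport(m) if m else None


def parse_pasv(line):
    """'227 Entering Passive Mode (203,0,113,1,78,42).' -> ('203.0.113.1', 20010)."""
    if not line.startswith("227"):
        return None
    m = re.search(_HP, line)
    return _decode_hostport(m) if m else None


def parse_eprt(line):
    """'EPRT |2|2001:db8::1|21000|' -> (af, ip, port), af 1=IPv4 / 2=IPv6; None if invalid."""
    m = re.fullmatch(r"EPRT\s+\|(\d)\|([^|]+)\|(\d+)\|\s*", line.strip("\r\n"), re.IGNORECASE)
    if not m:
        return None
    af, ip, port = int(m.group(1)), m.group(2), int(m.group(3))
    try:
        version = ipaddress.ip_address(ip).version
    except ValueError:
        return None
    if {1: 4, 2: 6}.get(af) != version or not 0 < port < 65536:
        return None                      # the case ftp.eprt.args_invalid flags
    return af, ip, port


def parse_epsv(line):
    """'229 Entering Extended Passive Mode (|||21001|)' -> 21001; None if invalid."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", line)
    if not line.startswith("229") or not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def active_nat_mismatch(port_line, control_client_ip):
    """Simplified mirror (assumption) of ftp.active.nat: True when the address
    announced in PORT differs from the client IP seen on the control connection."""
    parsed = parse_port(port_line)
    return None if parsed is None else parsed[0] != control_client_ip


# Constructed control-channel exchange: (source IP of the packet, line).
SAMPLE = [
    ("192.168.1.100", "PORT 192,168,1,100,78,33"),
    ("203.0.113.1", "227 Entering Passive Mode (203,0,113,1,78,42)."),
    ("192.168.1.100", "EPRT |2|2001:db8::1|21000|"),
    ("203.0.113.1", "229 Entering Extended Passive Mode (|||21001|)"),
]


def data_channel_endpoints(exchange):
    """Return [(kind, ip, port)] for every data-channel setup line in the exchange."""
    out = []
    for src_ip, line in exchange:
        if p := parse_port(line):
            out.append(("PORT", p[0], p[1]))
        elif p := parse_pasv(line):
            out.append(("PASV", p[0], p[1]))
        elif p := parse_eprt(line):
            out.append(("EPRT", p[1], p[2]))
        elif (port := parse_epsv(line)) is not None:
            out.append(("EPSV", src_ip, port))   # EPSV carries no address: reuse the server's IP
    return out


if __name__ == "__main__":
    for entry in data_channel_endpoints(SAMPLE):
        print(entry)
```

Running the script prints the four decoded endpoints; the same values are what a display filter such as ftp.active.port == 20001 or ftp.passive.port == 20010 would match in a capture of this exchange.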