Useful Riverbed SteelHead Wireshark Filters
Useful Wireshark filters
Inner channel splice setup: rvbd.sport.setup.type eq 0x1
Using Riverbed Wireshark 1.8.2 you can use a new feature to find all inner channel traffic for a conversation. First locate the splice connection you are interested in, for instance with the inner channel splice setup filter above (rvbd.sport.setup.type eq 0x1), which displays all splice setups, or by some other method.
Once you have identified the splice connection, right-click on it in Wireshark and choose the 'Find the inner channel' option to locate the entire inner channel connection. Right-clicking on any part of an optimised connection gives the same result.
Other filters
Checking for oplock (server): smb.cmd == 0xa2 or smb.cmd == 0x24
Filter on two IP addresses (both directions) and two ports: (ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)
Filter on two IP addresses (both directions): ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX
IP Source: ip.src == XXX.XXX.XXX.XXX
IP Destination: ip.dst == XXX.XXX.XXX.XXX
IP source and destination: ip.src == XXX.XXX.XXX.XXX and ip.dst == XXX.XXX.XXX.XXX
IP source or destination: ip.src == XXX.XXX.XXX.XXX or ip.dst == XXX.XXX.XXX.XXX
Packet loss: tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.lost_segment or tcp.analysis.duplicate_ack
Slow SMB: smb.time >= 0.02
SMB signing: smb && smb.signature!=00:00:00:00:00:00:00:00
ARP destination (target) IP address: arp.dst.proto_ipv4 == XXX.XXX.XXX.XXX
ARP source (sender) IP address: arp.src.proto_ipv4 == XXX.XXX.XXX.XXX
ARP destination (target) MAC address: arp.dst.hw_mac == XX:XX:XX:XX:XX:XX
ARP source (sender) MAC address: arp.src.hw_mac == XX:XX:XX:XX:XX:XX
BGP Originator: bgp.originator_id == XXX.XXX.XXX.XXX
BGP Next Hop: bgp.next_hop == XXX.XXX.XXX.XXX
CDP TTL: cdp.ttl
CDP TLV length: cdp.tlv.len
DNS Authenticated Answer: dns.flags.authenticated
DNS Updates: dns.count.updates
DNS Response: dns.response
General use
Filter on one IP address: ip.addr == XXX.XXX.XXX.XXX
Filter on two IP addresses: ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX
Filter on two IP addresses and two different TCP ports, 3548 and 80: (ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)
Non-source-routed packets can be found with: tr.sr == 0
Ethernet addresses and byte arrays are represented by hex digits. The hex digits may be separated by colons, periods, or hyphens:
eth.dst eq ff:ff:ff:ff:ff:ff
aim.data == 0.1.0.d
fddi.src == aa-aa-aa-aa-aa-aa
echo.data == 7a
IPv4 addresses can be represented in either dotted decimal notation or by using the hostname:
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
Autodiscovery and probe filters
All probes and probe responses: tcp.options.rvbd.probe
Probes sent by a given CFE: tcp.options.rvbd.probe.prober == XXX.XXX.XXX.XXX
Probe responses from a given SFE: tcp.options.rvbd.probe.proxy.ip == XXX.XXX.XXX.XXX
SYN+: tcp.options contains 4c:a
SYN-ACK+: tcp.options contains 4c:e
Extra probe response present (required for transparency): tcp.options contains 4c:4:e
Transparency enabled in SYN-ACK+ (this needs thorough testing): tcp.options[-6:3] eq 4c:4:e and tcp.options[-3] & c
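The SYN+, SYN-ACK+ and extra probe response filters above match raw byte patterns in tcp.options. The Python below is an added example, not part of the original page: it walks the TCP option list and applies those same patterns only to options whose kind byte is 0x4c, and contrasts that with the plain substring match that `contains` performs, which can also fire on the same bytes inside another option's data (a timestamp value, say). It assumes each pattern reads as kind byte, length byte, then data; the option blobs are constructed samples, not captured traffic.

```python
RVBD_OPTION_KIND = 0x4C  # TCP option kind 76 (Riverbed): the "4c" byte the page's patterns start with
# The page's byte patterns read as (option length byte, leading data bytes); that reading is an assumption.
PROBE_PATTERNS = {
    "SYN+": (0x0A, b""),                      # tcp.options contains 4c:a
    "SYN-ACK+": (0x0E, b""),                  # tcp.options contains 4c:e
    "extra probe response": (0x04, b"\x0e"),  # tcp.options contains 4c:4:e
}

def parse_tcp_options(blob: bytes) -> list:
    """Walk the TCP option list into (kind, data) pairs; EOL and NOP carry no length byte."""
    opts, i = [], 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        opts.append((kind, blob[i + 2:i + length]))
        i += length
    return opts

def dfilter_contains(blob: bytes, pattern: bytes) -> bool:
    """What 'tcp.options contains 4c:a' does: a raw substring test, blind to option boundaries."""
    return pattern in blob

def classify_probe(blob: bytes) -> list:
    """Apply the page's patterns only to options whose kind byte is 0x4c (structure-aware check)."""
    hits = []
    for kind, data in parse_tcp_options(blob):
        if kind != RVBD_OPTION_KIND:
            continue
        for label, (length, prefix) in PROBE_PATTERNS.items():
            if len(data) + 2 == length and data.startswith(prefix):
                hits.append(label)
    return hits

# Constructed option blobs (not from a real capture): MSS, NOP, NOP, SACK-permitted, then a kind-0x4c option with zero placeholder payload.
COMMON = bytes.fromhex("020405b4 0101 0402")
SYN_PLUS = COMMON + bytes.fromhex("4c0a") + bytes(8)
SYNACK_PLUS = COMMON + bytes.fromhex("4c0e") + bytes(12)
SYNACK_PLUS_EXTRA = SYNACK_PLUS + bytes.fromhex("4c040e00")
# Plain SYN with MSS and Timestamps only; the TSval just happens to contain the bytes 4c 0a.
PLAIN_SYN_TS = bytes.fromhex("020405b4 080a 004c0a00 00000000")
```

classify_probe(SYNACK_PLUS_EXTRA) returns both the SYN-ACK+ and extra probe response labels, while dfilter_contains(PLAIN_SYN_TS, bytes.fromhex("4c0a")) is True even though that packet carries no kind-0x4c option at all.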