
Useful Riverbed SteelHead Wireshark Filters

June 16th, 2012

Useful Wireshark filters

To find an inner channel splice setup: rvbd.sport.setup.type eq 0x1

The Riverbed build of Wireshark 1.8.2 adds a feature that locates all inner channel traffic for a conversation. To find a starting point you can, for instance, use the inner channel splice setup filter rvbd.sport.setup.type eq 0x1 to display all splice setups, or any other filter that isolates the connection.

When you have identified the splice connection you are interested in you can then right click on the connection in Wireshark and choose the ‘Find the inner channel’ option to try to locate the entire inner channel connection. You can also right click on any part of an optimised connection to obtain the same result.

Other filters

Checking for oplock (server): smb.cmd == 0xa2 or smb.cmd == 0x24

Filter on two IP addresses (both directions) and two ports: (ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)

Filter on two IP addresses (both directions): ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX

IP Source: ip.src == XXX.XXX.XXX.XXX

IP Destination: ip.dst == XXX.XXX.XXX.XXX

IP Source and Destination: ip.src == XXX.XXX.XXX.XXX and ip.dst == XXX.XXX.XXX.XXX

IP Source or Destination: ip.src == XXX.XXX.XXX.XXX or ip.dst == XXX.XXX.XXX.XXX

Packet loss: tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.lost_segment or tcp.analysis.duplicate_ack

Slow SMB: smb.time >= 0.02

SMB signing: smb && smb.signature!=00:00:00:00:00:00:00:00

Destination ARP for IP address: arp.dst.proto_ipv4 == XXX.XXX.XXX.XXX

Source ARP for IP address: arp.src.proto_ipv4 == XXX.XXX.XXX.XXX

ARP destination hardware (MAC) address: arp.dst.hw_mac == XX:XX:XX:XX:XX:XX

ARP source hardware (MAC) address: arp.src.hw_mac == XX:XX:XX:XX:XX:XX

BGP Originator: bgp.originator_id == XXX.XXX.XXX.XXX

BGP Next Hop: bgp.next_hop == XXX.XXX.XXX.XXX

CDP TTL: cdp.ttl

CDP TLV length: cdp.tlv.len

DNS Authenticated Answer: dns.flags.authenticated

DNS Updates: dns.count.updates

DNS Response: dns.response

General use

Filter on one IP address (either direction): ip.addr == XXX.XXX.XXX.XXX

Filter on two IP addresses (both directions): ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX

Filter on two IP addresses and two TCP ports, 3548 and 80: (ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)

Non source-routed Token Ring packets can be found with: tr.sr == 0

Ethernet addresses and byte arrays are represented by hex digits. The hex digits may be separated by colons, periods, or hyphens:

eth.dst eq ff:ff:ff:ff:ff:ff

aim.data == 0.1.0.d

fddi.src == aa-aa-aa-aa-aa-aa

echo.data == 7a

IPv4 addresses can be represented in either dotted decimal notation or by using the hostname:

ip.dst eq www.mit.edu

ip.src == 192.168.1.1

Autodiscovery and probe filters

Finding all probes and probe responses: tcp.options.rvbd.probe

Finding probes by CFE: tcp.options.rvbd.probe.prober == XXX.XXX.XXX.XXX

Finding probe responses by SFE: tcp.options.rvbd.probe.proxy.ip == XXX.XXX.XXX.XXX

SYN+

tcp.options contains 4c:a

SYN-ACK+

tcp.options contains 4c:e

Extra probe response present (required for transparency)

tcp.options contains 4c:4:e

Transparency enabled in SYN-ACK+

(this needs thorough testing) tcp.options[-6:3] eq 4c:4:e and tcp.options[-3] & c
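The "contains" filters above are raw byte-substring matches over the whole TCP options field, and the slice filter reads fixed offsets from its end, which is why they can misfire. The following added example (not from the original post) reproduces both matching styles on constructed option bytes and contrasts them with a proper kind/length walk that only reports a real kind 0x4c option; the option layouts are constructed samples, not captured Riverbed traffic.

```python
# Added example: what "tcp.options contains 4c:0a" and
# "tcp.options[-6:3] eq 4c:04:0e and tcp.options[-3] & 0c" actually test,
# versus walking the options as kind/length/value triples.
RVBD_PROBE_KIND = 0x4C  # kind 76, the Riverbed probe option


def parse_tcp_options(opts: bytes):
    """Walk the TCP options field; returns a list of (kind, value) pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL: nothing follows
            break
        if kind == 1:                       # NOP: no length byte
            out.append((1, b""))
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def contains(opts: bytes, pattern: bytes) -> bool:
    """Wireshark 'contains': substring test anywhere in the field."""
    return pattern in opts


def slice_match(opts: bytes) -> bool:
    """[-6:3] = three bytes starting six from the end; [-3] & 0c nonzero."""
    return (len(opts) >= 6 and opts[-6:-3] == b"\x4c\x04\x0e"
            and (opts[-3] & 0x0C) != 0)


def rvbd_probe_lengths(opts: bytes):
    """Total lengths of genuine kind-0x4c options found by the TLV walk."""
    return [len(v) + 2 for k, v in parse_tcp_options(opts)
            if k == RVBD_PROBE_KIND]


# Constructed sample 1: MSS, SACK-permitted, then a 10-byte probe option
SYN_PLUS = bytes.fromhex("020405b4" "0402" "4c0a" + "00" * 8)
# Constructed sample 2: no probe, but a timestamp value contains 4c 0a
FALSE_POS = bytes.fromhex("080a" "004c0a00" "00000000")
# Constructed sample 3: a tail shaped to satisfy the slice filter only
SLICE_TAIL = bytes.fromhex("0402" "4c040e0c" "0101")
```

Run the three samples through both matchers: the substring filter flags the timestamp packet as a probe while the TLV walk does not, which is the kind of false positive to rule out before trusting "contains"-based counts from a capture.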
