{"id":2095,"date":"2012-06-16T16:32:41","date_gmt":"2012-06-16T15:32:41","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=2095"},"modified":"2015-03-06T18:27:40","modified_gmt":"2015-03-06T18:27:40","slug":"useful-riverbed-steelhead-wireshark-filters","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=2095","title":{"rendered":"Useful Riverbed SteelHead Wireshark Filters"},"content":{"rendered":"<div class=\"content\">\n<p><strong>Useful Wireshark filters<\/strong><\/p>\n<p>To find inner channel splice setups: <code>rvbd.sport.setup.type eq 0x1<\/code><\/p>\n<p>Riverbed's build of Wireshark 1.8.2 adds a feature that locates all of the inner channel traffic belonging to one conversation. First narrow the capture down to the connection you care about, for instance with the splice setup filter above (<code>rvbd.sport.setup.type eq 0x1<\/code>), which displays every splice setup, or with any other filter that isolates it.<\/p>\n<p>Once you have identified the splice connection you are interested in, right click on it in Wireshark and choose the &#8216;Find the inner channel&#8217; option to locate the entire inner channel connection. 
You can also right click on any part of an optimised connection to obtain the same result.<\/p>\n<p><!--more--><\/p>\n<p><strong>Other filters<\/strong><\/p>\n<p>Checking for oplocks (server side), i.e. SMB1 NT Create AndX (0xa2) and Locking AndX (0x24, the command that carries oplock breaks): <code>smb.cmd == 0xa2 or smb.cmd == 0x24<\/code><\/p>\n<p>Filter on two IP addresses (both directions) and two ports: <code>(ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)<\/code><\/p>\n<p>Filter on two IP addresses (both directions): <code>ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX<\/code><\/p>\n<p>IP source: <code>ip.src == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>IP destination: <code>ip.dst == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>IP source and destination: <code>ip.src == XXX.XXX.XXX.XXX and ip.dst == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>IP source or destination: <code>ip.src == XXX.XXX.XXX.XXX or ip.dst == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>Packet loss (segments that Wireshark's TCP analysis flags as retransmitted, missing or duplicate-acknowledged): <code>tcp.analysis.retransmission or tcp.analysis.fast_retransmission or tcp.analysis.lost_segment or tcp.analysis.duplicate_ack<\/code><\/p>\n<p>Slow SMB (responses taking 20 ms or longer): <code>smb.time &gt;= 0.02<\/code><\/p>\n<p>SMB signing in use (SMB1 fields; SMB2 exposes the equivalent under <code>smb2<\/code>): <code>smb &amp;&amp; smb.signature != 00:00:00:00:00:00:00:00<\/code><\/p>\n<p>ARP target IP address: <code>arp.dst.proto_ipv4 == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>ARP sender IP address: <code>arp.src.proto_ipv4 == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>ARP target MAC address: <code>arp.dst.hw_mac == xx:xx:xx:xx:xx:xx<\/code><\/p>\n<p>ARP sender MAC address: <code>arp.src.hw_mac == xx:xx:xx:xx:xx:xx<\/code><\/p>\n<p>BGP originator: <code>bgp.originator_id == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>BGP next hop: <code>bgp.next_hop == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>CDP TTL: <code>cdp.ttl<\/code><\/p>\n<p>CDP TLV length: <code>cdp.tlv.len<\/code><\/p>\n<p>DNS authenticated answer (AD flag set): 
<code>dns.flags.authenticated<\/code><\/p>\n<p>DNS update count: <code>dns.count.updates<\/code><\/p>\n<p>DNS responses only: <code>dns.flags.response == 1<\/code><\/p>\n<p><strong>General use<\/strong><\/p>\n<p>Filter on a single IP address (either direction): <code>ip.addr == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>Filter on traffic between two IP addresses: <code>ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX<\/code><\/p>\n<p>Filter on two IP addresses and two different TCP ports, 3548 and 80: <code>(ip.addr eq XXX.XXX.XXX.XXX and ip.addr eq XXX.XXX.XXX.XXX) and (tcp.port eq 3548 and tcp.port eq 80)<\/code><\/p>\n<p>Non source-routed Token Ring frames can be found with: <code>tr.sr == 0<\/code><\/p>\n<p>Ethernet addresses and byte arrays are written as hex digits, which may be separated by colons, periods or hyphens:<\/p>\n<p><code>eth.dst eq ff:ff:ff:ff:ff:ff<\/code><\/p>\n<p><code>aim.data == 0.1.0.d<\/code><\/p>\n<p><code>fddi.src == aa-aa-aa-aa-aa-aa<\/code><\/p>\n<p><code>echo.data == 7a<\/code><\/p>\n<p>IPv4 addresses can be given in dotted decimal notation or as a hostname (the hostname is resolved once, when the filter is compiled, not per packet):<\/p>\n<p><code>ip.dst eq www.mit.edu<\/code><\/p>\n<p><code>ip.src == 192.168.1.1<\/code><\/p>\n<p><strong>Autodiscovery and probe filters<\/strong><\/p>\n<p>Finding all probes and probe responses: <code>tcp.options.rvbd.probe<\/code><br \/>\nFinding probes sent by a particular CFE (client-side SteelHead): <code>tcp.options.rvbd.probe.prober == XXX.XXX.XXX.XXX<\/code><br \/>\nFinding probe responses from a particular SFE (server-side SteelHead): <code>tcp.options.rvbd.probe.proxy.ip == XXX.XXX.XXX.XXX<\/code><\/p>\n<p>The filters below match raw bytes in the TCP options field: 0x4c is TCP option kind 76, the Riverbed probe option, and the byte after it is the option length. Because <code>contains<\/code> is a plain byte search, the same two bytes appearing inside another option's value (a timestamp, for example) will also match, so prefer the dissected <code>tcp.options.rvbd.probe<\/code> fields above when the capture also holds ordinary TCP traffic.<\/p>\n<p>SYN+ (probe option of length 10)<\/p>\n<p><code>tcp.options contains 4c:a<\/code><\/p>\n<p>SYN-ACK+ (probe response option of length 14)<\/p>\n<p><code>tcp.options contains 4c:e<\/code><\/p>\n<p>Extra probe response present (required for transparency)<\/p>\n<p><code>tcp.options contains 4c:4:e<\/code><\/p>\n<p>Transparency enabled in SYN-ACK+<\/p>\n<p>(this needs thorough testing) <code>tcp.options[-6:3] eq 4c:4:e and tcp.options[-3] &amp; 
c<\/code><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Useful Wireshark filters To Find Inner channel splice setup: rvbd.sport.setup.type eq 0x1 Using Riverbed Wireshark 1.8.2 you can use a new feature to find all inner channel traffic for a conversation. You can for instance use the Inner channel splice setup filter rvbd.sport.setup.type eq 0x1 to display all splice setups or some other method. When [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[27],"tags":[75,47,37],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2095"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2095"}],"version-history":[{"count":3,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2095\/revisions"}],"predecessor-version":[{"id":2166,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2095\/revisions\/2166"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2095"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
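The post's byte-pattern probe filters (`tcp.options contains 4c:a` for SYN+ and `4c:e` for SYN-ACK+) search for raw bytes anywhere in the TCP options field, while the dissected `tcp.options.rvbd.probe` field only matches a genuine option. The following Python is an added example, not code from the post or from Riverbed: it walks the TCP option TLVs the way a dissector does, flags option kind 76 (0x4c) and labels it by the lengths the post gives (10 for SYN+, 14 for SYN-ACK+), and sets that next to a plain byte search so the false positive is visible. The option byte strings are constructed for the demonstration, the prober and proxy addresses in them are invented, and the probe option's body layout is only illustrative; nothing beyond the option kind and length is decoded.

```python
"""Walk a TCP options field and flag Riverbed probe options.

Added example, not part of the original post. 0x4c is TCP option kind 76,
the Riverbed probe option Wireshark dissects as tcp.options.rvbd.probe; the
SYN+ / SYN-ACK+ labels follow the option lengths the post's filters use
(0x0a = 10 and 0x0e = 14). Every byte string below is constructed.
"""
from typing import List, Tuple

RVBD_PROBE_KIND = 0x4C  # TCP option kind 76, the "4c" in the post's filters

# option length -> label, taken from the post's filters (4c:a and 4c:e)
PROBE_LABELS = {0x0A: "SYN+", 0x0E: "SYN-ACK+"}


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, value) pairs by walking the option TLV list (RFC 793).

    Kind 0 (EOL) stops the walk, kind 1 (NOP) has no length byte, and every
    other kind carries a length byte that counts the kind and length bytes
    too. A malformed length raises rather than being skipped silently.
    """
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def riverbed_probes(opts: bytes) -> List[str]:
    """Labels of the Riverbed probe options found by a real option walk."""
    labels = []
    for kind, value in parse_tcp_options(opts):
        if kind == RVBD_PROBE_KIND:
            total = len(value) + 2
            labels.append(PROBE_LABELS.get(total, "rvbd len=%d" % total))
    return labels


def contains_match(opts: bytes, pattern: bytes) -> bool:
    """What 'tcp.options contains xx:yy' does: a raw byte search."""
    return pattern in opts


def compare(opts: bytes, pattern: bytes = b"\x4c\x0a") -> Tuple[bool, List[str]]:
    """(result of the byte-pattern filter, result of the option walk)."""
    return contains_match(opts, pattern), riverbed_probes(opts)


# Constructed SYN+ options: MSS 1460, a probe option of length 10 (kind 0x4c,
# len 0x0a, then an illustrative body: type byte, reserved byte, invented
# prober IP 10.1.1.5, two filler bytes), then NOP, NOP, SACK-permitted.
SYN_PLUS = bytes([0x02, 0x04, 0x05, 0xB4,
                  0x4C, 0x0A, 0x01, 0x00, 10, 1, 1, 5, 0x00, 0x00,
                  0x01, 0x01, 0x04, 0x02])

# Constructed SYN-ACK+ options: MSS 1460 and a probe response of length 14
# (kind 0x4c, len 0x0e, illustrative body with invented prober and proxy IPs).
SYN_ACK_PLUS = bytes([0x02, 0x04, 0x05, 0xB4,
                      0x4C, 0x0E, 0x02, 0x00, 10, 1, 1, 5, 10, 2, 2, 9, 0x1F, 0x90])

# Constructed ordinary SYN: MSS 1460, NOP, NOP, timestamps. The TSval happens
# to contain the bytes 4c 0a, which is enough to satisfy 'contains 4c:a'.
TIMESTAMP_DECOY = bytes([0x02, 0x04, 0x05, 0xB4,
                         0x01, 0x01,
                         0x08, 0x0A, 0x00, 0x4C, 0x0A, 0x33, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for name, opts in (("SYN+", SYN_PLUS), ("SYN-ACK+", SYN_ACK_PLUS),
                       ("timestamp decoy", TIMESTAMP_DECOY)):
        print(name, compare(opts))
```

Running the block shows the decoy satisfying the byte search while the option walk reports no probe; in a live capture the equivalent check is to filter on the dissected field, for example `tshark -r capture.pcap -Y 'tcp.options.rvbd.probe'`, rather than on `contains`.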