
Wireshark

Wireshark is the new name for what was Ethereal. It is a graphical packet sniffer that uses the same capture libraries as tcpdump.

Display Filters

Display filters have their own syntax, whereas capture filters use tcpdump syntax.

See also: https://www.wireshark.org/docs/man-pages/wireshark-filter.html

Filter by packet data content

Display all packets that contain "foo" in the data section:

data contains "foo"

contains is a simple, case-sensitive substring match, whereas matches applies a Perl-compatible regular expression.

Display hosts within a given subnet

ip.addr == 10.57.8.244/30

Display data within a port range

To see all ceph-osd data:

tcp.port >= 6800 and tcp.port <= 7300
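A caveat worth knowing about the filter above: tcp.port occurs twice in every TCP packet (source and destination), and Wireshark treats a comparison as true if any occurrence satisfies it. The two terms of "tcp.port >= 6800 and tcp.port <= 7300" can therefore be satisfied by different ports, so a packet from port 8000 to port 80 also matches. The membership form "tcp.port in {6800..7300}", documented in the wireshark-filter man page linked above, tests each port against the whole range. The following script is an added illustration of that evaluation rule written for this page; it is not Wireshark code, and the packets in it are constructed:

```python
"""Model of how Wireshark evaluates a comparison against a field that
occurs more than once in a packet. Added illustration for this page,
not Wireshark's own code; the packet list is constructed."""

# Constructed sample packets: (source port, destination port)
PACKETS = [
    (51234, 6800),   # client -> ceph-osd
    (6801, 51234),   # ceph-osd -> client
    (8000, 80),      # unrelated: neither port lies in 6800..7300
    (7301, 7301),    # just outside the range on both sides
]


def any_occurrence(values, predicate):
    """Wireshark semantics: a comparison on a multi-occurrence field is true
    if ANY occurrence satisfies it (the same rule that makes 'ip.addr != x'
    surprising)."""
    return any(predicate(v) for v in values)


def ge_and_le_filter(ports, low=6800, high=7300):
    """tcp.port >= 6800 and tcp.port <= 7300, evaluated term by term.
    Each term may be satisfied by a different port occurrence."""
    return (any_occurrence(ports, lambda p: p >= low)
            and any_occurrence(ports, lambda p: p <= high))


def in_range_filter(ports, low=6800, high=7300):
    """tcp.port in {6800..7300}: every occurrence is tested against the
    whole range, so a single port must actually lie inside it."""
    return any_occurrence(ports, lambda p: low <= p <= high)


def apply_filter(filter_fn, packets=PACKETS):
    """Return the packets the given filter would display."""
    return [pkt for pkt in packets if filter_fn(pkt)]


if __name__ == "__main__":
    print(">= and <= :", apply_filter(ge_and_le_filter))   # includes (8000, 80)
    print("in range  :", apply_filter(in_range_filter))    # only the OSD packets
```

Running it shows the first filter displaying three packets, including the unrelated (8000, 80) one, while the range form displays only the two that really touch an OSD port.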

Show only dns traffic about a certain host

dns.qry.name contains www.rmi.net || dns.resp.name contains www.rmi.net

Show all dns queries that do not have a response

In order for this to work you must perform the capture on the client side, or capture traffic from all DNS servers and combine it.

dns && (dns.flags.response == 0) && ! dns.response_in

IO graphing

Within the Statistics -> IO Graph window, you can create graphs that illustrate trends in traffic.

DNS response time stats

Create graphs that have the following data:

Graph Name     Display Filter   Style   Y Axis         Y Field    SMA Period
AVG DNS Time   dns              line    AVG(Y Field)   dns.time   10 interval SMA
MAX DNS Time   dns              line    MAX(Y Field)   dns.time   10 interval SMA
MIN DNS Time   dns              line    MIN(Y Field)   dns.time   10 interval SMA
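Both the "queries without a response" filter and the three IO graph rows rest on the same step: pairing each DNS response with its query. Wireshark does that pairing for you (dns.response_in on the query, dns.time on the response); the script below is an added example, written for this page and not taken from Wireshark, that does the equivalent on a handful of constructed client-side records, lists the queries that never got an answer, and then computes the per-interval AVG/MAX/MIN of the response time with a 10-interval simple moving average as the table configures. Its pairing key, (client IP, transaction ID, query name), and its handling of empty intervals are assumptions of this example, not a description of Wireshark's internals.

```python
"""Offline model of dns.response_in / dns.time pairing and of the
AVG/MAX/MIN + SMA graph rows. Added example for this page; the DNS
records are constructed, not captured."""

from collections import defaultdict
from statistics import mean

# Constructed client-side records: (timestamp_s, client_ip, txid, qname, is_response)
RECORDS = [
    (0.10, "10.0.0.5", 0x1A2B, "www.rmi.net", False),
    (0.13, "10.0.0.5", 0x1A2B, "www.rmi.net", True),
    (1.20, "10.0.0.5", 0x1A2C, "api.example.net", False),
    (1.35, "10.0.0.5", 0x1A2C, "api.example.net", True),
    (2.05, "10.0.0.7", 0x9F01, "nx.example.net", False),     # never answered
    (3.40, "10.0.0.5", 0x1A2D, "www.rmi.net", False),
    (3.42, "10.0.0.5", 0x1A2D, "www.rmi.net", True),
    (4.00, "10.0.0.7", 0x9F02, "slow.example.net", False),
    (4.90, "10.0.0.7", 0x9F02, "slow.example.net", True),
]


def pair_dns(records):
    """Match each response to the outstanding query with the same
    (client, txid, qname) key (an approximation of Wireshark's matching).
    Returns (response_times, unanswered): response_times holds
    (response_ts, seconds) like dns.time; unanswered holds (query_ts, qname)
    for queries with no response, i.e. '! dns.response_in'."""
    pending = {}
    times = []
    for ts, client, txid, qname, is_resp in sorted(records, key=lambda r: r[0]):
        key = (client, txid, qname)
        if not is_resp:                      # dns.flags.response == 0
            pending[key] = (ts, qname)
        elif key in pending:
            q_ts, _ = pending.pop(key)
            times.append((ts, ts - q_ts))
        # a response with no matching query is ignored here
    return times, list(pending.values())


def interval_stats(times, interval=1.0):
    """AVG/MAX/MIN of dns.time per time bucket, one row per interval,
    like the three graph rows above. Empty intervals yield None."""
    buckets = defaultdict(list)
    for ts, rt in times:
        buckets[int(ts // interval)].append(rt)
    n = max(buckets) + 1 if buckets else 0
    rows = []
    for i in range(n):
        vals = buckets.get(i)
        rows.append((i, mean(vals), max(vals), min(vals)) if vals
                    else (i, None, None, None))
    return rows


def sma(values, period=10):
    """Simple moving average over the last `period` intervals. Skipping
    empty intervals instead of counting them as zero is this example's
    choice, not necessarily the IO graph's."""
    out = []
    for i in range(len(values)):
        window = [v for v in values[max(0, i - period + 1):i + 1] if v is not None]
        out.append(mean(window) if window else None)
    return out


if __name__ == "__main__":
    times, unanswered = pair_dns(RECORDS)
    print("unanswered queries:", unanswered)
    rows = interval_stats(times)
    avg_sma = sma([r[1] for r in rows])
    print("interval  avg    max    min    avg-SMA")
    for (i, a, mx, mn), s in zip(rows, avg_sma):
        fmt = lambda v: "  -   " if v is None else f"{v:.3f}"
        print(f"{i:8d}  {fmt(a)}  {fmt(mx)}  {fmt(mn)}  {fmt(s)}")
```

The unanswered list is what the "dns && (dns.flags.response == 0) && ! dns.response_in" filter shows, and the per-interval rows are the data points the AVG/MAX/MIN graphs plot before smoothing; the script needs a client-side view for the same reason the filter does, since a query whose response was captured elsewhere looks unanswered.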
