Difference between revisions of "Wireshark"
(Created) |
m (→Display Filter) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[https://www.wireshark.org/ Wireshark] is an incredible tool to analyze network traffic. | [https://www.wireshark.org/ Wireshark] is an incredible tool to analyze network traffic. | ||
| − | === Adding dissectors === | + | ===Capture filtering=== |
| − | A dissector is a protocol analyzer. It can be written in LUA. | + | See [https://wiki.wireshark.org/CaptureFilters CaptureFilters]. Syntax is different from display filters. |
| + | |||
| + | To avoid big memory use, prefer filtering when capturing. | ||
| + | |||
| + | Use <code>and</code> <code>or</code> <code>not</code> and parenthesis to combine filters. | ||
| + | |||
| + | Typical filters are: | ||
| + | |||
| + | *<code>tcp and port 80</code> | ||
| + | *<code>udp and (port 8000 or port 8002)</code> | ||
| + | *<code>host 232.128.12.3</code> | ||
| + | *<code>igmp</code> | ||
| + | *<code>icmp</code> | ||
| + | |||
| + | ===Display Filter=== | ||
| + | See [https://wiki.wireshark.org/DisplayFilters DisplayFilters]. Syntax is different from capture filters. | ||
| + | |||
| + | They can be created from packets : select a packet, right-click, and select as filter. | ||
| + | |||
| + | Typical filters are : | ||
| + | |||
| + | *<code>ip.addr==192.168.1.12</code> | ||
| + | *<code>tcp.port==80</code> | ||
| + | *<code>tcp.flags.push==1</code> | ||
| + | *<code>vlan && udp</code> | ||
| + | *<code>_ws.expert.severity</code> select packets with a detected error | ||
| + | |||
| + | ===Decoding=== | ||
| + | To choose a decoder, right-click on one packet, and choose "Decode as...". | ||
| + | |||
| + | Then select the field that will select the dissector (TCP port, UDP port, RTP payload type, ...), choose the value, and select the decoder in Current column. | ||
| + | |||
| + | Choose Save to keep the changes for next launch. | ||
| + | |||
| + | ===Adding dissectors=== | ||
| + | A dissector is a protocol analyzer. It can be written in [https://www.lua.org/ LUA]. | ||
You can put your lua scripts in | You can put your lua scripts in | ||
| − | * Linux: <code>$HOME/.config/wireshark</code> | + | *Linux: <code>$HOME/.config/wireshark</code> |
| − | * Windows: <code>%AppData%\Wireshark\plugins</code> or <code>%ProgramFiles%\Wireshark\plugins</code> (folders are shown in Help–>About Wireshark–>Folders) | + | *Windows: <code>%AppData%\Wireshark\plugins</code> or <code>%ProgramFiles%\Wireshark\plugins</code> (folders are shown in Help–>About Wireshark–>Folders) |
For Linux, you need to add a <code>init.lua</code> script that will load them with <code>dofile("myfile.lua")</code>, in Windows it loads all present in the folder. | For Linux, you need to add a <code>init.lua</code> script that will load them with <code>dofile("myfile.lua")</code>, in Windows it loads all present in the folder. | ||
| Line 13: | Line 48: | ||
In recent versions of Wireshark, LUA [https://bitop.luajit.org bitop] can be used directly. | In recent versions of Wireshark, LUA [https://bitop.luajit.org bitop] can be used directly. | ||
| − | === Useful dissectors === | + | ====Useful dissectors==== |
| − | ==== ST2026 ==== | + | =====ST2026===== |
[[:File:ST2022 Dissector.zip|ST2022_Dissector.lua]] | [[:File:ST2022 Dissector.zip|ST2022_Dissector.lua]] | ||
| − | Select the "RTP Payload type" | + | Select the "RTP Payload type" to <code>ST2022-6</code> for ProMPEG FEC. |
| − | ==== | + | The stream must be first decoded as RTP. |
| + | |||
| + | =====ULP-FEC (<nowiki>RFC 5109</nowiki>)===== | ||
[[:File:Ulpfec.zip|ulpfec.lua]] | [[:File:Ulpfec.zip|ulpfec.lua]] | ||
| − | Select the "RTP Payload type" | + | Select the "RTP Payload type" to <code>ULPFEC</code> for RFC 5109 FEC. |
| − | ==== MPEG-TS Dump ==== | + | The stream must be first decoded as RTP. |
| + | |||
| + | =====MPEG-TS Dump===== | ||
[[:File:Mpeg packets dump.zip|mpeg_packets_dump.zip]] | [[:File:Mpeg packets dump.zip|mpeg_packets_dump.zip]] | ||
Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file. | Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file. | ||
| + | |||
| + | =====UltraVox 2.1 (Shoutcast 2)===== | ||
| + | [[:File:Uvox21.zip|uvox21.lua]] | ||
| + | |||
| + | For TCP stream, use <code>UVOX21</code>. | ||
| + | |||
| + | =====ADTS===== | ||
| + | [[:File:Adts.zip|adts.lua]] | ||
| + | |||
| + | For UDP/TCP stream, use <code>ADTS</code>. | ||
Latest revision as of 09:45, 7 June 2024
Wireshark is an incredible tool to analyze network traffic.
Contents
Capture filtering
See CaptureFilters. Syntax is different from display filters.
To avoid big memory use, prefer filtering when capturing.
Use and or not and parenthesis to combine filters.
Typical filters are:
tcp and port 80udp and (port 8000 or port 8002)host 232.128.12.3igmpicmp
Display Filter
See DisplayFilters. Syntax is different from capture filters.
They can be created from packets : select a packet, right-click, and select as filter.
Typical filters are :
ip.addr==192.168.1.12tcp.port==80tcp.flags.push==1vlan && udp_ws.expert.severityselect packets with a detected error
Decoding
To choose a decoder, right-click on one packet, and choose "Decode as...".
Then select the field that will select the dissector (TCP port, UDP port, RTP payload type, ...), choose the value, and select the decoder in Current column.
Choose Save to keep the changes for next launch.
Adding dissectors
A dissector is a protocol analyzer. It can be written in LUA.
You can put your lua scripts in
- Linux:
$HOME/.config/wireshark - Windows:
%AppData%\Wireshark\pluginsor%ProgramFiles%\Wireshark\plugins(folders are shown in Help–>About Wireshark–>Folders)
For Linux, you need to add a init.lua script that will load them with dofile("myfile.lua"), in Windows it loads all present in the folder.
In recent versions of Wireshark, LUA bitop can be used directly.
Useful dissectors
ST2026
Select the "RTP Payload type" to ST2022-6 for ProMPEG FEC.
The stream must be first decoded as RTP.
ULP-FEC (RFC 5109)
Select the "RTP Payload type" to ULPFEC for RFC 5109 FEC.
The stream must be first decoded as RTP.
MPEG-TS Dump
Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file.
UltraVox 2.1 (Shoutcast 2)
For TCP stream, use UVOX21.
ADTS
For UDP/TCP stream, use ADTS.
