Difference between revisions of "Wireshark"
m |
m (→Display Filter) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[https://www.wireshark.org/ Wireshark] is an incredible tool to analyze network traffic. | [https://www.wireshark.org/ Wireshark] is an incredible tool to analyze network traffic. | ||
| − | === Capture filtering === | + | ===Capture filtering=== |
See [https://wiki.wireshark.org/CaptureFilters CaptureFilters]. Syntax is different from display filters. | See [https://wiki.wireshark.org/CaptureFilters CaptureFilters]. Syntax is different from display filters. | ||
| Line 10: | Line 10: | ||
Typical filters are: | Typical filters are: | ||
| − | * <code>tcp and port 80</code> | + | *<code>tcp and port 80</code> |
| − | * <code>udp and (port 8000 or port 8002)</code> | + | *<code>udp and (port 8000 or port 8002)</code> |
| − | * <code>host 232.128.12.3</code> | + | *<code>host 232.128.12.3</code> |
| − | * <code>igmp</code> | + | *<code>igmp</code> |
| − | * <code>icmp</code> | + | *<code>icmp</code> |
| − | === Display Filter === | + | ===Display Filter=== |
See [https://wiki.wireshark.org/DisplayFilters DisplayFilters]. Syntax is different from capture filters. | See [https://wiki.wireshark.org/DisplayFilters DisplayFilters]. Syntax is different from capture filters. | ||
| Line 23: | Line 23: | ||
Typical filters are : | Typical filters are : | ||
| − | * <code>ip.addr==192.168.1.12</code> | + | *<code>ip.addr==192.168.1.12</code> |
| − | * <code>tcp.port==80</code> | + | *<code>tcp.port==80</code> |
| − | * <code>tcp.flags.push==1</code> | + | *<code>tcp.flags.push==1</code> |
| − | * <code>vlan && udp</code> | + | *<code>vlan && udp</code> |
| + | *<code>_ws.expert.severity</code> select packets with a detected error | ||
| + | |||
| + | ===Decoding=== | ||
| + | To choose a decoder, right-click on one packet, and choose "Decode as...". | ||
| + | |||
| + | Then select the field that will select the dissector (TCP port, UDP port, RTP payload type, ...), choose the value, and select the decoder in Current column. | ||
| + | |||
| + | Choose Save to keep the changes for next launch. | ||
===Adding dissectors=== | ===Adding dissectors=== | ||
| − | A dissector is a protocol analyzer. It can be written in LUA. | + | A dissector is a protocol analyzer. It can be written in [https://www.lua.org/ LUA]. |
You can put your lua scripts in | You can put your lua scripts in | ||
| Line 61: | Line 69: | ||
Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file. | Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file. | ||
| − | ===== UltraVox 2.1 (Shoutcast 2) ===== | + | =====UltraVox 2.1 (Shoutcast 2)===== |
[[:File:Uvox21.zip|uvox21.lua]] | [[:File:Uvox21.zip|uvox21.lua]] | ||
For TCP stream, use <code>UVOX21</code>. | For TCP stream, use <code>UVOX21</code>. | ||
| − | ===== ADTS ===== | + | =====ADTS===== |
[[:File:Adts.zip|adts.lua]] | [[:File:Adts.zip|adts.lua]] | ||
For UDP/TCP stream, use <code>ADTS</code>. | For UDP/TCP stream, use <code>ADTS</code>. | ||
Latest revision as of 09:45, 7 June 2024
Wireshark is an incredible tool to analyze network traffic.
Contents
Capture filtering
See CaptureFilters. Syntax is different from display filters.
To avoid big memory use, prefer filtering when capturing.
Use and or not and parenthesis to combine filters.
Typical filters are:
tcp and port 80udp and (port 8000 or port 8002)host 232.128.12.3igmpicmp
Display Filter
See DisplayFilters. Syntax is different from capture filters.
They can be created from packets : select a packet, right-click, and select as filter.
Typical filters are :
ip.addr==192.168.1.12tcp.port==80tcp.flags.push==1vlan && udp_ws.expert.severityselect packets with a detected error
Decoding
To choose a decoder, right-click on one packet, and choose "Decode as...".
Then select the field that will select the dissector (TCP port, UDP port, RTP payload type, ...), choose the value, and select the decoder in Current column.
Choose Save to keep the changes for next launch.
Adding dissectors
A dissector is a protocol analyzer. It can be written in LUA.
You can put your lua scripts in
- Linux:
$HOME/.config/wireshark - Windows:
%AppData%\Wireshark\pluginsor%ProgramFiles%\Wireshark\plugins(folders are shown in Help–>About Wireshark–>Folders)
For Linux, you need to add a init.lua script that will load them with dofile("myfile.lua"), in Windows it loads all present in the folder.
In recent versions of Wireshark, LUA bitop can be used directly.
Useful dissectors
ST2026
Select the "RTP Payload type" to ST2022-6 for ProMPEG FEC.
The stream must be first decoded as RTP.
ULP-FEC (RFC 5109)
Select the "RTP Payload type" to ULPFEC for RFC 5109 FEC.
The stream must be first decoded as RTP.
MPEG-TS Dump
Use Tools->Dump MPEG TS Packets to export the MPEG-TS stream to a file.
UltraVox 2.1 (Shoutcast 2)
For TCP stream, use UVOX21.
ADTS
For UDP/TCP stream, use ADTS.
