These are capture filters, not display filters, and are equally applicable to Wireshark, tshark and tcpdump, since they all use the same pcap filter syntax. In Wireshark the capture filter options are now hidden away and you have to double click on the interface under capture options to set or adjust the filter string.
The filters are broadly grouped by purpose and I will try to add more as I think of them. Please comment if there is something you think I have missed or would like added.
Note: if you want to strip off VLAN, MPLS, PPPoE or GRE headers from an existing pcap file, please see this post: Removing VLAN/MPLS/PPPoE/GRE Encapsulation
Ethernet
Match 802.1D spanning tree:
"ether dst 01:80:c2:00:00:00" (manpages say "ether proto stp" but I've had trouble with that)
Match Cisco PVST+:
"ether dst 01:00:0c:cc:cc:cd"
Match Cisco CDP / VTP / DTP / PAgP / UDLD:
"ether dst 01:00:0c:cc:cc:cc"
Match LLDP:
"ether proto 0x88cc"
Match LACP (slow protocols):
"ether dst 01:80:c2:00:00:02"
General IP
Match host A (10.0.0.1) communicating with host B (192.168.0.1):
"host 10.0.0.1 && host 192.168.0.1"
Match host A (10.0.0.1) communicating with anything on network B (192.168.0.0/24):
"host 10.0.0.1 && net 192.168.0.0/24"
or, if you don't like CIDR notation:
"host 10.0.0.1 && net 192.168.0.0 mask 255.255.255.0"
Match ARP:
"ether proto 0x0806"
Match DHCP:
"udp port 67 || udp port 68"
VLANs
Match any traffic with at least one VLAN tag:
"vlan"
Match traffic with exactly one VLAN tag:
"vlan && not vlan"
Match traffic with an SVLAN of 100 and any CVLAN:
"vlan 100 && vlan"
Match traffic where the first VLAN tag has an 802.1p marking of:
0: "vlan && ether[14] & 224 == 0"
1: "vlan && ether[14] & 224 == 32"
2: "vlan && ether[14] & 224 == 64"
3: "vlan && ether[14] & 224 == 96"
4: "vlan && ether[14] & 224 == 128"
5: "vlan && ether[14] & 224 == 160"
6: "vlan && ether[14] & 224 == 192"
7: "vlan && ether[14] & 224 == 224"
Note: to match the second VLAN tag use "vlan && vlan && ether[18] & 224" on the left hand side of the equality.
MPLS
Match traffic with at least one MPLS label:
"mpls"
Match traffic with exactly one MPLS label (match S bit of first label):
"mpls && ether[16] & 1 == 1"
Match traffic with a first or single label of 12345:
"mpls 12345"
Match traffic with an inner (e.g. service) label of 67890:
"mpls && mpls 67890"
Match traffic with exactly three MPLS labels (e.g. traffic on facility bypass FRR):
"mpls && mpls && mpls && ether[24] & 1 == 1"
Match 6PE traffic:
With transport label: "mpls && mpls 2"
Without transport label (after PHP): "mpls 2"
Match traffic with an EXP marking (on the first label) of:
0: "mpls && ether[16] & 14 == 0"
1: "mpls && ether[16] & 14 == 2"
2: "mpls && ether[16] & 14 == 4"
3: "mpls && ether[16] & 14 == 6"
4: "mpls && ether[16] & 14 == 8"
5: "mpls && ether[16] & 14 == 10"
6: "mpls && ether[16] & 14 == 12"
7: "mpls && ether[16] & 14 == 14"
Note: to match the EXP marking of the second label, use "mpls && mpls && ether[20] & 14" on the left hand side of the equality.
Multicast
Match any Ethernet multicast:
"ether multicast"
Match IP multicast traffic:
"ip multicast"
Match IGMP traffic:
"ip proto 2" (the manpages say "ip proto igmp" but I've had trouble with that)
Match PIM traffic:
"ip proto 0x67" (the manpages say "ip proto pim" but I've had trouble with that)
OSPFv2
Match all OSPF:
"ip proto 89"
Match specific OSPF packet types:
Hello: "ip proto 89 && ip[20:2] == 0x0201"
DBD: "ip proto 89 && ip[20:2] == 0x0202"
LSR: "ip proto 89 && ip[20:2] == 0x0203"
LSU: "ip proto 89 && ip[20:2] == 0x0204"
LSAck: "ip proto 89 && ip[20:2] == 0x0205"
IS-IS
Match all IS-IS traffic:
"isis"
Match specific IS-IS PDU types:
"l1", "l2", "iih", "lsp", "snp", "csnp" or "psnp"
BGP
Note: These rules do not handle multi-segment messages very well but they are good enough for most purposes.
Match only BGP OPEN messages:
"tcp port 179 && tcp[50] == 1"
Match only BGP UPDATE messages:
"tcp port 179 && tcp[50] == 2"
Match only BGP NOTIFICATION messages:
"tcp port 179 && tcp[50] == 3"
Match only BGP KEEPALIVE messages:
"tcp port 179 && tcp[50] == 4"
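As an added example (not from the original post): tcp[50] is the BGP type byte only when the TCP header is 32 bytes long (20 bytes plus 12 bytes of options, the usual timestamp option layout); with a bare 20-byte header the type sits at tcp[38]. The Python below builds constructed TCP segments carrying a BGP message, derives the type index from the data offset nibble the way the libpcap index expression tcp[((tcp[12]&0xf0)>>2)+18] does, and shows both the fixed-offset filter from the post and the offset-independent form.

```python
import struct

BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

def tcp_segment(options: bytes, payload: bytes) -> bytes:
    # Constructed TCP header (ports 54321 -> 179, no real session). The
    # options must already be padded to a multiple of 4 bytes.
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 54321, 179, 1, 1,
                      data_offset << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload

def bgp_message(msg_type: int, body: bytes = b"") -> bytes:
    # 16-byte all-ones marker, 2-byte total length, 1-byte type, then body.
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), msg_type) + body

def bgp_type_index(segment: bytes) -> int:
    # The index the post hard-codes as 50: TCP header length read from the
    # data offset nibble, plus 16 (marker) plus 2 (length field).
    return ((segment[12] & 0xF0) >> 2) + 18

def bgp_message_type(segment: bytes):
    i = bgp_type_index(segment)
    return BGP_TYPES.get(segment[i]) if i < len(segment) else None

def fixed_offset_filter(msg_type: int) -> str:
    # The post's form; correct only for a 32-byte TCP header.
    return f"tcp port 179 && tcp[50] == {msg_type}"

def variable_offset_filter(msg_type: int) -> str:
    # libpcap allows an expression over packet bytes inside the index, so
    # the header length can be read from the packet instead of assumed.
    return f"tcp port 179 && tcp[((tcp[12]&0xf0)>>2)+18] == {msg_type}"

if __name__ == "__main__":
    ts_opt = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp option
    seg = tcp_segment(ts_opt, bgp_message(4))
    print(bgp_type_index(seg), bgp_message_type(seg), variable_offset_filter(4))
```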
L2TP
Match only L2TP control messages:
"udp port 1701 && udp[8:2] & 0x80ff == 0x8002"
Match L2TP control messages for tunnel ID 1234:
"udp port 1701 && udp[8:2] & 0x80ff == 0x8002 && udp[12:2] == 1234"
Match L2TP data messages for tunnel ID 1234:
"udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 1234"
Match L2TP control messages for session ID 5678:
"udp port 1701 && udp[8:2] & 0x80ff == 0x8002 && udp[14:2] == 5678"
Match L2TP data messages for session ID 5678:
"udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[12:2] == 5678"
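As an added example (not from the original post): the L2TPv2 data-message filters above assume the Length (L) bit is clear, because the Tunnel ID moves two bytes later when a Length field is present, and the 0x80ff mask does not constrain that bit. The Python below constructs its own L2TP-over-UDP datagrams, emulates the post's control and data tunnel-ID filters, and reads the Tunnel ID at the offset the L bit actually dictates.

```python
import struct

# L2TPv2 header flag bits (RFC 2661): T = control message, L = Length field
# present, S = Ns/Nr present, O = Offset Size present. Version is the low 4 bits.
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200

def l2tp_header(control: bool, tunnel_id: int, session_id: int,
                with_length: bool = False, with_seq: bool = False) -> bytes:
    # Constructed header: control messages must carry Length and Ns/Nr,
    # data messages may carry either. Length/Ns/Nr are left as 0 here.
    flags = 2
    if control:
        flags |= T_BIT | L_BIT | S_BIT
    else:
        flags |= (L_BIT if with_length else 0) | (S_BIT if with_seq else 0)
    hdr = struct.pack("!H", flags)
    if flags & L_BIT:
        hdr += struct.pack("!H", 0)           # Length
    hdr += struct.pack("!HH", tunnel_id, session_id)
    if flags & S_BIT:
        hdr += struct.pack("!HH", 0, 0)       # Ns, Nr
    return hdr

def udp_datagram(l2tp: bytes) -> bytes:
    # 8-byte UDP header, both ports 1701, checksum left 0 (constructed).
    return struct.pack("!HHHH", 1701, 1701, 8 + len(l2tp), 0) + l2tp

def post_filter(datagram: bytes, control: bool, tunnel_id: int) -> bool:
    # Emulates "udp[8:2] & 0x80ff == 0x8002 && udp[12:2] == id" (control)
    # and "udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == id" (data).
    flags = struct.unpack_from("!H", datagram, 8)[0]
    want, tid_off = (0x8002, 12) if control else (0x0002, 10)
    return ((flags & 0x80FF) == want
            and struct.unpack_from("!H", datagram, tid_off)[0] == tunnel_id)

def tunnel_id(datagram: bytes) -> int:
    # Tunnel ID follows the flags, or the Length field when the L bit is set.
    flags = struct.unpack_from("!H", datagram, 8)[0]
    return struct.unpack_from("!H", datagram, 12 if flags & L_BIT else 10)[0]

if __name__ == "__main__":
    d = udp_datagram(l2tp_header(False, 1234, 5678, with_length=True))
    print(post_filter(d, False, 1234), tunnel_id(d))
```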
PPPoE
Note: Offsets will need to be manually increased by 4 bytes for each VLAN tag or MPLS label present.
Match PPPoE discovery phase (PADI / PADO / PADR / PADS / PADT):
"pppoed"
Match PPPoE session phase (i.e. PPP traffic):
"pppoes"
Match PPPoE LCP messages:
"pppoes && ether[20:2] == 0xc021"
Match PPPoE CHAP authentication messages:
"pppoes && ether[20:2] == 0xc223"