Mobile Malware threats and detection mechanism

Aug 09, 2015
Page 1: Mobile Malware threats and detection mechanism

Mobile Malware threats and detection mechanism

Rakib Amin, Mehedee Zaman, Tazrian Siddiqui

Supervisor

Dr. M Shohrab Hossain

Page 2

Presentation on

Wireshark's Display Filter: How do we use it?

Rakib [email protected]

Page 3

// Special Note

This is an implementation-based tutorial on Display Filters only (you should already be familiar with Wireshark). Most slides contain screenshots. For documentation, visit http://wiki.wireshark.org

Page 4

Module 1

Understanding Captures

Page 5

Screenshot of a .pcap file inside Wireshark showing a capture

Page 6

All packets using the HTTP protocol are listed when the filter string “http” is entered.

Page 7

The filter bar background turns red when a filter string that Wireshark cannot parse (for example one naming a non-existent field) is entered.

Page 8

Module 2.1

Creating Filter strings for Display Filters

Page 9

Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

Comparison operators: Fields can also be compared against values. The comparison operators can be expressed either through English-like abbreviations or through C-like symbols.

eq, == Equal

ne, != Not Equal

gt, > Greater than

lt, < Less than

ge, >= Greater than or Equal to

le, <= Less than or Equal to

Page 10

All packets with frame length equal to 100

Page 11

All packets carrying an HTTP “GET” request

Page 12

Logical expressions: Tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

and, && Logical AND

or, || Logical OR

not, ! Logical NOT

Example : tcp.port == 80 and ip.src == 192.168.2.1

Page 13

All packets with TCP port 80 and source address 50.16.247.204
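An added example, not code from the slides or from Wireshark: a small Python evaluator for the display-filter subset the previous slides describe (comparison operators in both spellings, and/or/not, bare-field existence tests and contains), run over constructed packet dicts keyed by Wireshark-style field names. It accepts the example filter from the logical-expressions slide and raises ValueError for a malformed string, the case where Wireshark's filter bar turns red.

```python
# Added example, not from the slides or from Wireshark: a tiny evaluator for the
# display-filter subset described above, run over constructed packet dicts.
import re

PACKETS = [  # constructed sample packets keyed by Wireshark-style field names
    {"frame.len": 100, "ip.src": "192.168.2.1", "tcp.port": 80, "http.request.method": "GET"},
    {"frame.len": 60, "ip.src": "50.16.247.204", "tcp.port": 80},
    {"frame.len": 100, "ip.src": "192.168.2.1", "udp.dstport": 53, "dns.flags": 0x8180}]
ALIASES = {"eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<=",
           "and": "&&", "or": "||", "not": "!"}  # English-like spellings -> C-like
CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "contains": lambda a, b: str(b) in str(a)}
LOGIC = ("&&", "||", "!")

def literal(tok):  # "GET" -> GET; 80 / 0x8180 -> int; 192.168.2.1 stays a string
    if tok is None or tok in CMP or tok in LOGIC: raise ValueError("missing value")
    if tok.startswith('"'): return tok[1:-1]
    return int(tok, 16) if tok.startswith("0x") else int(tok) if tok.isdigit() else tok

def compile_filter(expr):
    """Parse (precedence: or < and < not < field test) into a packet -> bool predicate.
    A ValueError here is the case where Wireshark turns the filter bar red."""
    toks = [ALIASES.get(t, t) for t in
            re.findall(r'==|!=|>=|<=|>|<|&&|\|\||!|"[^"]*"|[\w.]+', expr)]
    take = lambda: toks.pop(0) if toks else None
    peek = lambda: toks[0] if toks else None
    def field_test():  # field op value, or a bare field name = existence test
        f = take()
        if f is None or f in CMP or f in LOGIC: raise ValueError("bad field %r" % f)
        if peek() in CMP:
            op, v = take(), literal(take())
            return lambda p: f in p and CMP[op](p[f], v)
        return lambda p: f in p
    def expr_not():
        if peek() != "!": return field_test()
        take(); inner = expr_not(); return lambda p: not inner(p)
    def chain(sub, tok, join):  # left-associative && or || chain
        node = sub()
        while peek() == tok:
            take(); node = (lambda l, r: lambda p: join(l(p), r(p)))(node, sub())
        return node
    expr_and = lambda: chain(expr_not, "&&", lambda a, b: a and b)
    node = chain(expr_and, "||", lambda a, b: a or b)
    if toks: raise ValueError("unexpected token %r" % toks[0])
    return node

def apply_filter(expr, packets=PACKETS):  # indices of the packets the filter keeps
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]
```

Real Wireshark also validates field names against its dissector registry, so a bare unknown field name turns the bar red there, while this evaluator only treats it as an existence test that matches nothing.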

Page 14

/* Complete reference for creating filter strings */

In the menu bar: Help -> Manual Pages -> Wireshark Filter

or https://www.wireshark.org/docs/dfref/

A list of Frequently Used Display Filter Strings is given in the FUDF slide

Page 15

Module 2.2

Creating a new Display Filter inside Wireshark

Page 16

In the menu bar: Analyze -> Display Filters...

Page 17

Click the New button, type in the filter name and the filter string (using the syntax from the previous slides), and hit Enter.

Page 18

In the filter bar, click Expression… to browse the available expressions.

Page 19

Select a field-relation-value, hit OK.

Page 20

The chosen filter now appears in the filter window as a filter string.

Page 21

Module 3

Advanced Display Filters

Page 22

Select a packet (or a field in it) and right-click: you can use that value directly as a filter (ip.src==10.128.223.139). The other options combine the value with the existing filter string using AND, OR, AND NOT, etc.

Page 23

Conversation Filter takes the addresses of the selected packet and shows only the packets of that conversation.

Page 24

Bonus

Advanced Conversation

Page 25

Another interesting thing you can do is right-click a packet and select Follow TCP Stream.

Page 26

You'll see the full conversation between the client and the server, and the packet list shows only those packets.

Page 27

TCP Conversation: This is useful when we are looking for passwords in a Telnet stream, or are trying to make sense of a data stream. Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order.

The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue.

Page 28

Bonus

Add as a Column

Page 29

Select a field in the packet details, right-click, and choose Apply as Column to add it as a column in the packet list.

Page 30

Bonus

I/O and Flow Graphs

Page 31

Menu bar: Statistics -> I/O Graph

Page 32

Statistics -> Flow Graph… Filter: A<->B or A<->C

where A, B and C are IP addresses

Page 33

// Summary

We discussed –

Understanding Captures
Creating Filter strings for Display Filters
Creating a new Display Filter inside Wireshark
Advanced Display Filters

Page 34

// Reference

I am indebted to –

CBT Nuggets: Wireshark with Keith Barker
http://wiki.wireshark.org
The How-To Geek community

Page 35

Frequently Used Display Filters:

Filter string                                 Description
ip.src==8.8.8.8                               Look for a specific source IP address
http or tcp                                   Only HTTP or TCP packets
tcp.port==80                                  Look for packets through port 80
http.request.method == "GET"                  Only GET request packets
http.response.phrase contains "contacts"      Packets whose HTTP response phrase contains the word "contacts"
ip.opt.ohc < 10                               Outbound hop count < 10
bgp.nexthop == 8.8.8.8                        Border Gateway Protocol next-hop search
ftp.active.port                               Only active-FTP client PORT packets
wlan.addr == 00:11:22:33:44:55                Checks an IEEE 802.11 hardware (MAC) address (placeholder MAC)
dns.resp.type                                 DNS response type
udp.dstport                                   UDP destination port
tcp.stream                                    TCP stream index (all conversations)

Page 36

Frequently Used Display Filters:

Filter string                                      Description
arp.dst.hw_mac                                     ARP target MAC address
udp.length == 37                                   Check UDP packet length
frame.time == "Aug 17, 2014 00:56:14.935620000"    Check frame arrival time
dns.flags == 0x8180                                DNS flag check (standard query response)
dns.resp.addr == 54.241.179.41                     DNS response address
ip.proto == 17                                     IP protocol number check for UDP/TCP (17 = UDP); the bare filter udp selects the same packets
icmp.type == 3                                     Internet Control Message Protocol type (3 = destination unreachable)
ssl.handshake.type == 1                            Secure Sockets Layer handshake type (1 = Client Hello; other values such as 11 select other handshake messages)

Page 37

Thank you.