
SCHOOL OF COMPUTER SCIENCE AND ENGINEERING

Fall Semester 2020-21

Course Code: CSE4004 Programme: B.Tech


Course Name: Digital Forensics Faculty: Aju D
Slot: L25 + L26

Topic
Filters in Wireshark

Name: ROBIN SAH


Reg. No.: 18BCE2462 Date of Submission: 02-10-2020
1. Aim of the exercise.
Ans: The aim of the exercise is to practise Wireshark display filters on examples of Windows infection traffic from commodity malware that is spread by mass-distribution methods such as malicious spam (malspam) or web traffic. These infections can follow many different paths before the malware, usually a Windows executable, reaches the host. Indicators are pieces of information derived from the network traffic that relate to the infection; they are commonly called Indicators of Compromise (IOCs). Security professionals document IOCs for Windows infection traffic such as URLs, domain names, IP addresses, protocols and ports. Proper use of the Wireshark display filter lets us find these indicators quickly in a large capture.

The Wireshark Display Filter

Wireshark's display filter is a bar located directly above the packet list. This is where we type expressions to select which frames, IP packets or TCP segments Wireshark shows from a pcap; packets that do not match are hidden, not deleted, so clearing the filter brings them back.

As we type, Wireshark offers a list of suggestions based on the text entered so far. The colour of the bar tells us whether the expression is usable:

• Red: the expression is not yet accepted (incomplete, or a syntax error).
• Green: the expression is accepted and should work properly.
• Yellow: the expression is accepted but will probably not work as intended. The classic case is ip.addr != 10.0.0.5: because ip.addr stands for both the source and the destination address, Wireshark releases before 3.6 read it as "either address differs" and it matched nearly every packet; the intended form is !(ip.addr == 10.0.0.5).

Wireshark's display filter uses Boolean expressions, so we can test field values and chain tests together. The following operators are commonly used:

• Equals: == or eq
• Not equal: != or ne
• And: && or and
• Or: || (double pipe) or or
• Not: ! or not
• Substring: contains (for example http.host contains "example")
• Regular expression: matches
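To make the precedence rules and the "yellow bar" behaviour concrete, here is an added example (not from the original report, and not Wireshark's own code) in Python: a small evaluator for the subset of display-filter syntax listed above, run over four constructed packet summaries. The field names follow Wireshark's (ip.addr, tcp.port, http.request, tls.handshake.type); the packets, addresses and ports are assumptions. The != branch deliberately implements the older "any not equal" reading so that the pitfall is visible.

```python
import re

# Constructed packet summaries (an assumption for this example, not from the
# report): the fields a Wireshark dissector would expose to the filter bar.
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 49152, "tcp.dstport": 80, "http.request": True},
    {"ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 49152},
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.11", "tcp.srcport": 49153, "tcp.dstport": 443, "tls.handshake.type": 1},
    {"ip.src": "10.0.0.7", "ip.dst": "198.51.100.20", "tcp.srcport": 50000, "tcp.dstport": 443, "tls.handshake.type": 1},
]

# As in Wireshark, ip.addr stands for either address and tcp.port for either port.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

def field_values(pkt, name):
    """All values a field has in this packet (empty list if the field is absent)."""
    return [str(pkt[n]) for n in COMBINED.get(name, (name,)) if n in pkt]

TOKEN = re.compile(r"\s*(\(|\)|==|!=|\|\||&&|!|[A-Za-z0-9_.]+)")

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

class DisplayFilter:
    """Recursive-descent parser with Wireshark's precedence: not, then and, then or."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
        self.tree = self._or()
        if self.i != len(self.toks):
            raise ValueError("unexpected token " + self.toks[self.i])
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _or(self):
        node = self._and()
        while self._peek() in ("||", "or"):
            self._next()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._not()
        while self._peek() in ("&&", "and"):
            self._next()
            node = ("and", node, self._not())
        return node
    def _not(self):
        if self._peek() in ("!", "not"):
            self._next()
            return ("not", self._not())
        return self._primary()
    def _primary(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("expected )")
            return node
        if self._peek() in ("==", "eq", "!=", "ne"):
            op = self._next()
            return ("cmp", tok, op, self._next())
        return ("present", tok)          # bare field name: "the packet has this field"
    def matches(self, pkt):
        return self._eval(self.tree, pkt)
    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":
            return bool(field_values(pkt, node[1]))
        _, field, op, value = node
        vals = field_values(pkt, field)
        if op in ("==", "eq"):
            return any(v == value for v in vals)
        # != with the pre-3.6 "any not equal" meaning: true as soon as ONE of the
        # field's values differs, which is why ip.addr != x was a yellow-bar filter.
        return any(v != value for v in vals)

def apply_filter(packets, expr):
    """Frame numbers (1-based, as in the packet list) that the expression keeps."""
    flt = DisplayFilter(expr)
    return [n for n, pkt in enumerate(packets, 1) if flt.matches(pkt)]
```

apply_filter(PACKETS, "ip.addr != 10.0.0.5") returns every frame, including the three that involve 10.0.0.5, while "!(ip.addr == 10.0.0.5)" returns only frame 4. Wireshark 3.6 changed != to mean "all not equal", which makes the two forms equivalent on current releases, but filters copied from older write-ups, or typed into an older build, still need the negated form.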

Filters for Web-Based Infection Traffic

In the pcap, the user was on a Windows 10 computer using Microsoft's Edge web browser. Filtering on http.request or ssl.handshake.type == 1 outlines the flow of events for this web traffic: http.request shows every HTTP request (method, URI and Host header in clear text), and handshake type 1 is the TLS Client Hello, which carries the server name (SNI) of each HTTPS connection even though the rest of the session is encrypted. In Wireshark 3.0 and later the SSL dissector was renamed TLS, so the same filter is written http.request or tls.handshake.type == 1; the ssl. prefix only works on older releases. Together the two conditions list the domains, URLs, IP addresses and ports the infected host contacted, which are exactly the IOCs this exercise is after.
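As an added example (not part of the original report, and independent of Wireshark) of what that filter surfaces, the following Python script builds a three-packet pcap in memory, with a constructed HTTP GET, its response and a TLS Client Hello, then parses it with the standard library only and emits the records an analyst would copy into an IOC list. The victim address 10.0.0.5, the server addresses in 192.0.2.0/24 and the host names example.net and secure.example.net are assumptions; read_pcap, decode_tcp and extract_iocs also work on a real capture file read with open(path, "rb").

```python
import struct

# Sample traffic is constructed for this example (not a real infection):
# 10.0.0.5 is the assumed victim, 192.0.2.x the assumed servers.
VICTIM = "10.0.0.5"

def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK) carrying an application payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip

def _client_hello(server_name):
    """Minimal TLS 1.2 ClientHello whose only extension is server_name (SNI)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                 # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS handshake record

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + n, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    _tcp_frame(VICTIM, "192.0.2.10", 49152, 80,
               b"GET /update.exe HTTP/1.1\r\nHost: example.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    _tcp_frame("192.0.2.10", VICTIM, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\nMZ"),
    _tcp_frame(VICTIM, "192.0.2.11", 49153, 443, _client_hello("secure.example.net")),
])

def read_pcap(data):
    """Yield raw frames from classic pcap bytes (either byte order)."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl]
        pos += incl

def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
            sport, dport, tcp[(tcp[12] >> 4) * 4:])

def tls_sni(rec):
    """Walk a ClientHello (record offset 5) to the server_name extension, if any."""
    hs, p = rec[5:], 4 + 2 + 32                       # skip type+length, version, random
    p += 1 + hs[p]                                     # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher suites
    p += 1 + hs[p]                                     # compression methods
    if p + 2 > len(hs):
        return None                                    # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                                 # list len(2), name_type(1), name len(2), name
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return None

def extract_iocs(pcap_bytes):
    """Emulate `http.request or tls.handshake.type == 1` and collect the IOCs."""
    iocs = []
    for frame in read_pcap(pcap_bytes):
        d = decode_tcp(frame)
        if d is None:
            continue
        src, dst, _, dport, payload = d
        if payload.startswith((b"GET ", b"POST ", b"HEAD ")):            # http.request
            lines = payload.split(b"\r\n")
            uri = lines[0].split(b" ")[1].decode("ascii", "replace")
            host = next((l[5:].strip().decode("ascii", "replace")
                         for l in lines[1:] if l[:5].lower() == b"host:"), "")
            iocs.append({"filter": "http.request", "src": src, "dst": dst,
                         "dport": dport, "indicator": host + uri})
        elif len(payload) > 5 and payload[0] == 0x16 and payload[5] == 1:  # tls.handshake.type == 1
            iocs.append({"filter": "tls.handshake.type == 1", "src": src, "dst": dst,
                         "dport": dport, "indicator": tls_sni(payload)})
    return iocs
```

Running extract_iocs(SAMPLE_PCAP) yields two records: the clear-text request example.net/update.exe to 192.0.2.10:80 and the Client Hello for secure.example.net to 192.0.2.11:443. The 200 OK response is skipped, just as http.request skips it in Wireshark; note that the response body starts with "MZ", the first bytes of a Windows executable, which is the kind of follow-up an analyst would chase with a file-export rather than a filter.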
Capturing Filters

After downloading and installing Wireshark, we can launch it and double-click the name of a network interface under Capture to start capturing packets on that interface. As soon as we click the interface's name, packets start to appear in real time. Wireshark captures every packet the interface sees, which on a switched network is normally the traffic to and from our own system plus broadcasts and multicasts; on a SPAN port or a tap it is far more than that.

Capture filters are not the same as display filters. They use the BPF syntax of tcpdump (for example host 10.0.0.5 and port 443), they are set before the capture starts, and packets that do not match are never written to the file. Display filters only hide packets that are already in the capture, so a display filter can be changed at any time, while a capture filter cannot be undone afterwards. For an infection investigation it is usually safer to capture everything and narrow down later.

Click the red "Stop" button near the top left corner of the window when we want to stop capturing traffic.
Filtering Packets

When inspecting something specific, such as the traffic a program sends when phoning home, it helps to close all other applications that use the network, so there is less unrelated traffic to filter out.

The most basic way to apply a filter is to type it into the filter box at the top of the window and click Apply (or press Enter). Filters can also be built from the packet details pane: right-click a field and choose Apply as Filter, which writes the exact field name and value into the bar.
2. Conclusion

Ans: Wireshark is a powerful tool: it allows us to see what is going on in a network by showing us all the traffic sent and received on a network interface. However, as we have seen, it collects literally all the traffic, so we have to deal with a great deal of information, particularly on a production network. This quickly becomes unmanageable unless we use Wireshark filters. A capture filter decides what is recorded in the first place, and a display filter tells Wireshark what we want to see, hiding everything else; used properly, a display filter such as http.request or tls.handshake.type == 1 reduces a large capture to the handful of packets that hold the indicators of compromise.
