Wireshark Capture Filters Assignment

Added on 2020/02/24
Running Head: ITECH1003 NETWORKING ASSIGNMENT
Wireshark Capture Filter assignment
[Student Name]
[University Name]

Table of Contents
Part 1 – Wireshark and traffic capture basics ... 2
Part 2 capture filters ... 3
  BPF qualifiers ... 3
  Documenting the 3 logical operators for combining primitives ... 4
  Capturing traffic from/to another machine ... 4
  Excluding particular network traffic ... 6
  Using port numbers in capture filters ... 6
Part 1 – Wireshark and traffic capture basics
Promiscuous mode: promiscuous mode is a mode in Wireshark in which the network
adapter receives and reads all data packets. This mode must be supported by both the network
adapter and the host system's input/output driver.
The Capture > Options dialog allows DNS names to be resolved to IP addresses. With the
help of this IP address, Wireshark can show the packets for that specific IP address.
A switch and a hub have largely the same functionality, but with a few differences. A switch
connects all the network segments in a single LAN, whereas a hub connects all the computers together
so that every device sits on a single network segment. A switch limits where traffic is forwarded,
so that traffic will not be visible in Wireshark.
Port numbers
Protocol      Port number
FTP Data      20
FTP Control   21
HTTP          80
NTP           123
SSH           22
SMTP uses port 25 for transferring mail. It is the Simple Mail Transfer Protocol.
DHCP uses ports 67/68. DHCP is used to allocate IP addresses on a network
dynamically.
HTTPS uses port 443. It performs the same function as HTTP, but over a more
secure connection by adding SSL or TLS.
SNMP uses ports 161/162. SNMP is the Simple Network Management Protocol, used for
network administration purposes.
IMAP uses port 143 to retrieve mail from a server.
POP3 uses port 110 to retrieve mail from a server.
Part 2 capture filters
BPF qualifiers
Type – this qualifier says what kind of thing the ID name or number refers to.
Dir – this qualifier specifies a particular transfer direction, to and/or from the ID.
Proto – this BPF qualifier is used to limit the match to a specific protocol.
Examples –
host 192.168.10.2 – shows only the packets where the host is 192.168.10.2
dst 192.168.10.2 – shows the packets whose destination address is 192.168.10.2
port 80 – shows the packets for port number 80
src 192.168.10.2 – shows only packets whose source address is 192.168.10.2
ip 192.168.10.2 – shows only the packets associated with the IP address
192.168.10.2
ether host 192.168.10.2 – shows only packets that are captured from this Ethernet
host.
tcp[13] == 18 – TCP SYN-ACK packets
udp port sip – should capture UDP traffic to and from that port
http – shows only HTTP packets
Documenting the 3 logical operators for combining primitives
Operation   Name   Description    Example
and         &&     Logical AND    ip.src==10.0.0.5 and tcp.flags.fin
or          ||     Logical OR     ip.src==10.0.0.5 or ip.src==192.1.1.1
xor         ^^     Logical XOR    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
Capturing traffic from/to another machine
Capture traffic between two computers
ip.addr == 192.168.1.11 && ip.addr == 192.168.2.21
The above filter is used to capture packets between two computers. ip.addr is used to
specify the two computers' IP addresses, and && performs the logical AND operation.
Using MAC address
ip.addr == 192.168.1.11 && eth.dst == 08:00:27:01:54:56
This filter is the same as the previous one, except that the destination part of the filter is
changed to a MAC address. The destination MAC address filter is eth.dst == MAC address.
Capture packets from a remote IP address
ip.addr == 192.168.2.21
Capture only ICMP
icmp
The above picture shows all the ICMP packets that were captured.
Excluding particular network traffic
Capture broadcast traffic only - bmc.broadcast_address
bmc.broadcast_address is used to show the broadcast address packets.
Exclude broadcast traffic - !( bmc.broadcast_address)
The exclamation mark means "not", so this shows all packets except the broadcast traffic.
Capture all traffic from a range of network addresses but exclude broadcast traffic
net ipaddress/netmask and !bmc.broadcast_address
The net primitive captures all the traffic from a range of IP addresses; the "and" operator in the
latter part of the filter adds a second condition to the same capture, and the final term excludes
all the broadcast traffic.
Using port numbers in capture filters
DNS traffic - port 53
The port 53 filter shows only the DNS traffic that uses port 53.
DNS traffic being sent from your machine – host ip address port 53
host selects the machine's own IP address, and port 53 is used to show only DNS traffic.
DHCP traffic in either direction - port 67 or port 68
Port 67 and port 68 are used to show all the DHCP traffic in either direction.
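As an added example (not part of the student's assignment), the following Python code builds a constructed IPv4/TCP packet and evaluates the capture-filter primitives from Part 2 (host, src, dst, port, net, the tcp[13] == 18 SYN-ACK test, and broadcast exclusion) directly over the packet bytes, then combines them with and/not/xor as in the operator table; all addresses, ports and the packet itself are constructed samples.

```python
import struct
from ipaddress import ip_address, ip_network

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums left zero)."""
    # IPv4: version/IHL=0x45, TOS, total length 40, id, frag, TTL, proto 6=TCP, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    # TCP: ports, seq, ack, data offset (5 words), flags byte, window, csum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def parse(pkt):
    """Decode only the fields the capture-filter primitives below look at."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    l4 = pkt[ihl:]                            # transport header starts after the IP header
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "proto": pkt[9], "sport": sport, "dport": dport, "l4": l4}

# Capture-filter primitives from the page, each reduced to the bytes it tests
def host(p, ip):   return ip in (p["src"], p["dst"])            # host 192.168.10.2
def src(p, ip):    return p["src"] == ip                        # src 192.168.10.2
def dst(p, ip):    return p["dst"] == ip                        # dst 192.168.10.2
def port(p, n):    return n in (p["sport"], p["dport"])         # port 80 (either end)
def net(p, cidr):  # net 192.168.1.0/24 matches if either address lies in the range
    rng = ip_network(cidr)
    return any(ip_address(a) in rng for a in (p["src"], p["dst"]))
def broadcast(p):  return p["dst"] == "255.255.255.255"         # limited broadcast
def tcp_byte(p, i):  # tcp[13] reads byte 13 of the TCP header, which is the flags byte
    return p["l4"][i] if p["proto"] == 6 else None
def is_syn_ack(p): return tcp_byte(p, 13) == 0x12                # SYN 0x02 + ACK 0x10 = 18

# Logical operators combining primitives, as in the operator table
def between(p, a, b):      return host(p, a) and host(p, b)     # host a and host b
def net_no_bcast(p, cidr): return net(p, cidr) and not broadcast(p)  # net ... and !broadcast
def either_host(p, a, b):  return host(p, a) != host(p, b)      # host a xor host b

if __name__ == "__main__":
    p = parse(build_ipv4_tcp("192.168.1.11", "192.168.2.21", 80, 40000, 0x12))
    print("SYN-ACK:", is_syn_ack(p), "between:", between(p, "192.168.1.11", "192.168.2.21"))
```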