Wireshark Display Filters for Common Protocols

HTTP - Hypertext Transfer Protocol (http)
33 fields:

Command | == Parameter | Parameter Type
http.notification | Notification | TRUE if HTTP notification (Boolean)
http.response | Response | TRUE if HTTP response (Boolean)
http.request | Request | TRUE if HTTP request (Boolean)
http.authbasic | Credentials | (character string)
http.request.method | Request Method | HTTP Request Method (character string)
http.request.uri | Request URI | HTTP Request-URI (character string)
http.request.version | Request Version | HTTP Request HTTP-Version (character string)
http.response.code | Response Code | HTTP Response Code (unsigned, 2 bytes)
http.authorization | Authorization | HTTP Authorization header (character string)
http.proxy_authenticate | Proxy-Authenticate | HTTP Proxy-Authenticate header (character string)
http.proxy_authorization | Proxy-Authorization | HTTP Proxy-Authorization header (character string)
http.proxy_connect_host | Proxy-Connect-Hostname | HTTP Proxy Connect Hostname (character string)
http.proxy_connect_port | Proxy-Connect-Port | HTTP Proxy Connect Port (unsigned, 2 bytes)
http.www_authenticate | WWW-Authenticate | HTTP WWW-Authenticate header (character string)
http.content_type | Content-Type | HTTP Content-Type header (character string)
http.content_length | Content-Length | HTTP Content-Length header (unsigned, 4 bytes)
http.content_encoding | Content-Encoding | HTTP Content-Encoding header (character string)
http.transfer_encoding | Transfer-Encoding | HTTP Transfer-Encoding header (character string)
http.user_agent | User-Agent | HTTP User-Agent header (character string)
http.host | Host | HTTP Host (character string)
http.connection | Connection | HTTP Connection (character string)
http.cookie | Cookie | HTTP Cookie (character string)
http.accept | Accept | HTTP Accept (character string)
http.referer | Referer | HTTP Referer (character string)
http.accept_language | Accept-Language | HTTP Accept Language (character string)
http.accept_encoding | Accept Encoding | HTTP Accept Encoding (character string)
http.date | Date | HTTP Date (character string)
http.cache_control | Cache-Control | HTTP Cache Control (character string)
http.server | Server | HTTP Server (character string)
http.location | Location | HTTP Location (character string)
http.set_cookie | Set-Cookie | HTTP Set Cookie (character string)
http.last_modified | Last-Modified | HTTP Last Modified (character string)
http.x_forwarded_for | X-Forwarded-For | HTTP X-Forwarded-For (character string)

ICMP - Internet Control Message Protocol (icmp)
39 fields:

Command | == Parameter | Parameter Type
icmp.type | Type | (unsigned, 1 byte)
icmp.code | Code | (unsigned, 1 byte)
icmp.checksum | Checksum | (unsigned, 2 bytes)
icmp.checksum_bad | Bad Checksum | (Boolean)
icmp.ident | Identifier | (unsigned, 2 bytes)
icmp.seq | Sequence number | (unsigned, 2 bytes)
icmp.mtu | MTU of next hop | (unsigned, 2 bytes)
icmp.redir_gw | Gateway address | (IPv4 address)
icmp.mip.type | Extension Type | (unsigned, 1 byte)
icmp.mip.length | Length | (unsigned, 1 byte)
icmp.mip.prefixlength | Prefix Length | (unsigned, 1 byte)
icmp.mip.seq | Sequence Number | (unsigned, 2 bytes)
icmp.mip.life | Registration Lifetime | (unsigned, 2 bytes)
icmp.mip.flags | Flags | (unsigned, 2 bytes)
icmp.mip.r | Registration Required | Registration with this FA is required (Boolean)
icmp.mip.b | Busy | This FA will not accept requests at this time (Boolean)
icmp.mip.h | Home Agent | Home Agent Services Offered (Boolean)
icmp.mip.f | Foreign Agent | Foreign Agent Services Offered (Boolean)
icmp.mip.m | Minimal Encapsulation | Minimal encapsulation tunneled datagram support (Boolean)
icmp.mip.g | GRE | GRE encapsulated tunneled datagram support (Boolean)
icmp.mip.v | VJ Comp | Van Jacobson Header Compression Support (Boolean)
icmp.mip.rt | Reverse tunneling | Reverse tunneling support (Boolean)
icmp.mip.u | UDP tunneling | UDP tunneling support (Boolean)
icmp.mip.x | Revocation support | Registration revocation support (Boolean)
icmp.mip.reserved | Reserved | (unsigned, 2 bytes)
icmp.mip.coa | Care-Of-Address | (IPv4 address)
icmp.mip.challenge | Challenge | (sequence of bytes)
icmp.mpls | ICMP Extensions for MPLS | (label)
icmp.mpls.version | Version | (unsigned, 1 byte)
icmp.mpls.res | Reserved | (unsigned, 2 bytes)
icmp.mpls.checksum | Checksum | (unsigned, 2 bytes)
icmp.mpls.checksum_bad | Bad Checksum | (Boolean)
icmp.mpls.length | Length | (unsigned, 2 bytes)
icmp.mpls.class | Class | (unsigned, 1 byte)
icmp.mpls.ctype | C-Type | (unsigned, 1 byte)
icmp.mpls.label | Label | (unsigned, 3 bytes)
icmp.mpls.exp | Experimental | (unsigned, 3 bytes)
icmp.mpls.s | Stack bit | (Boolean)
icmp.mpls.ttl | Time to live | (unsigned, 1 byte)

ICMPv6 - Internet Control Message Protocol v6 (icmpv6)
12 fields:

Command | == Parameter | Parameter Type
icmpv6.type | Type | (unsigned, 1 byte)
icmpv6.code | Code | (unsigned, 1 byte)
icmpv6.checksum | Checksum | (unsigned, 2 bytes)
icmpv6.checksum_bad | Bad Checksum | (Boolean)
icmpv6.haad.ha_addrs | Home Agent Addresses | (IPv6 address)
icmpv6.ra.cur_hop_limit | Cur hop limit | Current hop limit (unsigned, 1 byte)
icmpv6.ra.router_lifetime | Router lifetime | Router lifetime (s) (unsigned, 2 bytes)
icmpv6.ra.reachable_time | Reachable time | Reachable time (ms) (unsigned, 4 bytes)
icmpv6.ra.retrans_timer | Retrans timer | Retrans timer (ms) (unsigned, 4 bytes)
icmpv6.option | ICMPv6 Option | Option (label)
icmpv6.option.type | Type | Options type (unsigned, 1 byte)
icmpv6.option.length | Length | Options length (in bytes) (unsigned, 1 byte)

TCP - Transmission Control Protocol (tcp)
74 fields:

Command | == Parameter | Parameter Type
tcp.srcport | Source Port | (unsigned, 2 bytes)
tcp.dstport | Destination Port | (unsigned, 2 bytes)
tcp.port | Source or Destination Port | (unsigned, 2 bytes)
tcp.seq | Sequence number | (unsigned, 4 bytes)
tcp.nxtseq | Next sequence number | (unsigned, 4 bytes)
tcp.ack | Acknowledgement number | (unsigned, 4 bytes)
tcp.hdr_len | Header Length | (unsigned, 1 byte)
tcp.flags | Flags | (unsigned, 1 byte)
tcp.flags.cwr | Congestion Window Reduced (CWR) | (Boolean)
tcp.flags.ecn | ECN-Echo | (Boolean)
tcp.flags.urg | Urgent | (Boolean)
tcp.flags.ack | Acknowledgment | (Boolean)
tcp.flags.push | Push | (Boolean)
tcp.flags.reset | Reset | (Boolean)
tcp.flags.syn | Syn | (Boolean)
tcp.flags.fin | Fin | (Boolean)
tcp.window_size | Window size | (unsigned, 4 bytes)
tcp.checksum | Checksum | Details at: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html (unsigned, 2 bytes)
tcp.checksum_good | Good Checksum | True: checksum matches packet content; False: doesn't match content or not checked (Boolean)
tcp.checksum_bad | Bad Checksum | True: checksum doesn't match packet content; False: matches content or not checked (Boolean)
tcp.analysis.flags | TCP Analysis Flags | This frame has some of the TCP analysis flags set (label)
tcp.analysis.retransmission | Retransmission | This frame is a suspected TCP retransmission (label)
tcp.analysis.fast_retransmission | Fast Retransmission | This frame is a suspected TCP fast retransmission (label)
tcp.analysis.out_of_order | Out Of Order | This frame is a suspected Out-Of-Order segment (label)
tcp.analysis.reused_ports | TCP Port numbers reused | A new tcp session with previously used port numbers (label)
tcp.analysis.lost_segment | Previous Segment Lost | A segment before this one was lost from the capture (label)
tcp.analysis.ack_lost_segment | ACKed Lost Packet | This frame ACKs a lost segment (label)
tcp.analysis.window_update | Window update | This frame is a tcp window update (label)
tcp.analysis.window_full | Window full | This segment has caused the allowed window to become 100% full (label)
tcp.analysis.keep_alive | Keep Alive | This is a keep-alive segment (label)
tcp.analysis.keep_alive_ack | Keep Alive ACK | This is an ACK to a keep-alive segment (label)
tcp.analysis.duplicate_ack | Duplicate ACK | This is a duplicate ACK (label)
tcp.analysis.duplicate_ack_num | Duplicate ACK # | This is duplicate ACK number # (unsigned, 4 bytes)
tcp.analysis.duplicate_ack_frame | Duplicate to the ACK in frame | This is a duplicate to the ACK in frame # (frame number)
tcp.continuation_to | This is a continuation to the PDU in frame | This is a continuation to the PDU in frame # (frame number)
tcp.analysis.zero_window_probe | Zero Window Probe | This is a zero-window-probe (label)
tcp.analysis.zero_window_probe_ack | Zero Window Probe Ack | This is an ACK to a zero-window-probe (label)
tcp.analysis.zero_window | Zero Window | This is a zero-window (label)
tcp.len | TCP Segment Len | (unsigned, 4 bytes)
tcp.analysis.acks_frame | This is an ACK to the segment in frame | Which previous segment is this an ACK for (frame number)
tcp.analysis.ack_rtt | The RTT to ACK the segment was | How long time it took to ACK the segment (RTT) (time offset)
tcp.analysis.rto | The RTO for this segment was | How long transmission was delayed before this segment was retransmitted (RTO) (time offset)
tcp.analysis.rto_frame | RTO based on delta from frame | This is the frame we measure the RTO from (frame number)
tcp.urgent_pointer | Urgent pointer | (unsigned, 2 bytes)
tcp.segment.overlap | Segment overlap | Segment overlaps with other segments (Boolean)
tcp.segment.overlap.conflict | Conflicting data in segment overlap | Overlapping segments contained conflicting data (Boolean)
tcp.segment.multipletails | Multiple tail segments found | Several tails were found when reassembling the pdu (Boolean)
tcp.segment.toolongfragment | Segment too long | Segment contained data past end of the pdu (Boolean)
tcp.segment.error | Reassembling error | Reassembling error due to illegal segments (frame number)
tcp.segment | TCP Segment | TCP Segment (frame number)
tcp.segments | Reassembled TCP Segments | TCP Segments (label)
tcp.reassembled_in | Reassembled PDU in frame | The PDU that doesn't end in this segment is reassembled in this frame (frame number)
tcp.options | TCP Options | TCP Options (sequence of bytes)
tcp.options.mss | TCP MSS Option | TCP MSS Option (Boolean)
tcp.options.mss_val | TCP MSS Option Value | TCP MSS Option Value (unsigned, 2 bytes)
tcp.options.wscale | TCP Window Scale Option | TCP Window Option (Boolean)
tcp.options.wscale_val | TCP Windows Scale Option Value | TCP Window Scale Value (unsigned, 1 byte)
tcp.options.sack_perm | TCP Sack Perm Option | TCP Sack Perm Option (Boolean)
tcp.options.sack | TCP Sack Option | TCP Sack Option (Boolean)
tcp.options.sack_le | TCP Sack Left Edge | TCP Sack Left Edge (unsigned, 4 bytes)
tcp.options.sack_re | TCP Sack Right Edge | TCP Sack Right Edge (unsigned, 4 bytes)
tcp.options.echo | TCP Echo Option | TCP Sack Echo (Boolean)
tcp.options.echo_reply | TCP Echo Reply Option | TCP Echo Reply Option (Boolean)
tcp.options.time_stamp | TCP Time Stamp Option | TCP Time Stamp Option (Boolean)
tcp.options.cc | TCP CC Option | TCP CC Option (Boolean)
tcp.options.ccnew | TCP CC New Option | TCP CC New Option (Boolean)
tcp.options.ccecho | TCP CC Echo Option | TCP CC Echo Option (Boolean)
tcp.options.md5 | TCP MD5 Option | TCP MD5 Option (Boolean)
tcp.options.qs | TCP QS Option | TCP QS Option (Boolean)
tcp.pdu.time | Time until the last segment of this PDU | How long time has passed until the last frame of this PDU (time offset)
tcp.pdu.size | PDU Size | The size of this PDU (unsigned, 4 bytes)
tcp.pdu.last_frame | Last frame of this PDU | This is the last frame of the PDU starting in this segment (frame number)
tcp.time_relative | Time since first frame in this TCP stream | Time relative to first frame in this TCP stream (time offset)
tcp.time_delta | Time since previous frame in this TCP stream | Time delta from previous frame in this TCP stream (time offset)

UDP - User Datagram Protocol (udp)
7 fields:

Command | == Parameter | Parameter Type
udp.srcport | Source Port | (unsigned, 2 bytes)
udp.dstport | Destination Port | (unsigned, 2 bytes)
udp.port | Source or Destination Port | (unsigned, 2 bytes)
udp.length | Length | (unsigned, 2 bytes)
udp.checksum | Checksum | Details at: http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html (unsigned, 2 bytes)
udp.checksum_good | Good Checksum | True: checksum matches packet content; False: doesn't match content or not checked (Boolean)
udp.checksum_bad | Bad Checksum | True: checksum doesn't match packet content; False: matches content or not checked (Boolean)