Filtering TCP/IP packets with Wireshark

Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit by large numbers of embedded devices. I created unit tests to test the server, but when the time came to integrate with the embedded device (which has been produced by a third party), issues of course still arose. You can try to log everything in your server, but using a packet sniffer like Wireshark is much more effective in finding the reasons why certain issues arise.

Although Wireshark is pretty easy to use, at first glance the interface looks daunting. Here are a few tricks that got me up and running with Wireshark.

First: how to start capturing? Capture->Interfaces. In this dialog click ‘Start’ on the interface that shows the IP address your server is listening on. You will see packets pouring in after this. Now you can set up a display filter to show only the packets you’re interested in.

Suppose your server is running on port 8080. Displaying only the traffic that is going back and forth on that port is as simple as setting a filter:

tcp.port == 8080

Now suppose you only want to see the data that is being sent from the embedded devices to your server (the field is tcp.dstport, and comparisons use a double equals sign):

tcp.dstport == 8080

Should you want to see the data that is being sent from the server to the embedded device:

tcp.srcport == 8080

So tcp.port == 8080 is equivalent to tcp.srcport == 8080 || tcp.dstport == 8080

Now what if we wanted to know only about data coming from the IP address of one embedded device (assuming a static IP address over time):

ip.src == 80.80.80.80

Just as with the port, you can filter on the destination address instead; with the device’s address this keeps only the packets sent to that device, i.e. the traffic from the server to it:

ip.dst == 80.80.80.80

and if you’re indifferent about the direction:

ip.addr == 80.80.80.80

There will be a lot of ceremony packets going back and forth (opening/closing connections, ACKs, etc…). Usually you’re especially interested in the packets containing data. To display only the packets carrying a TCP payload:

tcp.len > 0

To display only packets whose first payload byte has a certain value (data[0] is the first byte of the TCP payload, written as a hex byte):

data[0] == A0

It is common to log certain events in a server using, for example, log4net. These events will have a timestamp based on the date and time of the server. As Wireshark by default shows times relative to the start of the capture, this doesn’t match very well. See View->Time Display Format, where you will find Date and Time of Day. After selecting this, the date and time will be shown in the Frame part of the packet. Now suppose you want to filter on a certain timespan; the following shows all packets sent and received in that window (allowing you to match them with the events logged in the server). Note that absolute times are written in double quotes:

frame.time >= "Feb 1, 2011 11:00:00" && frame.time < "Feb 1, 2011 11:05:00"

Combining this delivers a powerful way to find information.

For example, show all packets coming from the embedded device connecting on port 8080, between 11:00 and 11:05 on February 1st 2011, coming from IP address 80.80.80.80, containing data, where the data is only of a certain type:

tcp.dstport == 8080 &&
frame.time >= "Feb 1, 2011 11:00:00" &&
frame.time < "Feb 1, 2011 11:05:00" &&
ip.src == 80.80.80.80 &&
tcp.len > 0 &&
data[0] == A0

Finally, you can export the data of the displayed packets and analyse them further with the parser belonging to your server.
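As an added example (not code from the original post), the following Python script does the same work non-interactively, which is handy once the capture has been saved to a file: it composes the combined filter built up above, runs tshark (Wireshark’s command-line counterpart) with it, and parses the exported fields so the payloads can be matched against log4net-style server timestamps and handed to your own parser. The capture path, the field list, the log line format and the sample tshark output are constructed assumptions; the tshark options -r, -Y, -T fields and -e, and the fields frame.time_epoch, ip.src, tcp.srcport and data.data, are real.

```python
"""Non-interactive use of the display filters from the article: build the
filter, run tshark with it on a saved capture, and parse the exported
fields. Added example; sample data below is constructed, not captured."""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional


class DevicePacket(NamedTuple):
    time: datetime      # frame time as UTC
    src_ip: str
    src_port: int
    payload: bytes      # decoded TCP payload (data.data)


def build_filter(port: int, device_ip: str, start: datetime, end: datetime,
                 first_byte: Optional[int] = None) -> str:
    """Compose the combined display filter from the article (device -> server)."""
    def wireshark_time(t: datetime) -> str:
        # Wireshark's absolute time literal, e.g. "Feb 1, 2011 11:00:00"
        return f'"{t:%b} {t.day}, {t:%Y %H:%M:%S}"'
    parts = [
        f"tcp.dstport == {port}",
        f"frame.time >= {wireshark_time(start)}",
        f"frame.time < {wireshark_time(end)}",
        f"ip.src == {device_ip}",
        "tcp.len > 0",
    ]
    if first_byte is not None:
        parts.append(f"data[0] == {first_byte:02X}")   # hex byte literal
    return " && ".join(parts)


# The exact filter from the article, reproduced by build_filter()
ARTICLE_FILTER = build_filter(8080, "80.80.80.80",
                              datetime(2011, 2, 1, 11, 0, 0),
                              datetime(2011, 2, 1, 11, 5, 0), 0xA0)

# Fields exported per matching packet; tshark separates them with tabs
TSHARK_FIELDS = ["frame.time_epoch", "ip.src", "tcp.srcport", "data.data"]


def tshark_command(capture_path: str, display_filter: str) -> List[str]:
    """Command line that applies the filter (-Y) and exports fields (-T fields)."""
    cmd = ["tshark", "-r", capture_path, "-Y", display_filter, "-T", "fields"]
    for field in TSHARK_FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_tshark_fields(lines: List[str]) -> List[DevicePacket]:
    """Parse tab-separated tshark output into DevicePacket records."""
    packets = []
    for line in lines:
        if not line.strip():
            continue
        epoch, src_ip, src_port, payload_hex = line.rstrip("\n").split("\t")
        # older tshark versions print bytes as a0:01:02; newer ones as a00102
        payload = bytes.fromhex(payload_hex.replace(":", ""))
        packets.append(DevicePacket(
            datetime.fromtimestamp(float(epoch), tz=timezone.utc),
            src_ip, int(src_port), payload))
    return packets


def export_packets(capture_path: str, display_filter: str) -> List[DevicePacket]:
    """Run tshark on a saved capture (assumed path) and parse what it exports."""
    result = subprocess.run(tshark_command(capture_path, display_filter),
                            check=True, capture_output=True, text=True)
    return parse_tshark_fields(result.stdout.splitlines())


def match_log_events(packets: List[DevicePacket], log_lines: List[str],
                     tolerance: timedelta = timedelta(seconds=1)
                     ) -> Dict[str, List[DevicePacket]]:
    """Pair each server log line with the packets seen within `tolerance`.
    Assumes log4net's default timestamp "yyyy-MM-dd HH:mm:ss,fff" and a
    server clock in UTC; adjust the tzinfo if the server logs local time."""
    matches: Dict[str, List[DevicePacket]] = {}
    for line in log_lines:
        stamp = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
        stamp = stamp.replace(tzinfo=timezone.utc)
        matches[line] = [p for p in packets if abs(p.time - stamp) <= tolerance]
    return matches


# Constructed sample of what `tshark -T fields` prints for the fields above
# (epoch 1296558000 is Feb 1, 2011 11:00:00 UTC).
SAMPLE_TSHARK_OUTPUT = [
    "1296558003.250000000\t80.80.80.80\t51234\ta0010203",
    "1296558010.500000000\t80.80.80.80\t51234\tb0ff",
    "1296558120.000000000\t80.80.80.81\t40001\ta0:00",
]

# Constructed log4net-style server log lines to correlate with the packets
SAMPLE_SERVER_LOG = [
    "2011-02-01 11:00:03,400 INFO  Handler - frame received from 80.80.80.80",
    "2011-02-01 11:02:00,050 WARN  Handler - short frame from 80.80.80.81",
]

if __name__ == "__main__":
    print(ARTICLE_FILTER)
    for log_line, hits in match_log_events(
            parse_tshark_fields(SAMPLE_TSHARK_OUTPUT), SAMPLE_SERVER_LOG).items():
        print(log_line, "->", [h.payload.hex() for h in hits])
    # On a machine with tshark installed and a real capture (assumed path):
    # export_packets("server.pcapng", ARTICLE_FILTER)
```

Because tshark reports frame.time_epoch in UTC while the Wireshark GUI and a log4net appender both show local time, correlate on epoch seconds and convert the log timestamps explicitly, as match_log_events does; a fixed offset between the two columns is usually just a timezone, not a real delay.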
