
Lab 5: Using Capture Filters

In this lab you will write capture filters.

Introduction

Use capture filters with care: a packet that a capture filter rejects is never seen by Wireshark, so nothing can recover it later. One scenario where a capture filter is essential is a remote capture. There you must exclude the packets between the machine doing the capture and the machine you are sitting in front of, because every captured packet is carried back to you over that same connection and would itself be captured, producing the "infinite echo" effect. Another scenario is excluding all packets to and from the capture machine so you can keep using it while a capture runs. In this lab you will create filters for both scenarios.

Part 1: Looking for non-Local Traffic

Silence is golden. Sometimes you want to exclude every packet that is for the machine you are capturing on. The best way to do this is a capture filter that excludes your host by MAC address. Filtering by MAC address is more thorough than filtering by IP address because the MAC is on every frame the interface sends, and on every frame addressed directly to it, whatever the protocol, so ARP and multicast traffic from your host is excluded as well as IP traffic. Discover the MAC address of an interface on your machine and create a capture filter that excludes that MAC. Start a capture on that interface and capture traffic while you use the web.

You should see little activity while you browse. If you see what appears to be local traffic, check your filter and start again. When you believe your capture worked, save the packets into a file called non-local.pcapng and submit the file along with the capture filter you used.

Part 2: Remote Capture 

For this part you will capture traffic on Opus using the dumpcap command and view a text-based summary with the tshark command. Your capture filter must exclude all SSH traffic (remember that Opus listens for SSH on both port 22 and port 2220); otherwise the packets of your own session, including the ones dumpcap reports to you, are captured and the capture echoes itself. Run dumpcap like this:

$ /home/cis140/bin/dumpcap -w opus-filter.pcapng -f '<capture-filter-goes-here>' 

Be sure to put your capture filter inside the single quotes (' ... ') so the shell passes it to dumpcap unchanged. The above command saves packets to opus-filter.pcapng and shows a running count of how many it has captured; stop it with Ctrl-C when you have enough. To view a text summary of the packets, run tshark this way:

$ tshark -r opus-filter.pcapng 

Use the summary to check whether your filter worked without downloading the file every time: if any line in it shows port 22 or 2220, the filter did not do its job. When you are satisfied with your filter, submit your opus-filter.pcapng file and the capture filter you used.
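The following script, added here as an example and not part of the lab page, builds the filters for Part 1 and Part 2 and, where dumpcap and tshark are installed, runs a bounded capture and checks the saved file for leaked SSH packets using a tshark display filter. The interface name, the MAC address and the DUMPCAP path are illustrative assumptions; on Opus, set DUMPCAP to /home/cis140/bin/dumpcap as the lab directs.

```shell
#!/bin/sh
# Added example (not the lab's own code): capture-filter helpers for the
# "exclude my host" and "exclude SSH on a remote capture" scenarios.

# Part 1: read the MAC of an interface (Linux sysfs, else ifconfig output).
# Interface names such as eth0 or en0 are assumptions for illustration.
iface_mac() {
    if [ -r "/sys/class/net/$1/address" ]; then
        cat "/sys/class/net/$1/address"
    else
        ifconfig "$1" 2>/dev/null | awk '/ether/ {print $2; exit}'
    fi
}

# Part 1: drop every frame sent to or from that MAC. Unlike "not host <ip>",
# this does not depend on which IP address(es) the host currently holds and
# also drops non-IPv4 frames the host sends, such as ARP requests and IPv6.
mac_exclude_filter() {
    mac="$1"
    # A typo here would only fail when dumpcap starts, so validate first:
    # six colon-separated hex bytes.
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || {
        echo "not a MAC address: $mac" >&2
        return 1
    }
    echo "not ether host $mac"
}

# Part 2: exclude SSH on every port it is served on (Opus: 22 and 2220).
# Each port is named explicitly so adding another is a one-argument change.
ssh_exclude_filter() {
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports or }tcp port $p"
    done
    echo "not ($ports)"
}

# Run dumpcap with a capture filter, stopping by itself after $3 packets
# (default 100), then use tshark on the saved file to confirm the filter
# held: a display filter for the SSH ports must match nothing.
remote_capture() {
    out="$1"; filter="$2"; count="${3:-100}"
    DUMPCAP="${DUMPCAP:-dumpcap}"
    command -v "$DUMPCAP" >/dev/null 2>&1 || { echo "dumpcap not found" >&2; return 2; }
    "$DUMPCAP" -c "$count" -w "$out" -f "$filter" || return 1
    tshark -r "$out" | head -n 20
    leaked=$(tshark -r "$out" -Y 'tcp.port == 22 || tcp.port == 2220' | wc -l)
    echo "SSH packets that slipped past the capture filter: $leaked"
}

# Usage (not run here):
#   mac_exclude_filter "$(iface_mac eth0)"
#   remote_capture opus-filter.pcapng "$(ssh_exclude_filter 22 2220)" 200
```

The leak check is a display filter applied to the saved file, which is the same idea as reading the tshark summary by eye but gives a number you can act on. If you want to keep capturing other people's SSH sessions and exclude only your own, a narrower capture filter such as `not (host <your-client-ip> and tcp port 22)` does that; the lab, however, asks you to exclude all SSH traffic.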

Part 3: Advanced Filters

You can look for very specific things with capture filters. In this part you will create a filter that isolates ICMP packets by size. The following commands generate a ping with a specific payload size (200 bytes of ICMP data, which is not the same as the size of the frame on the wire):

On Mac/Linux:
$ ping -s 200 <ip-address-of-your-capture-machine>

On Windows:
$ ping -l 200 <ip-address-of-your-capture-machine>

You may be able to run the ping command on the same machine that is doing the capture, but be careful to capture on the proper interface if you do. Save the pings that you capture in a file called ping-size.pcapng and submit that file with the capture filter you used. The filter must select the ping by packet size.

Turn In

  1. The file non-local.pcapng from part 1 and the capture filter you used
  2. The file opus-filter.pcapng from part 2 and the capture filter you used 
  3. The file ping-size.pcapng from part 3 and the capture filter you used
Submit your homework on Canvas.

Grading

  • 5 points for part 1
  • 5 points for part 2
  • 10 points for part 3