Wireshark has been around for a long time and the display filters that exist are good reference points to learn about network (packet) traffic as well as how to navigate around various parts of sessions or streams.
Below you will find a handy reference which allows you to cross-reference many of the common Wireshark filters with their respective RSA NetWitness queries.
This is where I pulled the Wireshark display filters from: DisplayFilters - The Wireshark Wiki
Show only SMTP (port 25) and ICMP traffic:
| Wireshark | NetWitness |
|---|---|
| tcp.port eq 25 or icmp | service=25 || ip.proto=1,58 -> (icmp or ipv6 icmp) |
| tcp.dstport=25 || ip.proto=1,58 -> (icmp or ipv6 icmp) |
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
| Wireshark | NetWitness |
|---|---|
| ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 | ip.src=192.168.0.0/16 && ip.dst=192.168.0.0/16 |
| direction='lateral' (RFC1918 to RFC1918) |
Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
| Wireshark | NetWitness |
|---|---|
| smb || nbns || dcerpc || nbss || dns | service=139,137,135,139,53 |
Match HTTP requests where the last characters in the uri are the characters "gl=se":
| Wireshark | NetWitness |
|---|---|
| http.request.uri matches "gl=se$" | service=80 && query ends 'gl=se' |
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
| Wireshark | NetWitness |
|---|---|
| ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip | service=5060 && ip.src!=xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx |
ip.addr == 10.43.54.65 equivalent to
| Wireshark | NetWitness |
|---|---|
| ip.src == 10.43.54.65 or ip.dst == 10.43.54.65 | ip.all=10.43.54.65 |
| ip.src=10.43.54.65 || ip.dst=10.43.54.65 |
Here's where I pulled some additional filters for mapping: HTTP Packet Capturing to debug Apache
View all http traffic
| Wireshark | NetWitness |
|---|---|
| http | service=80 |
View all flash video stuff
| Wireshark | NetWitness |
|---|---|
| http.request.uri contains "flv" or http.request.uri contains "swf" or http.content_type contains "flash" or http.content_type contains "video" | service=80 && ( query contains 'flv' || query contains 'swf' || content contains 'flash' || content contains 'video') |
Show only certain responses
| Wireshark | NetWitness |
|---|---|
| http.response.code == 404 | service=80 && error begins 404 |
| service=80 && result.code ='404' | |
| http.response.code==200 | service=80 && error !exists (200 are not explicitly captured) |
| service=80 && result.code !exists (200 are not explicitly captured) |
Show only certain http methods
| Wireshark | NetWitness |
|---|---|
| http.request.method == "POST" || http.request.method == "PUT" | service=80 && action='post','put' |
Show only filetypes that begin with "text"
| Wireshark | NetWitness |
|---|---|
| http.content_type[0:4] == "text" | service=80 && filetype begins 'text' |
| service=80 && filename begins 'text' |
Show only javascript
| Wireshark | NetWitness |
|---|---|
| http.content_type contains "javascript" | service=80 && content contain 'javascript' |
Show all http with content-type="image/(gif|jpeg|png|etc)" §
| Wireshark | NetWitness |
|---|---|
| http.content_type[0:5] == "image" | service=80 && content ='image/gif','image/jpeg','image/png','image/etc' |
Show all http with content-type="image/gif" §
| Wireshark | NetWitness |
|---|---|
| http.content_type == "image/gif" | service=80 && content ='image/gif' |
Hope this is helpful for everyone and as always, Happy Hunting!