Using Filters
Wireshark comes standard with some very good filters. Filtering the displayed packets allows you to focus on relevant information located within the capture.
In this post, I’m going to show you how to filter for DHCP exchanges, PPPoE exchanges and VLANs.
Setting the Filter
Click on the filter field to enter the filter options manually, or press the Expression button to start the Wireshark filter expression box. When you are unfamiliar with which protocols you want to filter on, the Expression window allows you to choose each dissector and how the filter is applied (equals, contains, matches, less than, greater than).
VLAN Tag ID
Filtering on a VLAN tag is really quite simple using Wireshark’s built-in dissector.
In the filter field, type in:
vlan.id == <put your vlan id here>
Press return to start the filtering process. Wireshark will then go through each packet in the capture file and display only those packets that match the criteria.
DHCP
Filtering for DHCP packets is pretty easy in Wireshark also.
In the filter field, type in:
bootp
On Wireshark 3.0 and later the dissector was renamed, so use dhcp as the filter there instead.
Press return to start the filtering process.
PPPoE
PPPoE is a little trickier, as decoding the entire process involves several steps, from PADI through IPCP negotiation.
In the filter field, type in:
pppoed or lcp or ipcp or pap or chap
Press return to start the filtering process.
This filter has several components that allow you to capture the entire PPPoE process from beginning to end.
The first part of the filter, pppoed, matches the PADI, PADO, PADR & PADS exchange. The next step in the process, lcp, negotiates the MTU size, magic number and authentication protocol.
After the lcp negotiation is complete, the user is authenticated via PAP or CHAP. If you have a username or password issue in the modem or BRAS, this is where you will see the negotiation fail.
Once the user is authenticated, we can finally start the IP address negotiation. The ipcp filter will show you the IP address negotiation.
Now that the user is up and authenticated, you will see LCP Echoes between the modem and BRAS. Settings in the modem and BRAS will determine the frequency and size of the echo messages.
Keep in mind that the LCP echo process uses a single-ended state machine. What this means is that each end of the link, the modem and the BRAS, keeps track of its LCP echoes independently of the other. Whenever either end loses enough consecutive echoes (configurable on the BRAS), it will tear the link down using a PADT. This is a major difference between DHCP leases and PPPoE sessions: either end can tear down a PPPoE connection, whereas once a DHCP server issues a lease, that lease is bound until it times out or a DHCP release message is sent.
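To make concrete what the vlan.id, pppoed, lcp, pap, chap and ipcp filters above actually match on the wire, here is an added example (not from the original post): a small decoder that pulls the 802.1Q VLAN id, the PPPoE discovery code and the PPP protocol number out of raw Ethernet frames, and walks a constructed PADI-to-PADT session. The frames are built inline for illustration and are not a real capture; the build_frame and classify helpers are this example's own.

```python
"""Decode the on-the-wire fields behind the Wireshark display filters discussed above."""
import struct

# Codes and protocol numbers from RFC 2516 (PPPoE) and the PPP RFCs (LCP, PAP, CHAP, IPCP).
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPP_PROTOCOLS = {0xC021: "lcp", 0xC023: "pap", 0xC223: "chap", 0x8021: "ipcp"}


def classify(frame: bytes) -> dict:
    """Return the VLAN id (None if untagged) and which PPPoE filter stage a frame belongs to."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                                   # position of the EtherType field
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    result = {"vlan_id": None, "stage": None}
    # 802.1Q tag: TPID 0x8100, then a 16-bit TCI whose low 12 bits are vlan.id.
    if ethertype == 0x8100:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        result["vlan_id"] = tci & 0x0FFF
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    payload = frame[offset + 2:]                  # PPPoE header starts after the EtherType
    if ethertype == 0x8863:                       # discovery stage -> matches "pppoed"
        code = payload[1]
        result["stage"] = "pppoed:" + PPPOE_CODES.get(code, f"code 0x{code:02x}")
    elif ethertype == 0x8864:                     # session stage -> PPP protocol picks lcp/pap/chap/ipcp
        ppp_proto = struct.unpack_from("!H", payload, 6)[0]
        result["stage"] = PPP_PROTOCOLS.get(ppp_proto, f"ppp 0x{ppp_proto:04x}")
    return result


def build_frame(vlan_id, ethertype, code, session_id, ppp_proto=None) -> bytes:
    """Constructed sample frame: optional 802.1Q tag, PPPoE header, optional PPP protocol word."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"   # constructed MAC addresses
    if vlan_id is not None:
        hdr += struct.pack("!HH", 0x8100, vlan_id)  # priority 0, VID = vlan_id
    body = b"" if ppp_proto is None else struct.pack("!H", ppp_proto)
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body
    return hdr + struct.pack("!H", ethertype) + pppoe


def walk_session(vlan_id=100):
    """Stages of one constructed PPPoE session, in the order the post describes them."""
    frames = [build_frame(vlan_id, 0x8863, c, 0) for c in (0x09, 0x07, 0x19)]
    frames.append(build_frame(vlan_id, 0x8863, 0x65, 0x1A2B))          # PADS assigns session id
    for proto in (0xC021, 0xC023, 0x8021, 0xC021):                      # LCP, PAP, IPCP, LCP echoes
        frames.append(build_frame(vlan_id, 0x8864, 0x00, 0x1A2B, proto))
    frames.append(build_frame(vlan_id, 0x8863, 0xA7, 0x1A2B))          # PADT tears the link down
    return [classify(f)["stage"] for f in frames]


if __name__ == "__main__":
    print(walk_session())
```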
Source: http://theticktalk.wordpress.com/2012/10/23/wireshark-filters-pppoe-dhcp-vlan-id/