This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Building Display Filter Using Conversations


Good day all! I'm trying to build a comprehensive list of hosts and ports talking within a network so I can begin to build a firewall ACL as we begin to compartmentalize the network a bit. I'm using WS 1.4.6, where I start by simply going to Capture >> Start and selecting the interface. I then apply a display filter of ((tcp.flags.syn == 1) && (tcp.seq == 0)) && !(tcp.flags.ack == 1), which (I believe) will only display the initial SYN of each conversation. I do this because I never know, when I start my trace files, whether I'm catching some conversations in the middle; I want to ensure my firewall ACLs are correct, so I need the correct conversation flow.

I then go to Statistics >> Conversations and check the box for "Limit to Display Filter." I now want to filter out each conversation once I note it on my spreadsheet, so I go to Prepare a Filter and choose "Not Selected" A<->B. This starts to eliminate each conversation from the trace file as I note it on my spreadsheet. The thing that is happening, though, is that the conversation in the Conversations >> TCP (TCP tab) window is backwards from what appears to be actually happening. For example, in the trace file I'm seeing host A doing a SYN to host B on port 1234, but the Conversations list has it listed as host B sending to host A. So now, of course, when I build my filter it turns out backwards. Not every instance/conversation line in the Conversations list is backwards, but it causes me to double-check each time.

Any thoughts on what I could be doing wrong here? Or, if there is an easier way to accomplish this, I'm eagerly all ears :)

Have a great day! Garry

asked 20 May '11, 10:29

gfrizz17
accept rate: 0%

retagged 27 May '11, 20:56

helloworld


2 Answers:


I have no idea why the conversations would appear reversed, so I can't address that part of your question, but here's a way to accomplish what you want that sidesteps that issue and may be a bit simpler:

First, simplify your filter to "tcp.flags == 0x02". This will show you the initial SYN of each conversation.

Second, don't go to the Conversations display. Stay on the main Wireshark screen with your display filter in place. Each line of the packet list display represents one conversation. As you enter each conversation in your spreadsheet, highlight that line and press Ctrl-D, or right-click and select Ignore Packet. This will cause that line to disappear from the display.

It will be clear from the packet list display which side initiated the conversation, and this will be simpler than building an exclusion filter for each conversation.

answered 20 May '11, 13:58

Jim Aragon
accept rate: 24%


The easiest way to get a list of conversations to turn into a firewall rulebase is (IMHO) to use tshark:

tshark -C Default-Sake -r ipad.cap -nl -R "tcp.flags==2" -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq 
192.168.1.22    192.168.1.29    59548
192.168.1.29    17.152.17.80    443
192.168.1.29    17.172.236.21   5223
192.168.1.29    184.73.184.162  80
192.168.1.29    194.134.4.233   110
192.168.1.29    2.20.93.15  80
[...]

Or if you want it sorted by the amount of conversations:

tshark -C Default-Sake -r ipad.cap -nl -R "tcp.flags==2" -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn
  18 192.168.1.29   216.39.58.249   80
   7 192.168.1.29   72.233.96.254   80
   3 192.168.1.29   93.184.220.20   80
   3 192.168.1.29   83.163.163.55   993
  [...]

Of course you can pipe this output through sed and awk to even build the commands needed to implement the FW rules (assuming your firewall has a CLI through which new rules can be added).

Hope this helps!

(Oh BTW, if you use Windows, you can use Cygwin to get a shell in which you are able to do this)

answered 20 May '11, 15:43

SYN-bit ♦♦
accept rate: 20%
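As an added illustration of the sed/awk step mentioned in the answer above (example code, not SYN-bit's), this script aggregates the tab-separated `ip.src`, `ip.dst`, `tcp.dstport` lines that the tshark command emits into one counted line per conversation and then prints placeholder rule lines from them. The input is a constructed sample rather than real tshark output, and the `permit tcp host ... eq ...` rule syntax is a hypothetical stand-in for whatever your firewall's CLI expects.

```shell
#!/bin/sh
# Constructed sample of what `tshark ... -T fields -e ip.src -e ip.dst -e tcp.dstport`
# prints for SYN-only packets (tab-separated); not taken from a real capture.
SAMPLE_CONVERSATIONS=$(printf '%s\t%s\t%s\n' \
    192.168.1.29 17.152.17.80  443 \
    192.168.1.29 216.39.58.249 80 \
    192.168.1.29 216.39.58.249 80 \
    192.168.1.22 192.168.1.29  59548 \
    192.168.1.29 194.134.4.233 110)

TAB=$(printf '\t')

# Read tshark field lines on stdin and emit "count<TAB>src<TAB>dst<TAB>dstport",
# most frequent conversation first. Malformed lines (not exactly 3 fields) are
# skipped so a stray blank line from tshark does not turn into a bogus rule.
summarize_conversations() {
    awk -F'\t' 'NF == 3 { seen[$1 "\t" $2 "\t" $3]++ }
                END { for (k in seen) print seen[k] "\t" k }' |
    sort -t"$TAB" -k1,1rn -k2,2 -k3,3 -k4,4n
}

# Turn each aggregated line into a hypothetical permit rule. The syntax is a
# placeholder; substitute your firewall's own CLI format here.
make_acl_lines() {
    awk -F'\t' '{ printf "permit tcp host %s host %s eq %s  # %d SYNs seen\n",
                         $2, $3, $4, $1 }'
}

printf '%s\n' "$SAMPLE_CONVERSATIONS" | summarize_conversations | make_acl_lines
```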

Cygwin == molasses

(20 May '11, 16:07) helloworld