Networking/Computing Tips/Tricks

If you are a Wireshark power user, you know the importance of complex display filters to narrow searches for very particular items.  The challenge can be to recall these filters, end edit them in different analysis cases.  Also, if you want to be able to replace addresses, the possibility of typos and time being lost becomes evident, if not frustrating.

Luckily Wireshark has a very little known capability called display filter macros.  In the entire Wireshark web site, there may be 10 total sentences dedicated to the capability.  Ok it might be 12 sentences.

Here is how it works.  You have to define the macro first, using variables, that when you execute the macro, the variables are then inserted.  Let's start with a really simple one that you probably would never actually define because, like most of us, you know the filter by heart:  the ip.addr == a.b.c.d filter.

Creating Your First Simple Display FIlter Macro

To define the macro select Analyze> Display Filter Macros and you will get the following pop-up:

Screen Shot 2017 06 24 at 6.29.44 PM

As with any of the Wireshark lists, click the "+" sign to add a macro.

Enter the name of the macro (no spaces allowed):  I used IPA

Then enter the macro syntax: ip.addr == $1

The $1 is essentially a variable, and you can have multiple variables in complex macros.

Click OK.

Now in a capture, type the following into the display filter: ${IPA:} and apply the filter (replace the address with anything you want):

Screen Shot 2017 06 24 at 6.42.35 PM

OK perfect, - now we know now this works, let's take it a step further (and more useful).

Taking it to the Next Level

Let's say we wanted to find a particular IP address pair.  One option would be the Conversation Filter.  Or we could create a macro based on a more complex filter syntax.  We will have two variables: $1 and $2 for the two addresses.

The normal display filter would look like this: ip.addr== && ip.addr==

So let's create a macro we will call IPAP (for IP Address Pair) and use the syntax replacing the addresses with $1 and $2:

Screen Shot 2017 06 24 at 6.51.11 PM

Now if I want to find a set of packets between an IP address pair, I simply type ${IPAP:;} in the display filter:

Screen Shot 2017 06 24 at 6.54.51 PM

The key here is that a semicolon separates the variables.

By now you have probably also noticed that Display Macros are stored by profile.  So different Profiles can have different profile specific macros.

Using Macros inside Display Filter Expressions

You can also use Display Filter Macros inside expressions.

For example if you defined a macro to be called 'priv24' and then defined the macro syntax to be '', you could in a display filter enter something like:

ip.addr == ${priv24}

The result would be the same as typing 'ip.addr =='

If you are a network admistrator, you can imagine how using this could save a lot of time typing addresses.

Interesting Macro Syntax Variations

Another thing you can do is use the Wireshark Display Macro syntax to perform quick filters on your trace.  For example:

  • ip.addr == ${ip.src} will find all packets that have the same source IP address as the selected packet
  • == ${} will find all packets in the current selected packet tcp stream (assumes you have a valid tcp packet selected)

These are not technically macros, so you would not save them as such, instead you would simply save these as Display filters in your pick list/bookmark list.

Useful Macros 

So let's create a cheat sheet of macros you may find useful and you can add them to your favorite profiles:

Macro Name Purpose Macro Filter Syntax Display Filter Syntax to call the Macro
n/a Find all IP addresses that match the Source IP of current selected packet ip.addr == ${ip.src} n/a
n/a Find all IP addresses that match the Destination IP of current selected packet ip.addr == ${ip.dst} n/a
n/a Find all packets in the TCP stream of the current selected packet == ${} n/a
n/a Find all DNS packets belonging to the selected packet (usually query response pairs) == ${} n/a
TCPConv Filter a particular TCP conversation knowing Source, destination, and TCP Port ((ip.src == $1 and ip.dst == $2 and tcp.srcport == $3 and tcp.dstport == $4) or (ip.src == $2 and ip.dst == $1 and tcp.srcport == $4 and tcp.dstport == $3)) ${TCPConv:;;8080}
ARPrq Find all ARP Requests arp.opcode == 0x0001 ${ARPrq}
ARPrp Find all ARP Responses arp.opcode == 0x0002 $(ARPrp}
DNSrq Find all DNS Requests dns.flags.response == 0 ${DNSrq}
DNSrp Find all DNS Responses dns.flags.response == 1 ${DNSrp}
DNSer Find all DNS Errors dns.flags.rcode != 0 ${DNSer}
ICMPrq Find all ICMPv4 Requests icmp.type == 8 ${ICMPrq}
ICMPrp Find all ICMPv4 Responses icmp.type == 0 ${ICMPrp}
ICMPred Find all ICMPv4 redirects except IP Address w.x.y.z icmp.type == 5 and ip.src != $1 ${ICMPred:w.x.y.z}
SSLhs Find all SSL Handshake packets ssl.record.content_type==22 ${SSLhs}
NoBeacons Wireless: remove all Beacon Frames wlan.fc.subtype != 8 ${NoBeacons}
JustBeacons Wireless: show only Beacon Frames wlan.fc.subtype == 8 ${JustBeacons}
SSIDn Wireless: show only management frames with SSID x where x is the SSID term wlan_mgt.ssid == \x22$1\x22 ${SSIDn:x}
Probes Wireless: show only the probe frames wlan.fc.subtype==4 or wlan.fc.subtype==5 ${Probes}
plcmall IP Telephony - find all PLCM packets eth.addr[0:3] == 00-04-f2 || bootp.hw.mac_addr[0:3] == 00-04-f2 ${plcmall}
plcm IP Telephony - find PLCM for a particular MAC 12-34-56 eth.addr == 00-04-f2-$1 || bootp.hw.mac_addr == 00-04-f2-$1 ${plcm:12-34-56}
issall IP Telephony - find all ISS packets eth.addr[0:3] == 00-26-fd || bootp.hw.mac_addr[0:3] == 00-26-fd ${issall}
iss IP Telephony - find ISS packets for a particular MAC 12-34-56 eth.addr == 0026-fdf0-$1 || bootp.hw.mac_addr == 0026-fdf0-$1 ${iss:1234}

Be sure to check back here often as we will keep adding to the list.  Any you would add?


Comments powered by CComment

The nicest thing you can do is use these inks to support us!  Thank you!

Find by Tag

4G Networks 5G Networks 6in4 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Addressing Analysis Ansible Architecture ARP AToM BGP Bloom's Taxonomy Broadband Cable cat CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud Coloring Rules Computer Consulting CPI Customer Support Data Center Data Networking DHCPv6 DNS Docker Documentation Dublin-Traceroute dumpcap ECMP Ethernet Ethics Fragmentation G-MPLS Git GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 Interface Control Internet IoT IPsec IPv4 IPv6 IS-IS L2VPN L3VPN LDP Linux LLN LoL M-BGP MAC MAC OSx Macro Microsoft mininet Monitoring MPLS MTU Multicast My Room Name Resolution Netcat Netmiko NetMon netsh Networking Network Science nmap Npcap Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Paris-Traceroute Parrot PIM pktmon PMTU Policy POTS POTS to Pipes PPP Profile Programming Project Management Protocol 41 PW3E Python QoS QUIC Remote Desktop Requirements RIP Routing RPL RSVP Rural SAS SDN Security Service Provider Small Business SONET Speed SS7 SSH SSL Subnetting SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone termshark TLS Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Webex WEP Wi-Fi Wi-Fi 4 Wi-Fi 5 Wi-Fi 6 Wi-Fi 6/6E Windows Winpcap Wireless Wireless 5G Wireshark Wireshark Tip WLAN WPA2 Zenmap ZigBee Zoom

Support us by clicking:

Twitter Feed