Here is a list of commonly used Wireshark display filters for network and systems engineers analyzing packet dumps:
1) Filtering DNS packets according to their "return code" (rcode):
(dns.flags.rcode == x) //Filter DNS packets whose rcode is equal to "x".
!(dns.flags.rcode == x) //Filter DNS packets whose rcode is NOT equal to "x".
See common "return codes" and their descriptions in the table below:
Return Message | RCODE | Description
NOERROR | 0 | DNS query completed successfully
FORMERR | 1 | DNS query format error
SERVFAIL | 2 | Server failed to complete the DNS request
NXDOMAIN | 3 | Domain name does not exist
NOTIMP | 4 | Function not implemented
REFUSED | 5 | The server refused to answer the query
YXDOMAIN | 6 | Name that should not exist, does exist
YXRRSET | 7 | RRset that should not exist, does exist
NOTAUTH | 8 | Server not authoritative for the zone
NOTZONE | 9 | Name not in zone
2) Filtering packets based on Source and Destination IP Addresses:
(ip.src == 31.13.64.11) && (ip.dst == 10.210.0.10)
3) Filtering M3UA packets based on Origination Point Code (OPC):
(m3ua.protocol_data_opc == 12345) //Filter M3UA packets whose OPC is equal to "12345".
4) Filtering M3UA packets based on Destination Point Code (DPC):
(m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose DPC is equal to "34567".
5) Filtering M3UA packets based on OPC or DPC:
(m3ua.protocol_data_opc == 12345) || (m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose OPC is equal to "12345" OR DPC is equal to "34567".
(m3ua.protocol_data_opc == 12345) && (m3ua.protocol_data_dpc == 34567) //Filter M3UA packets whose OPC is equal to "12345" AND DPC is equal to "34567".
6) Filtering GSM MAP packets based on TBCD (Telephony Binary-Coded Decimal) digits:
(gsm_map.tbcd_digits == "1234567") //Filter GSM MAP packets whose TBCD is equal to "1234567".
7) Filtering TCP/UDP packets based on port number:
(tcp.port == 8080) //Filter TCP packets whose source or destination port number is equal to "8080".
(tcp.srcport == 80) //Filter TCP packets whose source port number is equal to "80".
(tcp.dstport == 443) //Filter TCP packets whose destination port number is equal to "443".
(udp.port == 53) //Filter UDP packets whose source or destination port number is equal to "53".
(udp.srcport == 53) //Filter UDP packets whose source port number is equal to "53".
(udp.dstport == 53) //Filter UDP packets whose destination port number is equal to "53".
8) Filtering TCAP (Transaction Capabilities Application Part) packets based on OTID (Orig. Transaction Id)/DTID (Dest. Transaction Id):
(tcap.otid == 1a:00:6a:15) //Filter TCAP packets whose otid is equal to "1a:00:6a:15".
(tcap.dtid == 1a:00:6a:15) //Filter TCAP packets whose dtid is equal to "1a:00:6a:15".
9) Filtering Voice packets based on E.164 international telephone numbering plan:
(e164.calling_party_number.digits == "256723039294") //Filter voice packets whose calling party (A) number is equal to "256723039294".
(e164.called_party_number.digits == "254782243131") //Filter voice packets whose called party (B) number is equal to "254782243131".
10) Filtering S1AP (Signalling between eNodeB & MME):
(s1ap.ENB_UE_S1AP_ID == 101) //During LTE Attach & Default EPS Bearer Establishment, the eNodeB allocates 101 as the ENB-UE-S1AP-ID for the new session.
(s1ap.MME_UE_S1AP_ID == 211) //During LTE Attach & Default EPS Bearer Establishment, the MME allocates 211 as the MME-UE-S1AP-ID for the session.
11) Filtering GTP (GPRS Tunneling Protocol) packets:
(gtp.ptmsi == 0xc6eb8017) //Filter GTP packets whose P-TMSI (Packet Temporary Mobile Subscriber Identity) is equal to "0xc6eb8017".