wireshark

“hp’s MAC address” eth.addr_resolved contains hp
“source MAC address of hp” eth.src_resolved contains hp
“destination MAC address of hp” eth.dst_resolved contains hp
“intel’s wireless MAC address” wlan.addr_resolved contains intel
“source wireless MAC address of intel” wlan.sa_resolved contains intel
“destination wireless MAC address of intel” wlan.da_resolved contains intel
“Canada domain host” ip.host contains ca
“source host of test” ip.src_host contains test
“destination host of lab” ip.dst_host contains lab

“all addresses of network 192.168.100.0/24” ip.addr==192.168.100.0/24
“source addresses in the range 192.168.100.10 to 192.168.100.20” ip.src>=192.168.100.10 and ip.src<=192.168.100.20
“TCP HTTP and SSL ports” tcp.port in {80 443}

“OUI 00:D0:F1 (SEGA ENTERPRISES,LTD)” eth[0:3]==00:D0:F1
“second, third bytes of ethernet source is ff:ff” eth.src[1-2]==ff:ff
“second, third bytes of ethernet destination is ff:ff” eth.dst[1-2]==ff:ff
“IPv4, header length 20, TOS (DiffServ)=0 (first 2 bytes of the IP header)” ip[:2]==45:00
“TCP destination port (2 bytes from offset 2 of the TCP header) is 80 (0x0050)” tcp[2:2]==00:50

“all frames that contain the JPEG SOI marker” frame contains FF-D8-FF
“all frames that contain the PNG file signature (png.signature)” frame contains 89:50:4e:47:0d:0a:1a:0a
“find suspicious frames carrying a Windows executable (MZ marker)” frame contains 4D:5A
“find suspicious frames of the Uboat RAT (remote access trojan) malware” frame contains 34:38:38

“Japanese local phone number in packets” frame matches "[0-9]{2,5}\-[0-9]{1,4}\-[0-9]{4}"
“search for email addresses” frame matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+[.][a-zA-Z]{2,4}"
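To show what the slice, contains and matches filters above actually test against the bytes on the wire, here is an added Python example (not from this page or from Wireshark) that builds a constructed Ethernet/IPv4/TCP frame and evaluates the page's filters on it; the MAC addresses, IP addresses and payload are made up.

```python
import re
import struct

def build_frame():
    """Constructed sample frame (not from a capture): Ethernet II / IPv4 / TCP to
    port 80, payload starting with a JPEG SOI marker and containing an e-mail address."""
    dst_mac = bytes.fromhex("00d0f1aabbcc")  # OUI 00:D0:F1 (SEGA), host part made up
    src_mac = bytes.fromhex("00ffff112233")  # bytes 1-2 are ff:ff, host part made up
    eth = dst_mac + src_mac + b"\x08\x00"    # EtherType IPv4
    payload = b"\xff\xd8\xff\xe0" + b"JFIF contact: alice@example.com"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 168, 100, 15]), bytes([10, 0, 0, 1]))
    return eth + ip + tcp + payload
def byte_string(text):
    """Parse Wireshark byte-string notation: FF-D8-FF, 89:50:4e:47 or 4D:5A."""
    return bytes.fromhex(re.sub(r"[:\-.\s]", "", text))
def frame_contains(frame, text):
    # 'frame contains X' is a substring search over the whole frame, headers
    # included, so a two-byte signature like 4D:5A can also hit on header bytes.
    return byte_string(text) in frame
def frame_matches(frame, pattern):
    # 'frame matches "re"' runs a regex over the raw bytes (Wireshark uses PCRE;
    # Python's re behaves the same for the page's patterns).
    return re.search(pattern.encode(), frame) is not None
def eth_slice(frame, start, length):
    # eth[start:length]: offsets relative to the Ethernet header (frame start)
    return frame[start:start + length]

def ip_slice(frame, start, length):
    # ip[start:length]: offsets relative to the IP header, not the frame
    return frame[14 + start:14 + start + length]

def tcp_slice(frame, start, length):
    # tcp[start:length]: offsets relative to the TCP header (after IHL*4 bytes)
    base = 14 + (frame[14] & 0x0F) * 4
    return frame[base + start:base + start + length]

def evaluate_page_filters(frame):
    """Apply the page's slice, contains and matches filters to one frame."""
    email = r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+[.][a-zA-Z]{2,4}"
    return {
        "eth[0:3]==00:D0:F1": eth_slice(frame, 0, 3) == byte_string("00:D0:F1"),
        "ip[:2]==45:00": ip_slice(frame, 0, 2) == byte_string("45:00"),
        "tcp[2:2]==00:50": tcp_slice(frame, 2, 2) == byte_string("00:50"),
        "frame contains FF-D8-FF": frame_contains(frame, "FF-D8-FF"),
        "frame contains 4D:5A": frame_contains(frame, "4D:5A"),
        "frame matches email": frame_matches(frame, email),
    }
```

Note that ip[...] and tcp[...] offsets count from the start of that protocol's header, while frame contains and frame matches scan headers and payload alike.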

“ET POLICY Unusual number of DNS No Such Name Responses” dns.flags==0x8583 || dns.flags==0x8183
The basic filter simply selects DNS traffic: dns
For filtering only DNS queries: dns.flags.response == 0
For filtering only DNS responses: dns.flags.response == 1
For filtering on error codes, use the following:
No error (rcode, reply code): dns.flags.rcode == 0, marked in the following screenshot
No such name: dns.flags.rcode == 3

“ARP requests” arp.opcode==1
“frames flagged by TCP analysis (retransmissions, duplicate ACKs, zero window, etc.)” tcp.analysis.flags
“TCP segments containing a keyword” tcp contains "keyword"

https://www.wireshark.org/docs/wsug_html_chunked/index.html
https://chappellu.com/files/100WiresharkTips_Chappell.pdf
https://sharkfestus.wireshark.org/sharkfest.11/

TCP buffer full — Source is instructing Destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1

Filter on Windows — Filter out noise, while watching Windows Client – DC exchanges
smb || nbns || dcerpc || nbss || dns