This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- RSA NetWitness Query Syntax Compared to Wireshark Display Filters
EricPartington
Employee
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2018-08-23
03:50 PM
Wireshark has been around for a long time and the display filters that exist are good reference points to learn about network (packet) traffic as well as how to navigate around various parts of sessions or streams.
Below you will find a handy reference which allows you to cross-reference many of the common Wireshark filters with their respective RSA NetWitness queries.
This is where I pulled the Wireshark display filters from: DisplayFilters - The Wireshark Wiki
Show only SMTP (port 25) and ICMP traffic:
| Wireshark | NetWitness |
|---|---|
| tcp.port eq 25 or icmp | service=25 || ip.proto=1,58 -> (icmp or ipv6 icmp) |
| tcp.dstport=25 || ip.proto=1,58 -> (icmp or ipv6 icmp) |
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
| Wireshark | NetWitness |
|---|---|
| ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16 | ip.src=192.168.0.0/16 && ip.dst=192.168.0.0/16 |
| direction='lateral' (RFC1918 to RFC1918) |
Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges
| Wireshark | NetWitness |
|---|---|
| smb || nbns || dcerpc || nbss || dns | service=139,137,135,139,53 |
Match HTTP requests where the last characters in the uri are the characters "gl=se":
| Wireshark | NetWitness |
|---|---|
| http.request.uri matches "gl=se$" | service=80 && query ends 'gl=se' |
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
| Wireshark | NetWitness |
|---|---|
| ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip | service=5060 && ip.src!=xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx |
ip.addr == 10.43.54.65 equivalent to
| Wireshark | NetWitness |
|---|---|
| ip.src == 10.43.54.65 or ip.dst == 10.43.54.65 | ip.all=10.43.54.65 |
| ip.src=10.43.54.65 || ip.dst=10.43.54.65 |
Here's where I pulled some additional filters for mapping: HTTP Packet Capturing to debug Apache
View all http traffic
| Wireshark | NetWitness |
|---|---|
| http | service=80 |
View all flash video stuff
| Wireshark | NetWitness |
|---|---|
| http.request.uri contains "flv" or http.request.uri contains "swf" or http.content_type contains "flash" or http.content_type contains "video" | service=80 && ( query contains 'flv' || query contains 'swf' || content contains 'flash' || content contains 'video') |
Show only certain responses
| Wireshark | NetWitness |
|---|---|
| http.response.code == 404 | service=80 && error begins 404 |
| service=80 && result.code ='404' | |
| http.response.code==200 | service=80 && error !exists (200 are not explicitly captured) |
| service=80 && result.code !exists (200 are not explicitly captured) |
Show only certain http methods
| Wireshark | NetWitness |
|---|---|
| http.request.method == "POST" || http.request.method == "PUT" | service=80 && action='post','put' |
Show only filetypes that begin with "text"
| Wireshark | NetWitness |
|---|---|
| http.content_type[0:4] == "text" | service=80 && filetype begins 'text' |
| service=80 && filename begins 'text' |
Show only javascript
| Wireshark | NetWitness |
|---|---|
| http.content_type contains "javascript" | service=80 && content contain 'javascript' |
Show all http with content-type="image/(gif|jpeg|png|etc)" §
| Wireshark | NetWitness |
|---|---|
| http.content_type[0:5] == "image" | service=80 && content ='image/gif','image/jpeg','image/png','image/etc' |
Show all http with content-type="image/gif" §
| Wireshark | NetWitness |
|---|---|
| http.content_type == "image/gif" | service=80 && content ='image/gif' |
Hope this is helpful for everyone and as always, Happy Hunting!
9 Comments
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- Using NetWitness to Detect Phishing reCAPTCHA Campaign
- Netwitness Platform Integration with Amazon Elastic Kubernetes Service
- Netwitness Platform Integration with MS Azure Sentinel Incidents
- Netwitness Platform Integration with AWS Application Load Balancer Access logs
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- New HotFix: Addresses Kernel Panic After Upgrading to 12.4.1
- Automation with NetWitness: Core and NetWitness APIs
- HYDRA Brute Force
- DDoS using BotNet Use Case
Labels
-
Announcements
64 -
Events
12 -
Features
12 -
Integrations
15 -
Resources
68 -
Tutorials
32 -
Use Cases
31 -
Videos
119
