Wireshark 101: Expressions

On this HakTip, Shannon Morse covers the syntax of filters and expressions for Wireshark.

When discussing the OSI Model - several Youtube fans said they memorize it in fun ways, such as: Cross Over with "Please Do Not Throw Sausage Pizza Away?", Megapadzz used "Princess Diana Never Tried Shagging Prince Andrew" and for the data type on each layer "But Fergie Proclaims She Did Did Did for Bits, Frames, Packets, Segments, Data, Data, Data?", Ramuk uses "All People Seem To Need Data Processing?", and Ben uses "Pew dead ninja turtles smell particularly aweful?"!

Moving on, today we're totally focusing on Expressions. First let's break down the syntax. Each syntax is called an expression, and the expression has a bunch of parts. I have a couple of parts called primitives, and those primitives are divided up by operators. Each primitive can have a qualifier in it as well as an ID. Operators can be &&, || or ! (which mean AND, OR, and NOT). Qualifiers can either be Type (which would be like host, net or port). These identify what the ID refers to. Dir (src, dst). Dir tells you whether the transfer is to or from the ID. Or Proto (ether, tcp, udp, http, ftp). This is a particular protocol. I've printed out a cheat sheet for all of these. Since there are SO MANY display filters that you can use, it's pretty common to find posters like this on the internet free for use.

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.