Wireshark mailing list archives
Re: Need filters
From: "David H. Lipman" <DLipman () Verizon Net>
Date: Tue, 22 Jun 2010 17:44:49 -0400
From: "Jaap Keuter" <jaap.keuter () xs4all nl>
| On 06/22/2010 10:52 PM, David H. Lipman wrote:
| From: "Jaap Keuter" <jaap.keuter () xs4all nl>
| | Hi,
| | You need a display filter?
| | Just point and click; point to the packet with the protocol you don't want,
| | right-click and add to filter.
| | Thanks,
| | Jaap
|
| I'm kind of in the middle but here goes... { I say I am in the middle because it is not my website. }
|
| This is a web site that accepts malicious samples. The site sandboxes and executes the malicious samples and then sends a PCAP file of communication and an HTML file of activity.
|
| The PCAP is full of Microsoft "noise" that doesn't have to do with the malware analysis. The objective is to filter out the noise and generate a PCAP without said noise. That filtered PCAP and the HTML report are subsequently ZIPed and emailed to the malicious file submitter.
|
| Ah ok, you need a capture filter then? I assume you capture using libpcap.
| A quick web search shows the following:
|
| Microsoft Protocols
| TCP PORT 139    tcp port 139
| UDP PORT 137    udp port 137
| UDP PORT 138    udp port 138
| UDP PORT 445    udp port 445
| SMB             dst port 139 && tcp[13:1] & 18 = 2
|
| which would result in
|
| not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)
|
| But if you're interested in the HTTP protocol only, why not filter on that?
| That would be: tcp port 80
|
| Hope it helps.

It isn't just HTTP. For example, here is a result from Threat Expert for a CyberGate RAT.

http://www.threatexpert.com/report.aspx?md5=de13803c2c3a55082e35c96bd86abae4

Note: IP = 92.241.168.24 @ TCP port 50325

We'll see all sorts of communication from malware. But we also do need the normal background Microsoft chatter; at the same time we don't want to filter out an SDBot trying to spread via SMB.

I hope it is OK. I attached two PCAP files in a ZIP file with data that we do NOT need to see in a resultant report.

[Attachment: pcaps.zip (uuencoded in the original message; not reproduced here)]

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
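The thread leaves two points hanging: what the quoted capture filter actually drops, and how to drop the background NetBIOS chatter without also hiding a sample that probes neighbouring hosts over SMB. The following is an added example, not code from the thread or from Wireshark/libpcap: a small pure-Python pass over a classic pcap file that applies two rules to the same capture. `matches_thread_bpf` reproduces the semantics of the quoted expression `not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)` (note that it never touches TCP 445, which is where SMB direct hosting actually runs; the quoted list names UDP 445). `is_background_noise` is the narrower alternative: it drops only NetBIOS name/datagram service traffic (UDP 137/138) sent to a broadcast address and keeps all unicast SMB, so a spreading attempt stays visible in the report. All function names are mine, the sample capture is constructed in memory (only the 92.241.168.24:50325 pair comes from the ThreatExpert note above), and it assumes Ethernet/IPv4 frames in the classic pcap format (no pcapng, no IPv6).

```python
"""Added example: filter 'Microsoft background noise' out of a classic pcap.

Two rules are applied to a constructed capture:
  matches_thread_bpf  - semantics of the thread's capture filter
  is_background_noise - drops only NetBIOS broadcasts, keeps unicast SMB
Only Ethernet/IPv4/{TCP,UDP} in classic pcap format is handled here.
"""
import struct
from typing import Callable, Iterator, List, NamedTuple, Tuple


class Packet(NamedTuple):
    proto: str   # 'tcp', 'udp' or 'other'
    src: str
    dst: str
    sport: int
    dport: int


def _endian(data: bytes) -> str:
    """Classic pcap magic in either byte order; pcapng is rejected."""
    if data[:4] == b'\xd4\xc3\xb2\xa1':
        return '<'
    if data[:4] == b'\xa1\xb2\xc3\xd4':
        return '>'
    raise ValueError('not a classic pcap file (pcapng is not handled here)')


def iter_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (16-byte record header, frame bytes) for every record."""
    endian = _endian(data)
    if struct.unpack(endian + 'I', data[20:24])[0] != 1:
        raise ValueError('only Ethernet (DLT_EN10MB) captures are handled here')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + 'I', data[off + 8:off + 12])[0]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_frame(frame: bytes) -> Packet:
    """Decode Ethernet/IPv4/{TCP,UDP} headers; anything else is proto='other'."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return Packet('other', '', '', 0, 0)
    ihl = (frame[14] & 0x0F) * 4
    proto_num = frame[23]
    src = '.'.join(str(b) for b in frame[26:30])
    dst = '.'.join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto_num in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack('>HH', l4[:4])
        return Packet('tcp' if proto_num == 6 else 'udp', src, dst, sport, dport)
    return Packet('other', src, dst, 0, 0)


def packets(data: bytes) -> List[Packet]:
    return [parse_frame(frame) for _, frame in iter_records(data)]


Rule = Callable[[Packet, frozenset], bool]


def matches_thread_bpf(pkt: Packet, broadcast: frozenset = frozenset()) -> bool:
    """Same semantics as the thread's filter: 'port N' matches either end."""
    if pkt.proto == 'tcp':
        return 139 in (pkt.sport, pkt.dport)
    if pkt.proto == 'udp':
        return bool({pkt.sport, pkt.dport} & {137, 138, 445})
    return False


def is_background_noise(pkt: Packet, broadcast: frozenset) -> bool:
    """Drop only NBNS/NBDS broadcasts; unicast SMB (TCP 139/445) is kept on
    purpose, since a sample probing other hosts over SMB belongs in the report."""
    return pkt.proto == 'udp' and pkt.dport in (137, 138) and pkt.dst in broadcast


def filter_pcap(data: bytes, rule: Rule,
                broadcast: frozenset = frozenset({'255.255.255.255'})) -> bytes:
    """Return a new pcap holding every record the rule does not flag as noise."""
    out = [data[:24]]  # global header copied unchanged
    for rec_hdr, frame in iter_records(data):
        if not rule(parse_frame(frame), broadcast):
            out.append(rec_hdr + frame)
    return b''.join(out)


def _ipv4_frame(proto_num: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left at zero)."""
    inet = lambda a: bytes(int(o) for o in a.split('.'))
    if proto_num == 6:   # TCP: data offset 5, SYN, window 8192
        l4 = struct.pack('>HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:                # UDP: length 8, no payload
        l4 = struct.pack('>HHHH', sport, dport, 8, 0)
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto_num, 0, inet(src), inet(dst))
    return bytes(12) + b'\x08\x00' + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed sandbox-style capture (addresses are made up except the last)."""
    frames = [
        _ipv4_frame(17, '10.0.2.15', '10.0.2.255', 137, 137),       # NBNS subnet broadcast
        _ipv4_frame(17, '10.0.2.15', '255.255.255.255', 138, 138),  # NBDS limited broadcast
        _ipv4_frame(6, '10.0.2.15', '10.0.2.20', 1042, 445),        # SMB direct to a neighbour
        _ipv4_frame(6, '10.0.2.15', '10.0.2.21', 1043, 139),        # SMB over NetBIOS session
        _ipv4_frame(6, '10.0.2.15', '92.241.168.24', 1044, 50325),  # C2 port from the report
    ]
    header = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack('<IIII', 1277000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b''.join(records)


if __name__ == '__main__':
    sample = build_sample_pcap()
    lan = frozenset({'255.255.255.255', '10.0.2.255'})
    for name, rule in (('thread bpf', matches_thread_bpf), ('broadcast-only', is_background_noise)):
        kept = packets(filter_pcap(sample, rule, lan))
        print(name, [(p.proto, p.dst, p.dport) for p in kept])
```

Run stand-alone it prints what survives each rule: the thread's expression keeps the unicast TCP 445 attempt (not covered by the quoted ports) and the 50325 callback but drops the TCP 139 attempt together with the broadcasts, whereas the broadcast-only rule keeps both SMB attempts. The `broadcast` set has to include the sandbox subnet's directed broadcast address, not just 255.255.255.255, or NBNS name queries to 10.0.2.255 are kept as well.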