I’m a big fan of Wireshark but recently found myself using Microsoft Network Monitor more, as we have it installed on a lot of web servers. Here is a list of filters that I found useful. Some of these filters can be found on the Microsoft blog.
IPV4 Filters:
//Filter to show only ICMP packets from a source IP
ipv4.SourceAddress == 192.168.11.44 AND ICMP
//Filter on source IPv4 address.
IPv4.SourceAddress == 192.168.11.1
//Filter on IPv4 address (source or destination).
IPv4.Address == 192.168.0.1
//View IPv4 traffic between a source and a destination node.
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222
//Show Retransmits
Property.TCPRetransmit == 1
Property.TCPSynRetransmit == 1
//Find a Web page string (URI or URL).
Contains(Http.Request.URI,"msn.com")
//Hide RDP if the network trace was captured in a terminal session.
!(tcp.port==3389)
TLS/SSL Filters:
//Filter frames with SSL Handshake
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1
//TLS 1.x Client Hello filter, determine client and server
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello
//Show TLS Alerts
TLS.TlsRecLayer.TlsRecordLayer.ContentType== 0x15
//Show frames which contain certificates exchanged in the TLS negotiation (Certificate handshake message); useful for viewing the server's certificate chain
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0xb
//Show all TCP SYN-ACK frames (the second step of the 3-way handshake, i.e. frames with both SYN and ACK set)
TCP.Flags.Ack == 1 AND TCP.Flags.Syn == 1
Cipher Filters:
A mapping of TLS cipher suite names to the hex IDs used in the filters below can be found here:
https://testssl.sh/openssl-iana.mapping.html
//Filter to find TLS Client Hellos which are offering ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xC014
//Filter to find TLS Client Hellos which are offering ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xC013
//Filter to find TLS Client Hellos which are offering ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A) as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xC00A
//Filter to find TLS Client Hellos which are offering ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009) as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xC009
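To show what the TLS handshake and cipher filters above are actually matching on the wire, here is an added example (my own code, not from the original post or from Network Monitor) that parses raw TLS record and handshake headers and evaluates the same predicates: ContentType == 0x15 (alert), HandShakeType == 0x1 (ClientHello) or 0xb (Certificate), and "ClientHello offers cipher suite X". The sample capture is constructed inline (a ClientHello offering 0xC014, 0xC013 and 0xC00A, a Certificate message with an empty chain, and a fatal handshake_failure alert); the function and constant names are my own.

```python
import struct

# TLS record-layer content types and handshake message types (RFC 5246)
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_CERTIFICATE = 0x0B


def parse_records(data):
    """Split raw bytes into TLS records as (content_type, version, payload) tuples."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, version, payload))
        off += 5 + length
    if off != len(data):
        raise ValueError("trailing bytes after last TLS record")
    return records


def handshake_type(record):
    """Handshake message type, or None if the record is not a handshake record."""
    ctype, _, payload = record
    if ctype != CONTENT_HANDSHAKE or not payload:
        return None
    return payload[0]


def client_hello_ciphers(record):
    """Cipher suite IDs offered in a ClientHello record (empty list otherwise)."""
    if handshake_type(record) != HS_CLIENT_HELLO:
        return []
    payload = record[2]
    # 1 byte type + 3 bytes length + 2 bytes client version + 32 bytes random
    off = 4 + 2 + 32
    session_id_len = payload[off]
    off += 1 + session_id_len
    cs_len = struct.unpack("!H", payload[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", payload[i:i + 2])[0] for i in range(off, off + cs_len, 2)]


# Predicates equivalent to the Network Monitor filters listed above
def is_tls_alert(record):          # ContentType == 0x15
    return record[0] == CONTENT_ALERT

def is_client_hello(record):       # HandShakeType == 0x1
    return handshake_type(record) == HS_CLIENT_HELLO

def is_certificate(record):        # HandShakeType == 0xb
    return handshake_type(record) == HS_CERTIFICATE

def offers_cipher(record, suite):  # ClientHello.TLSCipherSuites.Cipher == suite
    return suite in client_hello_ciphers(record)


def apply_filter(records, predicate):
    """Return the indices (frame numbers) of records matching a predicate."""
    return [i for i, r in enumerate(records) if predicate(r)]


# --- constructed sample capture (not real traffic) ---
def build_client_hello(suites):
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # cipher suites, null compression
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs

def build_empty_certificate():
    hs = bytes([HS_CERTIFICATE]) + (3).to_bytes(3, "big") + b"\x00\x00\x00"
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(hs)) + hs

def build_alert():
    return bytes([CONTENT_ALERT]) + struct.pack("!HH", 0x0303, 2) + b"\x02\x28"  # fatal, handshake_failure

SAMPLE_CAPTURE = build_client_hello([0xC014, 0xC013, 0xC00A]) + build_empty_certificate() + build_alert()


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CAPTURE)
    print("ClientHello frames:", apply_filter(recs, is_client_hello))
    print("Certificate frames:", apply_filter(recs, is_certificate))
    print("Alert frames:      ", apply_filter(recs, is_tls_alert))
    print("Offering 0xC014:   ", apply_filter(recs, lambda r: offers_cipher(r, 0xC014)))
```

The cipher-suite filter only inspects the ClientHello, so it tells you what a client is willing to negotiate, not what was actually chosen; the selected suite is in the ServerHello, which this parser does not walk.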