WEBVTT

00:00.500 --> 00:03.270
This is one of the main advantages of using Wireshark.

00:03.290 --> 00:07.520
Its clean, simple style to display filtered packets.

00:07.550 --> 00:14.750
Wireshark display filters help filter out the matching packets and limit the number of packets displayed

00:14.750 --> 00:19.880
on a live capture or while analyzing a file with captured packets.

00:19.940 --> 00:27.050
Display filters are different from capture filters, and the syntax is slightly different and simpler

00:27.050 --> 00:28.230
than the capture filter.

00:28.250 --> 00:33.230
So to apply a display filter, let's first start with Wireshark here.

00:34.690 --> 00:36.280
So, Wireshark.

00:38.680 --> 00:39.730
And that's it.

00:39.760 --> 00:43.390
Now we will select the zero here.

00:43.510 --> 00:46.150
Let's actually increase the font size a little bit.

00:46.150 --> 00:50.350
And now let's enter our hidden passwords.

00:50.350 --> 00:50.950
Right?

00:51.130 --> 00:55.960
Admin and password and Wireshark will capture it while password is active.

00:55.990 --> 00:56.680
That's it.

00:56.710 --> 01:02.440
Now we can stop the capturing here because, firstly, we will use the display filter here.

01:02.440 --> 01:12.250
So display filters are different from capture filters and the syntax is slightly different but simpler

01:12.580 --> 01:14.500
than capture filters.

01:14.500 --> 01:21.040
So to apply a display filter, simply you can add the filter text in the display filter box.

01:21.040 --> 01:27.940
And as you can see, it's highlighted that it applies a display filter, and after writing your

01:27.940 --> 01:35.920
filter command, you can press the Enter key or you can also apply it with this button

01:35.920 --> 01:36.310
here.

01:36.310 --> 01:41.570
So when the display filter is removed from the filter box, all packets are shown here.

01:41.570 --> 01:47.570
So a display filter can filter matching on a protocol type or specific fields in the protocol.

01:47.600 --> 01:54.860
Also, the filter can use logical comparison operators and parentheses to create complex expressions.

01:54.860 --> 01:56.780
So now we will.

01:56.900 --> 01:58.790
We can only display this.

01:58.820 --> 02:01.700
We can also use ARP or ICMP.

02:02.090 --> 02:05.870
With this, we can select the packets of Type ARP or ICMP.

02:06.140 --> 02:13.340
Now we will apply some filter, which is ip dot, and as you can see, it actually shows pretty much

02:13.340 --> 02:17.330
every filter or every command when you enter some key.

02:17.330 --> 02:27.470
And here we will enter an IP address, and here two equal signs, and after that 192168 13.

02:27.740 --> 02:28.880
And.

02:32.060 --> 02:34.760
One for two here because one for two is our.

02:35.600 --> 02:37.190
Uh, this website's IP address.

02:38.840 --> 02:42.380
And then you can click on this button or press enter.

02:43.170 --> 02:43.740
With this.

02:43.740 --> 02:48.060
Here we are only displaying the packets.

02:48.570 --> 02:52.770
That's from the IP version, host of this IP here.

02:53.680 --> 03:03.820
So what this does is when you apply this filter in Wireshark, it will only display network packets

03:03.820 --> 03:10.720
that have this IP address and it ends with 142 either as the source or destination IP address.

03:10.720 --> 03:18.040
And in other words, it filters out all the other network traffic and shows only packets associated

03:18.040 --> 03:19.810
with this IP address.

03:19.810 --> 03:22.840
So this type of filter can be useful in various scenarios.

03:22.840 --> 03:28.360
For example, if you are troubleshooting network connectivity issues or monitoring network traffic from

03:28.360 --> 03:35.530
a specific device, you can use this filter to focus on the packets exchanged with a particular IP address

03:35.530 --> 03:43.780
and it allows you to isolate and analyze the network traffic associated with the specific device or

03:43.780 --> 03:44.350
endpoint.

03:44.380 --> 03:49.510
Here we just have number of packets one, 234, 568, nine.

03:50.620 --> 03:51.370
That element.

03:52.290 --> 03:52.850
14.

03:53.370 --> 03:56.160
Yeah, it's 14 packets.

03:56.610 --> 04:00.060
Started from number 13 to 51.

04:00.300 --> 04:08.280
And we also have the SK, ip, sk here, ip.sk.

04:08.670 --> 04:14.850
But not to this means in expressions if you know programming slightly.

04:15.210 --> 04:17.730
This is the kind of expression that this means.

04:17.760 --> 04:19.520
Yes, and this means not to.

04:19.530 --> 04:22.080
That doesn't match with this IP address.

04:22.080 --> 04:26.820
And here we will do six, eight, 13 4142.

04:26.820 --> 04:30.810
And here now we are displaying.

04:32.260 --> 04:33.900
Another filter is packets.

04:33.910 --> 04:38.020
So this not equal to operator.

04:38.020 --> 04:42.220
So ternary and equal to operator means actually not equal to.

04:42.520 --> 04:47.200
And after that we are entering the specific IP address that we want to exclude.

04:47.200 --> 04:47.620
Right?

04:47.620 --> 04:53.200
So when you apply this filter in Wireshark, it will show all the network packets except those that have

04:53.200 --> 04:57.970
the IP address of this here that ends with 142.

04:57.970 --> 05:03.010
So it will show all network packets except that IP address.

05:03.490 --> 05:10.120
In other words, it filters out all the packets originating from that particular IP address and displays

05:10.120 --> 05:12.160
the rest of the network traffic.

05:12.160 --> 05:18.370
So this filter can be useful in scenarios where you want to focus on analyzing network traffic, but

05:18.400 --> 05:23.380
exclude packets coming from a specific device or source IP address.

05:23.380 --> 05:29.020
And it allows you to narrow down your analysis to the packets that do not originate from the specified

05:29.050 --> 05:30.190
IP address.

05:30.190 --> 05:35.570
And remember, Wireshark provides a wide range of filtering options, allowing you to specify multiple

05:35.570 --> 05:39.890
criteria and combine filters to meet your specific needs.

05:39.890 --> 05:47.090
And we also have another filter named IP address, but in a slightly different way.

05:48.140 --> 05:48.710
Here.

05:48.710 --> 05:50.240
Let's write it down here.

05:50.240 --> 05:51.450
So IP.

05:52.760 --> 05:59.390
Let's delete this. ip.addr here means address 192168.

06:00.920 --> 06:03.620
13.0 and 24.

06:03.770 --> 06:07.490
If you remember from the previous lecture, this is actually a subnet mask.

06:07.520 --> 06:08.570
This means.

06:11.270 --> 06:15.510
This will list all the IP address, all the possible IP addresses.

06:15.830 --> 06:21.290
Filter out all the possible IP addresses from 0 to 255.

06:22.010 --> 06:25.340
Now let's apply this filter by entering.

06:26.270 --> 06:26.750
Pressing.

06:26.750 --> 06:27.320
Enter.

06:27.740 --> 06:28.490
That's it.

06:33.080 --> 06:35.550
IP address two point.

06:36.790 --> 06:38.640
13 or.

06:42.000 --> 06:42.390
Here.

06:42.390 --> 06:44.730
Now, we will enter that IP address again.

06:45.210 --> 06:46.980
IP address here.

06:49.160 --> 06:54.410
Address here starts with 19192168..

06:54.860 --> 06:57.860
13.0 and 24.

07:00.950 --> 07:02.270
Now here.

07:06.850 --> 07:07.750
We are cops.

07:07.860 --> 07:09.540
We need to use two equal signs.

07:09.570 --> 07:10.110
Sorry.

07:10.500 --> 07:11.130
That's it.

07:12.070 --> 07:14.830
And here with this.

07:15.310 --> 07:15.820
That's it.

07:18.610 --> 07:25.480
We are applying this filter in Wireshark because it will capture and display network packets that have

07:25.480 --> 07:30.400
source or destination IP addresses with the specified subnet.

07:30.400 --> 07:35.640
So it allows you to focus on the network traffic occurring with that particular subnet here.

07:35.650 --> 07:41.410
So this filter can be useful in various situations as well, such as monitoring or troubleshooting network

07:41.410 --> 07:48.130
traffic within a specific network segment or identifying communication patterns with a particular subnet.

07:48.130 --> 07:53.980
In this case, as I said, it will filter out the packets from zero.

07:54.280 --> 08:00.490
That is, IP addresses that end with 0 to 255.

08:01.200 --> 08:06.330
And lastly in this lecture, which is a beginner lecture.

08:06.330 --> 08:14.820
We also have TCP port here, TCP port of 80, or UDP port.

08:14.850 --> 08:16.500
UDP port.

08:19.870 --> 08:20.260
Eight.

08:23.000 --> 08:23.360
Eight.

08:26.490 --> 08:34.950
And this TCP, TCP port 80 or UDP port equal equal 80 in Wireshark is used to capture and display network

08:34.950 --> 08:39.810
packets that have either TCP or UDP traffic on port 80.

08:39.990 --> 08:49.260
So here, the first command here, um, filters packets that have TCP traffic on port 80.

08:49.350 --> 08:54.270
So port 80 is the default port for HTTP (Hypertext Transfer Protocol) traffic.

08:54.270 --> 08:58.130
And this port is commonly used for web browsing.

08:58.140 --> 09:05.100
And this over here is a logical operator that allows combining multiple filter conditions, which in

09:05.100 --> 09:13.290
this case we combined UDP and TCP and UDP port equal equal 80.

09:13.650 --> 09:17.490
This filters the packets that have UDP traffic on port 80.

09:17.640 --> 09:23.400
UDP (User Datagram Protocol) is another transport protocol that can be used for various applications and

09:23.400 --> 09:28.300
port 80 is sometimes used for non-standard UDP services.

09:28.300 --> 09:33.520
So when you apply this filter in Wireshark, it will capture and display network packets that are either

09:33.550 --> 09:36.700
TCP or UDP packets on port 80.

09:36.700 --> 09:46.360
So this can be useful when you want to specifically focus on HTTP or other protocols that may

09:46.360 --> 09:47.490
use port 80.

09:47.530 --> 09:55.470
You can also change this port to 443 or whatever the port you want to filter out.

09:55.480 --> 10:03.160
And as I said, it's worth mentioning that you can modify this filter or combine it with other filters

10:03.160 --> 10:09.670
to capture packets based on different criteria such as specific source or destination IP addresses,

10:09.670 --> 10:11.760
protocols, packet types, etcetera.

10:11.770 --> 10:18.640
So Wireshark provides a wide range of filtering options to meet various analysis requirements.
