1
00:00:00,500 --> 00:00:03,270
This is one of the main advantages of using Wireshark.

2
00:00:03,290 --> 00:00:07,520
Its clean, simple style to display filtered packets.

3
00:00:07,550 --> 00:00:14,750
Wireshark display filters help filter out the matching packets and limit the number of packets displayed

4
00:00:14,750 --> 00:00:19,880
on a live capture or while analyzing a file with captured packets.

5
00:00:19,940 --> 00:00:27,050
Display filters are different from capture filters, and the syntax is slightly different and simpler

6
00:00:27,050 --> 00:00:28,230
than the capture filter.

7
00:00:28,250 --> 00:00:33,230
So to apply a display filter, let's first start with Wireshark here.

8
00:00:34,690 --> 00:00:36,280
So, Wireshark.

9
00:00:38,680 --> 00:00:39,730
And that's it.

10
00:00:39,760 --> 00:00:43,390
Now we will select the zero here.

11
00:00:43,510 --> 00:00:46,150
Let's actually increase the font size a little bit.

12
00:00:46,150 --> 00:00:50,350
And now let's enter our hidden passwords.

13
00:00:50,350 --> 00:00:50,950
Right?

14
00:00:51,130 --> 00:00:55,960
Admin and password, and Wireshark will capture it while password is active.

15
00:00:55,990 --> 00:00:56,680
That's it.

16
00:00:56,710 --> 00:01:02,440
Now we can stop the capturing here because, firstly, we will use the display filter here.

17
00:01:02,440 --> 00:01:12,250
So display filters are different from capture filters, and the syntax is slightly different but simpler

18
00:01:12,580 --> 00:01:14,500
than capture filters.

19
00:01:14,500 --> 00:01:21,040
So to apply a display filter, you can simply add the filter text in the display filter box.

20
00:01:21,040 --> 00:01:27,940
And as you can see, it's highlighted that it applies a display filter, and after writing your

21
00:01:27,940 --> 00:01:35,920
filter command, you can press the enter key, or you can also apply it with this button

22
00:01:35,920 --> 00:01:36,310
here.
23
00:01:36,310 --> 00:01:41,570
So when the display filter is removed from the filter box, all packets are shown here.

24
00:01:41,570 --> 00:01:47,570
So a display filter can match on a protocol type or specific fields in the protocol.

25
00:01:47,600 --> 00:01:54,860
Also, the filter can use logical comparison operators and parentheses to create complex expressions.

26
00:01:54,860 --> 00:01:56,780
So now we will.

27
00:01:56,900 --> 00:01:58,790
We can only display this.

28
00:01:58,820 --> 00:02:01,700
We can also use ARP or ICMP.

29
00:02:02,090 --> 00:02:05,870
With this, we can select the packets of type ARP or ICMP.

30
00:02:06,140 --> 00:02:13,340
Now we will apply some filter, which is "ip.", and as you can see, it shows actually pretty much

31
00:02:13,340 --> 00:02:17,330
every filter or every command when you enter some key.

32
00:02:17,330 --> 00:02:27,470
And here we will add IP address, and here the equal-to sign, after that 192.168.13.

33
00:02:27,740 --> 00:02:28,880
And.

34
00:02:32,060 --> 00:02:34,760
142 here, because 142 is our...

35
00:02:35,600 --> 00:02:37,190
Uh, this website's IP address.

36
00:02:38,840 --> 00:02:42,380
And then you can click on this button or press enter.

37
00:02:43,170 --> 00:02:43,740
With this.

38
00:02:43,740 --> 00:02:48,060
Here we are only displaying the packets.

39
00:02:48,570 --> 00:02:52,770
That's from the IP version host of this IP here.

40
00:02:53,680 --> 00:03:03,820
So what this does is, when you apply this filter in Wireshark, it will only display network packets

41
00:03:03,820 --> 00:03:10,720
that have this IP address, and it ends with 142, either as the source or destination IP address.

42
00:03:10,720 --> 00:03:18,040
In other words, it filters out all the other network traffic and shows only packets associated

43
00:03:18,040 --> 00:03:19,810
with this IP address.

44
00:03:19,810 --> 00:03:22,840
So this type of filter can be useful in various scenarios.
45
00:03:22,840 --> 00:03:28,360
For example, if you are troubleshooting network connectivity issues or monitoring network traffic from

46
00:03:28,360 --> 00:03:35,530
a specific device, you can use this filter to focus on the packets exchanged with a particular IP address,

47
00:03:35,530 --> 00:03:43,780
and it allows you to isolate and analyze the network traffic associated with the specific device or

48
00:03:43,780 --> 00:03:44,350
endpoint.

49
00:03:44,380 --> 00:03:49,510
Here we just have the number of packets: one, 2, 3, 4, 5, 6, 8, 9.

50
00:03:50,620 --> 00:03:51,370
That element.

51
00:03:52,290 --> 00:03:52,850
14.

52
00:03:53,370 --> 00:03:56,160
Yeah, it's 14 packets.

53
00:03:56,610 --> 00:04:00,060
Starting from number 13 to 51.

54
00:04:00,300 --> 00:04:08,280
And we also have the SK, ip, sk here, ip.sk.

55
00:04:08,670 --> 00:04:14,850
But "not": this means, in expressions, if you know programming slightly.

56
00:04:15,210 --> 00:04:17,730
This is the kind of expression that this means.

57
00:04:17,760 --> 00:04:19,520
Yes, and this means "not".

58
00:04:19,530 --> 00:04:22,080
That doesn't match with this IP address.

59
00:04:22,080 --> 00:04:26,820
And here we will do six, eight, 13, 142.

60
00:04:26,820 --> 00:04:30,810
And here now we are displaying.

61
00:04:32,260 --> 00:04:33,900
Another filter is packets.

62
00:04:33,910 --> 00:04:38,020
So this not-equal-to operator.

63
00:04:38,020 --> 00:04:42,220
So the ternary and equal-to operator means actually not equal to.

64
00:04:42,520 --> 00:04:47,200
And after that we are entering the specific IP address that we want to exclude.

65
00:04:47,200 --> 00:04:47,620
Right?

66
00:04:47,620 --> 00:04:53,200
So when you apply this filter in Wireshark, it will show all the network packets except those that have

67
00:04:53,200 --> 00:04:57,970
the IP address of this here that ends with 142.

68
00:04:57,970 --> 00:05:03,010
So it will show all network packets except that IP address.
69
00:05:03,490 --> 00:05:10,120
In other words, it filters out all the packets originating from that particular IP address and displays

70
00:05:10,120 --> 00:05:12,160
the rest of the network traffic.

71
00:05:12,160 --> 00:05:18,370
So this filter can be useful in scenarios where you want to focus on analyzing network traffic, but

72
00:05:18,400 --> 00:05:23,380
exclude packets coming from a specific device or source IP address.

73
00:05:23,380 --> 00:05:29,020
And it allows you to narrow down your analysis to the packets that do not originate from the specified

74
00:05:29,050 --> 00:05:30,190
IP address.

75
00:05:30,190 --> 00:05:35,570
And remember, Wireshark provides a wide range of filtering options, allowing you to specify multiple

76
00:05:35,570 --> 00:05:39,890
criteria and combine filters to meet your specific needs.

77
00:05:39,890 --> 00:05:47,090
And we also have another filter named IP address, but in a slightly different way.

78
00:05:48,140 --> 00:05:48,710
Here.

79
00:05:48,710 --> 00:05:50,240
Let's write it down here.

80
00:05:50,240 --> 00:05:51,450
So IP.

81
00:05:52,760 --> 00:05:59,390
Let's delete this. "ip.addr" here means address 192.168.

82
00:06:00,920 --> 00:06:03,620
13.0 and 24.

83
00:06:03,770 --> 00:06:07,490
This is, if you remember from the previous lecture, actually the subnet mask.

84
00:06:07,520 --> 00:06:08,570
This means.

85
00:06:11,270 --> 00:06:15,510
This will list all the IP addresses, all the possible IP addresses.

86
00:06:15,830 --> 00:06:21,290
Filter out all the possible IP addresses from 0 to 255.

87
00:06:22,010 --> 00:06:25,340
Now let's apply this filter by entering.

88
00:06:26,270 --> 00:06:26,750
Pressing.

89
00:06:26,750 --> 00:06:27,320
Enter.

90
00:06:27,740 --> 00:06:28,490
That's it.

91
00:06:33,080 --> 00:06:35,550
IP address, two point.

92
00:06:36,790 --> 00:06:38,640
13 or.

93
00:06:42,000 --> 00:06:42,390
Here.

94
00:06:42,390 --> 00:06:44,730
Now, we will enter that IP address again.
95
00:06:45,210 --> 00:06:46,980
IP address here.

96
00:06:49,160 --> 00:06:54,410
Address here starts with 19... 192.168.

97
00:06:54,860 --> 00:06:57,860
13.0 and 24.

98
00:07:00,950 --> 00:07:02,270
Now here.

99
00:07:06,850 --> 00:07:07,750
We are cops.

100
00:07:07,860 --> 00:07:09,540
We need to use two equal signs.

101
00:07:09,570 --> 00:07:10,110
Sorry.

102
00:07:10,500 --> 00:07:11,130
That's it.

103
00:07:12,070 --> 00:07:14,830
And here with this.

104
00:07:15,310 --> 00:07:15,820
That's it.

105
00:07:18,610 --> 00:07:25,480
We are applying this filter in Wireshark because it will capture and display network packets that have

106
00:07:25,480 --> 00:07:30,400
source or destination IP addresses within the specified subnet.

107
00:07:30,400 --> 00:07:35,640
So it allows you to focus on the network traffic occurring within that particular subnet here.

108
00:07:35,650 --> 00:07:41,410
So this filter can be useful in various situations as well, such as monitoring or troubleshooting network

109
00:07:41,410 --> 00:07:48,130
traffic within a specific network segment or identifying communication patterns within a particular subnet.

110
00:07:48,130 --> 00:07:53,980
In this case, it will, as I said, filter out the packets from zero.

111
00:07:54,280 --> 00:08:00,490
That is, IP addresses that end with 0 to 255.

112
00:08:01,200 --> 00:08:06,330
And lastly in this lecture, this is a beginner lecture,

113
00:08:06,330 --> 00:08:14,820
we also have TCP port here, or TCP port here of 80, or UDP port.

114
00:08:14,850 --> 00:08:16,500
UDP port.

115
00:08:19,870 --> 00:08:20,260
Eight.

116
00:08:23,000 --> 00:08:23,360
Eight.

117
00:08:26,490 --> 00:08:34,950
And this "TCP port 80 or UDP port == 80" in Wireshark is used to capture and display network

118
00:08:34,950 --> 00:08:39,810
packets that have either TCP or UDP traffic on port 80.
119
00:08:39,990 --> 00:08:49,260
So here, the first command here, um, filters packets that have TCP traffic on port 80.

120
00:08:49,350 --> 00:08:54,270
So port 80 is the default port for HTTP (Hypertext Transfer Protocol) traffic.

121
00:08:54,270 --> 00:08:58,130
And this port is commonly used for web browsing.

122
00:08:58,140 --> 00:09:05,100
And this over here is a logical operator that allows combining multiple filter conditions, which in

123
00:09:05,100 --> 00:09:13,290
this case we combined UDP and TCP, and UDP port == 80.

124
00:09:13,650 --> 00:09:17,490
This filters the packets that have UDP traffic on port 80.

125
00:09:17,640 --> 00:09:23,400
UDP (User Datagram Protocol) is another transport protocol that can be used for various applications, and

126
00:09:23,400 --> 00:09:28,300
port 80 is sometimes used for non-standard UDP services.

127
00:09:28,300 --> 00:09:33,520
So when you apply this filter in Wireshark, it will capture and display network packets that are either

128
00:09:33,550 --> 00:09:36,700
TCP or UDP packets on port 80.

129
00:09:36,700 --> 00:09:46,360
So this can be useful when you want to specifically focus on HTTP or other protocols that may

130
00:09:46,360 --> 00:09:47,490
use port 80.

131
00:09:47,530 --> 00:09:55,470
You can also change this port to 443 or whatever port you want to filter out.

132
00:09:55,480 --> 00:10:03,160
So, as I said, it's worth mentioning that you can modify this filter or combine it with other filters

133
00:10:03,160 --> 00:10:09,670
to capture packets based on different criteria such as specific source or destination IP addresses,

134
00:10:09,670 --> 00:10:11,760
protocols, packet types, etcetera.

135
00:10:11,770 --> 00:10:18,640
So Wireshark provides a wide range of filtering options to meet various analysis requirements.