Skip to content
This repository has been archived by the owner on Oct 15, 2022. It is now read-only.

Commit

Permalink
Merge pull request #3912 from adityatandon007/adityatandon/wireshark
Browse files Browse the repository at this point in the history 
New IA Wireshark Cheat Sheet
  • Loading branch information
@gautamkrishnar
gautamkrishnar authored Feb 6, 2017
2 parents e42aef2 + e10c681 commit 6cd3412
Showing 1 changed file with 233 additions and 0 deletions.
233 changes: 233 additions & 0 deletions share/goodie/cheat_sheets/json/wireshark.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,233 @@
{
"id": "wireshark_cheat_sheet",
"name": "Wireshark",
"description": "A network protocol analyzer",

"metadata": {
"sourceName": "Wireshark.org",
"sourceUrl" : "https://www.wireshark.org/docs/man-pages/wireshark-filter.html"
},

"aliases": [
"gui tshark"
],

"template_type": "reference",

"section_order": [
"Installation",
"Main Window Navigation",
"Comparison Operators Display Filter",
"Field Types Display Filter",
"Logical Operators Display Filter"
],

"sections": {
"Installation": [
{
"key": "Windows Installation",
"val": "Download wireshark from https://www.wireshark.org/download.html and execute the installer file"
},
{
"key": "Ubuntu Installation",
"val": "apt-get install wireshark"
}
],
"Main Window Navigation": [
{
"key": "[ Shift ] [ Tab ] / [ Tab ]",
"val": "Move between screen elements, e.g. from the toolbars to the packet list to the packet detail"
},
{
"key": "[ ↓ ]",
"val": "Move to the next packet or detail item"
},
{
"key": "[ ↑ ]",
"val": "Move to the previous packet or detail item"
},
{
"key": "[ Ctrl ] [ ↓ ] / [ F8 ]",
"val": "Move to the next packet, even if the packet list isn’t focused"
},
{
"key": "[ Ctrl ] [ ↑ ] / [ F7 ]",
"val": "Move to the previous packet, even if the packet list isn’t focused"
},
{
"key": "[ Ctrl ] [ . ]",
"val": "Move to the next packet of the conversation (TCP, UDP or IP)"
},
{
"key": "[ Ctrl ] [ , ]",
"val": "Move to the previous packet of the conversation (TCP, UDP or IP)"
},
{
"key": "[ ← ]",
"val": "In the packet detail, closes the selected tree item. If it’s already closed, jumps to the parent node"
},
{
"key": "[ → ]",
"val": "In the packet detail, opens the selected tree item"
},
{
"key": "[ Shift ] [ → ]",
"val": "In the packet detail, opens the selected tree item and all of its subtrees"
},
{
"key": "[ Ctrl ] [ → ]",
"val": "In the packet detail, opens all tree items"
},
{
"key": "[ Ctrl ] [ ← ]",
"val": "In the packet detail, closes all tree items"
},
{
"key": "[ Backspace ]",
"val": "In the packet detail, jumps to the parent node"
},
{
"key": "[ Return ] / [ Enter ]",
"val": "In the packet detail, toggles the selected tree item"
}
],
"Comparison Operators Display Filter": [
{
"key": "eq / [ == ]",
"val": "Equal Ex: ip.src == 10.0.0.5"
},
{
"key": "ne / [ != ]",
"val": "Not Equal Ex: ip.src != 10.0.0.5"
},
{
"key": "gt / [ > ]",
"val": "Greater than Ex: frame.len > 10"
},
{
"key": "lt / [ < ]",
"val": "Less than Ex: frame.len < 128"
},
{
"key": "ge / [ >= ]",
"val": "Greater than or equal to Ex: frame.len ge 0x100"
},
{
"key": "le / [ <= ]",
"val": "Less than or equal to Ex: frame.len <= 0x20"
},
{
"key": "contains",
"val": "Protocol, field or slice contains a value Ex: http contains \"https:\/\/www.wireshark.org\""
},
{
"key": "matches",
"val": "Protocol or text field matches Perl regualar expression Ex: wsp.user_agent matches \"(?i)cldc\""
},
{
"key": "bitwise_and / [ & ]",
"val": "Compare bit field value Ex: tcp.flags & 0x02"
}
],
"Field Types Display Filter" : [
{
"key": "Unsigned/Signed integer",
"val": "Can be 8, 16, 24, 32, or 64 bits (decimal,octal or hexadecimal) Ex: ip.len le 0x436"
},
{
"key": "Boolean",
"val": "It is present in the protocol decode only if its value is true Ex: +tcp.flags.syn+"
},
{
"key": "Text string",
"val": " Strings are enclosed in double quotes Ex: http.request.method == \"POST\""
},
{
"key": "Ethernet or MAC address",
"val": "eth.len, eth.src, eth.dst, eth.addr,eth.lg, eth.type, eth.trailer Ex: eth.dst == ff:ff:ff:ff:ff:ff"
},
{
"key": "WLAN (802.11)",
"val": "wlan.addr, wlan.ra, wlan.ta, wlan.da, wlan.sa, wlan.fc.type, wlan.fc.type_subtype, wlan.bssid, wlan.aid"
},
{
"key": "IPv4 address",
"val": "ip.addr, ip.checksum, ip.dst, ip.flags, ip.fragment, ip.host, ip.len, ip.id, ip.src, ip.ttl Ex: ip.src == 192.168.0.1"
},
{
"key": "IPv6 address",
"val": "ipv6.addr, ipv6.dst, ipv6.class, ipv6.fragment, ipv6.host, ipv6.src, ipv6.nxt, ipv6.flow, ipv6.version Ex: ipv6.addr == ::1"
},
{
"key": "ARP filter",
"val": "arp.dst.hw_mac, arp.hw.size, arp.hw_type, arp.opcode, arp.proto.size, arp.proto.type, arp.src.hw_mac, arp.src.proto_ipv4"
},
{
"key": "TCP filter",
"val": "tcp.ack, tcp.checksum, tcp.dstport, tcp.flags, tcp.flags.ack, tcp.flags.syn, tcp.flags.reset, tcp.len, tcp.srcport, tcp.dstport, tcp.seq"
},
{
"key": "UDP filter",
"val": "udp.checksum, udp.dstport, udp.srcport, udp.port, udp.length, udp.checksum_good, udp.checksum_bad"
},
{
"key": "Frame relay",
"val": "fr.becn, fr.control, fr.control.ftype, fr.control.p, fr.dc, fr.cr, fr.de, fr.dlci, fr.ea, fr.snaptype, fr.nlpid, fr.fecn, fr.snap.pid"
},
{
"key": "PPP filter",
"val": "ppp.address, ppp.direction, ppp.control, ppp.protocol"
},
{
"key": "MPLS filter",
"val": "mpls.bottom, mpls.cw.control, mpls.exp, mpls.label, mpls.oam.frequency, mpls.oam.function_type, mpls.oam.defect_type, mpls.ttl"
},
{
"key": "ICMP filter",
"val": "icmp.checksum, icmp.code, icmp.checksum_bad, icmp.ident, icmp.seq, icmp.type, icmp.mtu"
},
{
"key": "VTP filter",
"val": "vtp.code, vtp.md, vtp.md5_digest, vtp.md_len, vtp.seq_num, vtp.version, vtp.vlan_info.len, vtp.vlan_info.mtu_size, vtp.vlan_info.vlan_type"
},
{
"key": "ICMPv6",
"val": "icmpv6.code, icmpv6.checksum, icmpv6.checksum_bad, icmpv6.comp, icmpv6.identifier, icmpv6.option, icmpv6.type, icmpv6.option.length"
},
{
"key": "RIP filter",
"val": "rip.auth.passwd, rip.ip, rip.netmask, rip.metric, rip.family, rip.next_hop, rip.version, rip.command, rip.route_tag"
},
{
"key": "HTTP filter",
"val": "http.accept, http.authbasic, http.cache_control, http.connection, http.cookie, http.host, http.request, http.response, http.user_agent"
}
],
"Logical Operators Display Filter": [
{
"key": "and / [ && ]",
"val": "Logical AND Ex: ip.src==10.0.0.5 and tcp.flags.fin"
},
{
"key": "or / [ || ]",
"val": "Logical OR Ex: ip.scr==10.0.0.5 or ip.src==192.1.1.1"
},
{
"key": "xor / [ ^^ ]",
"val": "Logical XOR Ex: tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29"
},
{
"key": "not / [ ! ]",
"val": "Logical NOT Ex: not llc"
},
{
"key": "[...]",
"val": "Substring Operator Ex: eth.src[0:3] == 00:00:83 Ex: eth.src[1-2] == 00:83 Ex: eth.src[:4] == 00:00:83:00 Ex: eth.src[4:] == 20:20"
},
{
"key": "in",
"val": "Membership Operator Ex: tcp.port in {80 443 8080}"
}
]
}
}

0 comments on commit 6cd3412

Please sign in to comment.