Filtering Traffic in Wireshark

Article ID: 297418

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Taking a tcpdump is often an important step in troubleshooting issues inside Tanzu Application Service (TAS). However, a tcpdump can capture a large volume of data, so it is important to know how to filter that data down in order to speed up troubleshooting.

This guide is intended to demonstrate how to build an effective filter to observe specific traffic.


Resolution

Wireshark display filters let you filter on specific protocols, addresses, and other fields so that trends are easier to observe. It is important to note that display filters are not capture filters, which are configured when taking a tcpdump; a display filter applies to traffic that has already been captured. Display filters use comparison operators such as == (equal to) and != (not equal to), and logical operators such as || (or) and && (and).

Options:

Common Filters:

HTTP Response codes:

  • http.response.code
    • Example: http.response.code >= 500

TCP Flags:
Use: Filtering on TCP flags lets you review the handshake that forms a TCP connection between two endpoints.

  • tcp.flags.<flag>
    • Example: tcp.flags.syn

IP Addresses:
Use: Filtering traffic to and from specific IPs. Often, when looking at packet captures on TAS components, multiple IPs will be communicating with each other. Filtering by IP allows for more granular analysis.

  • IP Addresses can be filtered globally (ip.addr) or you can look specifically at the source (ip.src_host) or destination addresses (ip.dst_host)
    • Example: ip.src_host == 192.168.1.101

Ports:
Use: Filtering on ports narrows the traffic further. For example, if you know your app listens on a port that is unique to it, you can filter to display only those packets.

  • TCP:
    • tcp.port
  • UDP: 
    • udp.port

SSL/TLS Tracking: 
Use: TLS/SSL is critical in securing traffic inside and outside of Tanzu Application Service. You can filter on specific TLS/SSL versions to verify that a supported version is being negotiated.
Note: Only TLS versions 1.2 and 1.3 are currently supported by TAS.

  • ssl.record.version == <version number> (recent Wireshark versions also accept the tls prefix: tls.record.version)
    • Version Numbers:
      • TLS 1.3: 0x0304
      • TLS 1.2: 0x0303
      • TLS 1.1: 0x0302
      • TLS 1.0: 0x0301
      • SSL 3.0: 0x0300
    • Note: TLS 1.3 connections set the record-layer version to 0x0303 for compatibility with older middleboxes, so a filter on 0x0304 will match little or nothing. The negotiated version of a TLS 1.3 session is carried in the supported_versions extension of the ServerHello (tls.handshake.extensions.supported_version == 0x0304).

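
The following Python example is added here to show why the record-version filter needs care; it is not part of this article or of TAS. It builds two minimal ServerHello records from constructed sample bytes (one TLS 1.2, one TLS 1.3) and parses them the way the Wireshark TLS dissector does. The record-layer version and legacy_version read 0x0303 in both cases; only the supported_versions extension (type 43) carries 0x0304 for the TLS 1.3 session. The function names (build_server_hello, parse_server_hello, record_version_matches, negotiated_version) are the example's own.

```python
"""Record-layer version versus negotiated TLS version (added example).

Constructed sample records, not captured TAS traffic: see build_server_hello.
"""
import struct

SUPPORTED_VERSIONS_EXT = 43  # extension type defined in RFC 8446
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_server_hello(negotiated):
    """Build a minimal handshake record carrying a ServerHello (constructed data).

    For TLS 1.3 the record version and legacy_version stay 0x0303, as RFC 8446
    requires; only the supported_versions extension says 0x0304.
    """
    body = struct.pack(">H", 0x0303)                     # legacy_version
    body += b"\x11" * 32                                 # server random (constructed)
    body += b"\x00"                                      # empty session_id
    body += b"\x13\x01" if negotiated == 0x0304 else b"\xc0\x2f"  # cipher suite
    body += b"\x00"                                      # compression_method: null
    exts = b""
    if negotiated == 0x0304:
        exts = struct.pack(">HHH", SUPPORTED_VERSIONS_EXT, 2, negotiated)
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + struct.pack(">HH", 0x0303, len(handshake)) + handshake  # 22 = handshake


def parse_server_hello(record):
    """Return (record_version, legacy_version, negotiated_version).

    negotiated_version comes from supported_versions when present and falls
    back to legacy_version for pre-1.3 sessions, which is how a human reads
    the dissection in Wireshark.
    """
    content_type, rec_version, rec_len = struct.unpack(">BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # skip random
    pos += 1 + body[pos]                        # skip session_id
    pos += 2                                    # skip cipher suite
    pos += 1                                    # skip compression method
    negotiated = legacy_version
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
                negotiated = struct.unpack(">H", data)[0]
    return rec_version, legacy_version, negotiated


def record_version_matches(record, wanted):
    """Same test as the display filter ssl.record.version == <wanted>."""
    return parse_server_hello(record)[0] == wanted


def negotiated_version(record):
    """The version the session actually uses (what the TAS support check needs)."""
    return parse_server_hello(record)[2]


def version_report(record):
    rec_v, legacy_v, neg_v = parse_server_hello(record)
    return (f"record={rec_v:#06x} legacy={legacy_v:#06x} "
            f"negotiated={neg_v:#06x} ({VERSION_NAMES.get(neg_v, 'unknown')})")


if __name__ == "__main__":
    for label, ver in (("TLS 1.2 session", 0x0303), ("TLS 1.3 session", 0x0304)):
        rec = build_server_hello(ver)
        print(f"{label}: {version_report(rec)}; "
              f"ssl.record.version == 0x0304 matches: {record_version_matches(rec, 0x0304)}")
```

Running the script shows both sessions with record=0x0303, and only the TLS 1.3 session with negotiated=0x0304, which is why a filter on the supported_versions extension, rather than on the record version, is the reliable way to confirm TLS 1.3.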
Follow TCP Stream:
Use: Allows you to isolate the view to a single TCP session (this is often the most granular filtering possible).
  • Select a packet from your TCP stream, then on the Menu Bar select Analyze > Follow > TCP Stream (a new window showing the stream contents appears; you can close it)
  • The main Wireshark window is then limited to that single TCP session
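
The Python example below is added to show what Follow > TCP Stream does underneath; it is not part of this article or of TAS. Wireshark identifies a TCP conversation by its bidirectional (address, port) pair, numbers conversations in order of first appearance, and the Follow dialog applies the display filter tcp.stream eq N. The packet summaries are constructed sample data, and the function names (stream_key, assign_streams, follow_stream, follow_filter_for) are the example's own.

```python
"""Grouping packets into TCP streams the way Wireshark's tcp.stream does (added example)."""
from collections import OrderedDict

# Constructed packet summaries: (time, src, sport, dst, dport, flags).
# Three conversations are interleaved; frame numbers are 1-based like the packet list.
PACKETS = [
    (0.000, "10.0.1.5", 51000, "10.0.2.9", 8080, "SYN"),
    (0.001, "10.0.2.9", 8080, "10.0.1.5", 51000, "SYN,ACK"),
    (0.002, "10.0.1.5", 51000, "10.0.2.9", 8080, "ACK"),
    (0.010, "10.0.1.6", 51020, "10.0.2.9", 8080, "SYN"),
    (0.011, "10.0.1.5", 51000, "10.0.2.9", 8080, "PSH,ACK"),
    (0.012, "10.0.2.9", 8080, "10.0.1.6", 51020, "SYN,ACK"),
    (0.020, "10.0.1.5", 51000, "10.0.2.9", 443, "SYN"),
]


def stream_key(src, sport, dst, dport):
    """Direction-independent conversation key: both directions of one TCP
    session map to the same key, which is why Follow shows replies too."""
    return tuple(sorted(((src, sport), (dst, dport))))


def assign_streams(packets):
    """Return one tcp.stream index per packet, numbered in order of first
    appearance, matching Wireshark's numbering."""
    streams = OrderedDict()
    indices = []
    for _, src, sport, dst, dport, _ in packets:
        key = stream_key(src, sport, dst, dport)
        if key not in streams:
            streams[key] = len(streams)
        indices.append(streams[key])
    return indices


def follow_stream(packets, n):
    """Equivalent of applying the display filter "tcp.stream eq n"."""
    return [p for p, i in zip(packets, assign_streams(packets)) if i == n]


def follow_filter_for(packets, frame_number):
    """Given the frame selected in the packet list, return the filter that
    Analyze > Follow > TCP Stream would put in the filter bar."""
    return f"tcp.stream eq {assign_streams(packets)[frame_number - 1]}"


if __name__ == "__main__":
    for frame, (t, src, sport, dst, dport, flags) in enumerate(PACKETS, start=1):
        print(f"{frame:>2} {t:.3f} {src}:{sport} -> {dst}:{dport} [{flags}] "
              f"tcp.stream={assign_streams(PACKETS)[frame - 1]}")
    print("Selecting frame 5 applies:", follow_filter_for(PACKETS, 5))
    for p in follow_stream(PACKETS, 0):
        print("  ", p)
```

Note that the same client (10.0.1.5) talking to the same server on a different port (443) is a separate stream, so a filter on ip.addr alone would still mix sessions; tcp.stream is the narrowest view.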