
RSA NetWitness Query Syntax Compared to Wireshark Display Filters

Blog Post created by Eric Partington Employee on Aug 23, 2018

Wireshark has been around for a long time and the display filters that exist are good reference points to learn about network (packet) traffic as well as how to navigate around various parts of sessions or streams.

 

Below you will find a handy reference which allows you to cross-reference many of the common Wireshark filters with their respective RSA NetWitness queries. 

 

This is where I pulled the Wireshark display filters from: DisplayFilters - The Wireshark Wiki

 

Show only SMTP (port 25) and ICMP traffic:

Wireshark:  tcp.port eq 25 or icmp
NetWitness: service=25 || ip.proto=1,58 -> (icmp or ipv6 icmp)
            tcp.dstport=25 || ip.proto=1,58 -> (icmp or ipv6 icmp)

 

Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

Wireshark:  ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
NetWitness: ip.src=192.168.0.0/16 && ip.dst=192.168.0.0/16
            direction='lateral' (RFC1918 to RFC1918)

 

Filter on Windows -- filter out noise while watching Windows client to DC exchanges:

Wireshark:  smb || nbns || dcerpc || nbss || dns
NetWitness: service=139,137,135,139,53

 

Match HTTP requests where the last characters in the uri are the characters "gl=se":

Wireshark:  http.request.uri matches "gl=se$"
NetWitness: service=80 && query ends 'gl=se'

 

Filter by a protocol (e.g. SIP) and filter out unwanted IPs:

Wireshark:  ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
NetWitness: service=5060 && ip.src!=xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx

 

ip.addr == 10.43.54.65 is equivalent to:

Wireshark:  ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
NetWitness: ip.all=10.43.54.65
            ip.src=10.43.54.65 || ip.dst=10.43.54.65

 

Here's where I pulled some additional filters for mapping: HTTP Packet Capturing to debug Apache

 

View all HTTP traffic:

Wireshark:  http
NetWitness: service=80

 

View all Flash video traffic:

Wireshark:  http.request.uri contains "flv" or http.request.uri contains "swf" or http.content_type contains "flash" or http.content_type contains "video"
NetWitness: service=80 && ( query contains 'flv' || query contains 'swf' || content contains 'flash' || content contains 'video')

 

Show only certain response codes:

Wireshark:  http.response.code == 404
NetWitness: service=80 && error begins 404
            service=80 && result.code ='404'

Wireshark:  http.response.code==200
NetWitness: service=80 && error !exists (200 are not explicitly captured)
            service=80 && result.code !exists (200 are not explicitly captured)

 

Show only certain HTTP methods:

Wireshark:  http.request.method == "POST" || http.request.method == "PUT"
NetWitness: service=80 && action='post','put'

 

Show only file types that begin with "text":

Wireshark:  http.content_type[0:4] == "text"
NetWitness: service=80 && filetype begins 'text'
            service=80 && filename begins 'text'

 

Show only JavaScript:

Wireshark:  http.content_type contains "javascript"
NetWitness: service=80 && content contains 'javascript'

 

Show all HTTP with content-type="image/(gif|jpeg|png|etc)":

Wireshark:  http.content_type[0:5] == "image"
NetWitness: service=80 && content ='image/gif','image/jpeg','image/png','image/etc'

 

Show all HTTP with content-type="image/gif":

Wireshark:  http.content_type == "image/gif"
NetWitness: service=80 && content ='image/gif'
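To make the semantics of the NetWitness side of these tables concrete, here is an added Python example (not NetWitness code and not part of the original post) that models the operators used above (`=` with a comma list acting as OR, `!exists`, `begins`, `ends`, `contains`, `ip.all`, and `direction='lateral'` as RFC1918-to-RFC1918) and runs the page's queries against a handful of constructed session metadata records. The records, their IP addresses and the `SESSIONS`/`QUERIES` names are assumptions made for the example; the meta keys mirror the ones in the tables.

```python
import ipaddress

# Constructed session metadata (not captured traffic). Keys mirror the
# NetWitness meta keys used in the tables above; a missing key stands for
# meta the decoder did not generate for that session (e.g. no result.code
# on a 200 response, as the tables note).
SESSIONS = [
    {"id": 1, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.20", "service": 139},
    {"id": 2, "ip.src": "192.168.1.10", "ip.dst": "10.43.54.65", "service": 80,
     "action": "post", "query": "search?hl=en&gl=se"},
    {"id": 3, "ip.src": "10.43.54.65", "ip.dst": "198.51.100.7", "service": 80,
     "action": "get", "query": "missing.html", "result.code": "404",
     "error": "404 Not Found"},
    {"id": 4, "ip.src": "203.0.113.5", "ip.dst": "192.168.1.20", "service": 25},
    {"id": 5, "ip.src": "192.168.1.10", "ip.dst": "198.51.100.7", "ip.proto": 1},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def in_net(session, key, cidr):
    """key=a.b.c.d/n : address meta matched against a CIDR block."""
    return ipaddress.ip_address(session[key]) in ipaddress.ip_network(cidr)


def equals(session, key, *values):
    """key=v1,v2 : the comma list is an OR over the listed values."""
    return session.get(key) in values


def exists(session, key):
    """key exists / key !exists : whether the meta was generated at all."""
    return key in session


def begins(session, key, prefix):
    v = session.get(key)
    return isinstance(v, str) and v.startswith(prefix)


def ends(session, key, suffix):
    v = session.get(key)
    return isinstance(v, str) and v.endswith(suffix)


def contains(session, key, needle):
    v = session.get(key)
    return isinstance(v, str) and needle in v


def ip_all(session, addr):
    """ip.all=addr : matches either endpoint (ip.src=addr || ip.dst=addr)."""
    return session["ip.src"] == addr or session["ip.dst"] == addr


def lateral(session):
    """direction='lateral' : both endpoints inside RFC1918 space."""
    return is_rfc1918(session["ip.src"]) and is_rfc1918(session["ip.dst"])


# Queries from the tables above, written as predicates over one session.
QUERIES = {
    "service=25 || ip.proto=1,58":
        lambda s: equals(s, "service", 25) or equals(s, "ip.proto", 1, 58),
    "ip.src=192.168.0.0/16 && ip.dst=192.168.0.0/16":
        lambda s: in_net(s, "ip.src", "192.168.0.0/16")
        and in_net(s, "ip.dst", "192.168.0.0/16"),
    "direction='lateral'": lateral,
    "ip.all=10.43.54.65": lambda s: ip_all(s, "10.43.54.65"),
    "service=80 && query ends 'gl=se'":
        lambda s: equals(s, "service", 80) and ends(s, "query", "gl=se"),
    "service=80 && action='post','put'":
        lambda s: equals(s, "service", 80) and equals(s, "action", "post", "put"),
    "service=80 && error begins 404":
        lambda s: equals(s, "service", 80) and begins(s, "error", "404"),
    "service=80 && result.code='404'":
        lambda s: equals(s, "service", 80) and equals(s, "result.code", "404"),
    "service=80 && result.code !exists":
        lambda s: equals(s, "service", 80) and not exists(s, "result.code"),
}


def run(predicate):
    """Return the sorted ids of the sessions a predicate selects."""
    return sorted(s["id"] for s in SESSIONS if predicate(s))


def evaluate_all():
    """Map each query string to the session ids it matches."""
    return {q: run(p) for q, p in QUERIES.items()}


if __name__ == "__main__":
    for query, ids in evaluate_all().items():
        print(f"{query:50} -> {ids}")
```

Two points the run makes visible: `ip.all` and the `ip.src || ip.dst` form select the same sessions, and `direction='lateral'` is wider than the 192.168.0.0/16 pair because it also accepts the 10.0.0.0/8 endpoint, which is exactly the difference between the two NetWitness alternatives listed for the LAN filter.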

 

Hope this is helpful for everyone and as always, Happy Hunting!
