The most widely used and universally available standard for filtering packets is the BPF syntax. What you use will depend on the tools you have available and level of granularity you need. There are several mechanisms available for filtering packet capture files down to something meaningful, including those that are built for that task and other tools that can be adapted for it. You can find the first three parts of this series here:
This isn’t meant to be a complete guide on filtering, but if you’re looking for something like that then be sure to check out my Practical Packet Analysis book or online course where I have an entire section dedicated to filtering.
In part four of this series, I’ll describe some different packet analysis tool filtering capabilities, some of the filters I use when whittling down PCAPs, and some tricks for applying them effectively. By using PCAP analysis tool filtering capabilities you can slowly tune out the things you don’t care about until you’re left with the important stuff, ultimately transforming the PCAP. While not quite as slow and painstaking a whittling, the process of slowly peeling back packets is also reductive. Yes, I know that’s a weird transition, but it’s true. I think about whittling often when I need to use a lot of filters to find the data I want in a packet capture. In either case, the transformation is quite impressive.
It might wind up as a toy for a child or a game call for a hunting trip. A craftsman chooses a lifeless piece of scrap wood and slowly carves slivers off of it until it takes an impressive form. Whittling is a lost art, but it’s a beautiful process.
0 kommentar(er)
