Table of Contents
- Introduction
- Practical examples on building Wireshark filters using ChatGPT
- What to do when the ChatGPT-provided filter errors out?
- Conclusion
Introduction
In our last article we covered how to use ChatGPT to build tcpdump filters for packet capture. In this article we cover how to filter the displayed packets in the Wireshark packet analysis tool using ChatGPT-provided display filters. Keep the distinction in mind when you ask: tcpdump uses the BPF capture-filter syntax, while the expressions below are Wireshark display filters, which use a different syntax built on dissector field names and are applied to packets that have already been captured.
If you happened to have missed our earlier article on how to build tcpdump filters using ChatGPT, please check this link
Practical examples on building Wireshark filters using ChatGPT
Simple Wireshark filter request to ChatGPT
In this example we asked ChatGPT to build a simple Wireshark display filter that shows packets with the IP address 192.168.12.1 as either source or destination.
#Request to ChatGPT
Can you build a Wireshark filter to display packets with ip 192.168.12.1 either as source or destination
#Response from ChatGPT
Certainly! To display packets with the IP address 192.168.12.1 as either the source or destination, you can use the following Wireshark filter:
ip.addr == 192.168.12.1
This filter will show all packets where the source or destination IP address matches 192.168.12.1. You can apply this filter in Wireshark by clicking on the “Filter” field and entering the above expression. After applying the filter, Wireshark will display only the packets that meet the specified criteria.
Filters with both port and IP address
In this example we requested a filter that matches both an IP address and a TCP port.
#Request to ChatGPT
Can you build a Wireshark filter to display packets with ip 192.168.12.1 either as source or destination and also has BGP TCP port 179 either as source or destination
#Response from ChatGPT
To display packets with the IP address 192.168.12.1 as either the source or destination and with BGP TCP port 179 as either the source or destination, you can use the following Wireshark filter:
(ip.addr == 192.168.12.1) and (tcp.port == 179)
This filter combines the IP address filter `(ip.addr == 192.168.12.1)` with the TCP port filter `(tcp.port == 179)`. It will show packets where the source or destination IP address matches 192.168.12.1 and the TCP port matches 179 (BGP’s default port).
You can apply this filter in Wireshark by clicking on the “Filter” field and entering the above expression. After applying the filter, Wireshark will display only the packets that meet both the IP address and TCP port criteria.
Filters with MAC address and port
In this example we requested a filter that matches both a MAC address and a TCP port.
#Request to ChatGPT
Can you build a Wireshark filter to display packets with mac address 00:0a:00:0a:00:0a either as source or destination and also has BGP TCP port 179 either as source or destination
#Response from ChatGPT
To display packets with the MAC address `00:0a:00:0a:00:0a` as either the source or destination, and with BGP TCP port 179 as either the source or destination, you can use the following Wireshark filter:
(eth.src == 00:0a:00:0a:00:0a or eth.dst == 00:0a:00:0a:00:0a) and tcp.port == 179
This filter combines the MAC address filter `(eth.src == 00:0a:00:0a:00:0a or eth.dst == 00:0a:00:0a:00:0a)` with the TCP port filter `tcp.port == 179`. It will show packets where the source or destination MAC address matches `00:0a:00:0a:00:0a` and the TCP port matches 179 (BGP’s default port).
You can apply this filter in Wireshark by clicking on the “Filter” field and entering the above expression. After applying the filter, Wireshark will display only the packets that meet both the MAC address and TCP port criteria.
What to do when the ChatGPT-provided filter errors out?
In this example we asked ChatGPT to build a filter that displays all TCP packets with the SYN, ACK, RST or FIN flag set. Its first response did not work: Wireshark rejected the expression, because tcp.syn, tcp.rst and tcp.fin are not Wireshark field names (the individual flag bits are tcp.flags.syn, tcp.flags.reset and tcp.flags.fin). We told ChatGPT that the filter was not working and asked for another format, and the second filter it produced was accepted by Wireshark and did the job. One caveat on the result: almost every TCP segment after the handshake carries ACK, so a filter that includes the ACK term passes nearly all TCP traffic; drop that term if the goal is to see only connection setup and teardown.
#Request to ChatGPT
Can you build a Wireshark filter to display syn , ack , rst and fin packets only
#Response from ChatGPT which had errors in filter
Certainly! To display SYN, ACK, RST, and FIN packets only, you can use the following Wireshark filter:
tcp.flags & (tcp.syn | tcp.ack | tcp.rst | tcp.fin) != 0
This filter checks for packets where the TCP flags have any of the SYN, ACK, RST, or FIN bits set. It will display only the packets that have at least one of these flags set.
Apply this filter in Wireshark by clicking on the “Filter” field and entering the above expression. After applying the filter, Wireshark will display only the packets with the desired TCP flags (SYN, ACK, RST, or FIN).
#Asking ChatGPT for another option as the one provided earlier didn’t work
this one is not working provide another format
#Response from ChatGPT (this time the filter worked perfectly as per the request)
Apologies for the confusion. Here’s an alternative format for the Wireshark filter to display SYN, ACK, RST, and FIN packets only:
(tcp.flags.syn == 1 or tcp.flags.ack == 1 or tcp.flags.reset == 1 or tcp.flags.fin == 1)
This filter checks each individual TCP flag (SYN, ACK, RST, and FIN) and displays packets that have any of these flags set to 1.
Apply this filter in Wireshark by clicking on the “Filter” field and entering the new expression. After applying the filter, Wireshark will display only the packets with the desired TCP flags (SYN, ACK, RST, or FIN).
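The three working filters above and the rejected TCP-flags attempt can be checked without a capture at hand. The following Python script is an added example, not code from this article or from the Wireshark project: it builds the same expressions from validated inputs, reports field names that Wireshark does not define (the reason the first flags answer was rejected), and evaluates each expression against a few constructed packet records to show that ip.addr, tcp.port and eth.addr match either direction of a packet. KNOWN_FIELDS, the packet records and all helper names are assumptions made for this example; it models only ==, and, or and parentheses, not the full display-filter language.

```python
"""Build, sanity-check and exercise Wireshark display filters.

Added example for this article: not code from the article or from the
Wireshark project, and it does not run Wireshark. It models the rule the
article relies on (ip.addr, tcp.port and eth.addr compare against BOTH
directions of a packet) for just the fields used above, so an expression
can be checked before it goes into the filter bar or tshark's -Y option.
"""
import ipaddress
import re

# Fields modelled here (an assumption, not Wireshark's full list). tcp.ack is
# a real field (the acknowledgment number), not the ACK flag; tcp.syn, tcp.rst
# and tcp.fin do not exist, which is why the first ChatGPT answer was rejected.
KNOWN_FIELDS = {
    "ip.addr", "ip.src", "ip.dst", "tcp.port", "tcp.srcport", "tcp.dstport",
    "eth.addr", "eth.src", "eth.dst", "tcp.flags", "tcp.ack",
    "tcp.flags.syn", "tcp.flags.ack", "tcp.flags.reset", "tcp.flags.fin",
}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
FIELD_RE = re.compile(r"\b[a-z]+(?:\.[a-z_]+)+\b")
TERM_RE = re.compile(r"([a-z][a-z_.]*)\s*(==|!=)\s*([^\s()]+)")

def host_filter(ip, port=None):
    """ip.addr and tcp.port each match either direction, so one term covers both."""
    ipaddress.ip_address(ip)  # ValueError on a malformed address
    expr = f"ip.addr == {ip}"
    return expr if port is None else f"({expr}) and (tcp.port == {int(port)})"

def mac_filter(mac, port=None):
    """Spelled out as eth.src/eth.dst, exactly as the article's answer did."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac}")
    expr = f"(eth.src == {mac} or eth.dst == {mac})"
    return expr if port is None else f"{expr} and tcp.port == {int(port)}"

def flags_filter(*flags):
    """Per-bit flag fields; the names are Wireshark's (reset, not rst)."""
    return "(" + " or ".join(f"tcp.flags.{f} == 1" for f in flags) + ")"

def unknown_fields(expr):
    """Field-like names in expr that are not in KNOWN_FIELDS, sorted."""
    return sorted(set(FIELD_RE.findall(expr)) - KNOWN_FIELDS)

def field_values(pkt, field):
    """Every value a field takes in one packet; combined fields give both ends."""
    pairs = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
             "tcp.port": ("tcp.srcport", "tcp.dstport")}
    return [str(pkt[k]) for k in pairs.get(field, (field,)) if k in pkt]

def evaluate(expr, pkt):
    """Resolve each 'field == value' term against pkt, then combine with and/or."""
    def resolve(m):
        field, op, value = m.groups()
        if field not in KNOWN_FIELDS:
            raise ValueError(f"unknown field {field}")
        if op != "==":
            raise ValueError(f"operator {op!r} not modelled here")
        return str(value in field_values(pkt, field))
    reduced = TERM_RE.sub(resolve, expr)
    # Only True/False, and/or and parentheses may survive; leftovers such as
    # tcp.syn, | or & mean Wireshark would reject the expression as well.
    if not re.fullmatch(r"[\s()]*(?:(?:True|False|and|or)[\s()]*)+", reduced):
        raise ValueError(f"unsupported filter syntax: {reduced}")
    return bool(eval(reduced, {"__builtins__": {}}))  # only whitelisted tokens reach eval

def matching_packets(expr, packets):
    """Indexes of the packets the filter keeps, like Wireshark's packet list."""
    return [i for i, p in enumerate(packets) if evaluate(expr, p)]

def _pkt(smac, dmac, src, dst, sport, dport, **flags):
    p = {"eth.src": smac, "eth.dst": dmac, "ip.src": src, "ip.dst": dst,
         "tcp.srcport": sport, "tcp.dstport": dport}
    p.update({f"tcp.flags.{f}": flags.get(f, 0) for f in ("syn", "ack", "reset", "fin")})
    return p

# Constructed records standing in for a capture (not real traffic): a BGP
# handshake between 192.168.12.1 and .2, an unrelated HTTPS ACK, a reset to .1.
A, B, C = "00:0a:00:0a:00:0a", "00:0b:00:0b:00:0b", "00:0c:00:0c:00:0c"
PACKETS = [
    _pkt(A, B, "192.168.12.1", "192.168.12.2", 40001, 179, syn=1),
    _pkt(B, A, "192.168.12.2", "192.168.12.1", 179, 40001, syn=1, ack=1),
    _pkt(C, B, "192.168.12.5", "192.168.12.9", 50020, 443, ack=1),
    _pkt(C, A, "192.168.12.9", "192.168.12.1", 22, 50021, reset=1, ack=1),
]

if __name__ == "__main__":
    print(unknown_fields("tcp.flags & (tcp.syn | tcp.ack | tcp.rst | tcp.fin) != 0"))
    for e in (host_filter("192.168.12.1"), host_filter("192.168.12.1", 179),
              mac_filter(A, 179), flags_filter("syn", "ack", "reset", "fin"),
              flags_filter("syn", "reset", "fin")):
        print(f"{e:72} -> packets {matching_packets(e, PACKETS)}")
```

Running it prints the undefined field names in the rejected filter and the packet indexes each working filter keeps: the flags filter with the ACK term keeps every sample packet, while dropping that term leaves only the SYN and RST segments. Every expression the builders return is a valid Wireshark display filter and can be pasted into the filter bar or passed to tshark with -Y. The MAC filter could equally be written with the combined field eth.addr, which matches either end of the frame just as ip.addr does for IP addresses.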
Conclusion
In these experiments ChatGPT produced working Wireshark display filters for the address, port and MAC cases on the first try and needed one retry for the TCP-flags filter, where it invented field names that Wireshark does not define. Treat its output as a draft: paste the expression into Wireshark and confirm it is accepted and matches the packets you expect before relying on it.
If you are interested in more articles like this, please check our series of articles on ChatGPT for network engineers at the link below
https://discoveringsystems.com/category/chatgpt-for-network-engineers/