Last active November 27, 2024 19:03
Revisions
netravnen revised this gist
Nov 27, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -4,4 +4,4 @@ | --- | --- | `dns` | (payload only) | `udp.port eq 53 or tcp.port eq 53` | Unencrypted DNS | `udp.port eq 53 or tcp.port eq 53 or ipv6.nxt eq 44 or ip.flags.mf eq 1` | UDP-DNS fragmentation of the response packet
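Review bot: in the edited last row, `ip.flags.mf eq 1` only catches IPv4 fragments that still have More Fragments set, so the final fragment of a large DNS response (MF clear, non-zero offset) is missed; `ip.flags.mf eq 1 or ip.frag_offset gt 0` covers every fragment. The `or` with `ipv6.nxt eq 44` also admits every fragmented packet on the wire, not only DNS ones, which is unavoidable for non-first fragments (they carry no UDP header) but is worth stating in the Comment column so the reader does not expect a DNS-only match.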
netravnen revised this gist
Nov 27, 2024. 1 changed file with 7 additions and 0 deletions.
@@ -0,0 +1,7 @@ ## Display Filters | Filter | Comment | --- | --- | `dns` | (payload only) | `udp.port eq 53 or tcp.port eq 53` | Unencrypted DNS | `udp.port eq 53 or tcp.port eq 53 or ipv6.nxt eq 44 or ip.flags.mf eq 1` | ...
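Review bot: the Comment cell of the third row is a `...` placeholder, so the table never says why `ipv6.nxt eq 44 or ip.flags.mf eq 1` is OR-ed onto the port 53 match; a one-line comment (fragmented DNS responses whose later fragments carry no UDP header and so cannot match a port) would make the intent clear. The first row's `dns` matches wherever the DNS dissector ran, which includes mDNS on UDP 5353 and DNS decoded on non-standard ports, so "(payload only)" reads better as "decoded DNS, any port" in contrast with the port-based `udp.port eq 53 or tcp.port eq 53` row.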
netravnen revised this gist
Nov 27, 2024. 2 changed files with 14 additions and 14 deletions.
@@ -0,0 +1,14 @@ | Name | Filter | --- | --- | Destination | `eth.dst` | Geo Src City | `ip.geoip.src_city or ipv6.geoip.src_city` | Geo Dst City | `ip.geoip.dst_city or ipv6.geoip.dst_city` | VLAN-ID | `vlan.id` | Original Source triggering ICMP Error | `ipv6.dst` | ICMP type | `icmp.type or icmpv6.type` | TCP Stream-ID | `tcp.stream` | UDP Stream-ID | `udp.stream or quic.connection.number` | Hop Limit | `ipv6.hlim or ip.ttl` | DNS Query or Host or SNI | `dns.qry.name or http.host or tls.handshake.extensions_server_name` | Comment | `frame.comment` | HTTP/2 Stream-ID | `http2.streamid`
@@ -1,14 +0,0 @@
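Review bot: `Original Source triggering ICMP Error` maps only to `ipv6.dst`, so the column stays blank for ICMPv4 errors; `ipv6.dst or ip.dst` would match the IPv4/IPv6 pairing the other rows use. On an ICMP error frame both the outer header and the quoted inner header contribute a destination, so the custom column needs its field occurrence set to 1 to show only the outer destination, which is the host whose packet triggered the error. The second file's `@@ -1,14 +0,0 @@` hunk shows no removed lines in this view, so the rename of the old table cannot be checked here.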
netravnen revised this gist
Nov 27, 2024. 1 changed file with 14 additions and 0 deletions.
@@ -0,0 +1,14 @@ | Name | Filter | --- | --- | Destination | eth.dst | Geo Src City | ip.geoip.src_city or ipv6.geoip.src_city | Geo Dst City | ip.geoip.dst_city or ipv6.geoip.dst_city | VLAN-ID | vlan.id | Original Source triggering ICMP Error | ipv6.dst | ICMP type | icmp.type or icmpv6.type | TCP Stream-ID | tcp.stream | UDP Stream-ID | udp.stream or quic.connection.number | Hop Limit | ipv6.hlim or ip.ttl | DNS Query or Host or SNI | dns.qry.name or http.host or tls.handshake.extensions_server_name | Comment | frame.comment | HTTP/2 Stream-ID | http2.streamid
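Review bot: the filter cells are not wrapped in code spans, so `ip.geoip.src_city or ipv6.geoip.src_city` and the other expressions render as plain prose inside the markdown table; backticks around each filter keep the underscores intact and make the cells copy-pasteable into Wireshark. The `DNS Query or Host or SNI` column is populated only on the frames that carry the field (the DNS message, the HTTP request, the TLS ClientHello) and is empty on the rest of the stream, so it is best paired with the `tcp.stream` column to find the packet that named the connection.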
netravnen revised this gist
Nov 27, 2024. 1 changed file with 1 addition and 1 deletion.
@@ -19,7 +19,7 @@ # ### ENABLED BY DEFAULT ### # # Copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de) # @DNS [email protected] > 0.03@[65535,43690,0][0,0,0] @DNS very [email protected] > 1@[65535,21845,0][0,0,0]
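Review bot: the two DNS rules compare their field against bare `0.03` and `1` with no unit anywhere in the comment block above them; a short note giving the unit (seconds, if this is a response-time field, so 30 ms and 1 s) stops the next editor from reading `1` as a count. The rewritten header line keeps the source link and attribution but drops the date the rules were added, which the original `# Added 2024-11-27, copied from ...` line carried; that provenance is cheap to keep next to the link.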
netravnen created this gist
Nov 27, 2024.
@@ -0,0 +1,119 @@ # This file was created by Wireshark. Edit with care. # ### ENABLED BY DEFAULT ### # # These ColoringRules will mark all TCP Retransmissions (and other interesting TCP # events) with an easy to spot red background color. This makes it very easy to # spot where PacketLoss occurs for TCP based protocols and can be used to quickly # find performance issues related to PacketLoss. # # This filter requires that the preference for Analyzing TCP Sequence numbers has # been enabled, or else the filter will not work. Make sure that the preference # setting for this feature has been enabled: # # Copied from https://wiki.wireshark.org/TCP_Retransmissions_ColorFilter # @TCP [email protected]@[65534,13425,11528][0,0,0] # ########################################### # ### ENABLED BY DEFAULT ### # # Added 2024-11-27, copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de) # @DNS [email protected] > 0.03@[65535,43690,0][0,0,0] @DNS very [email protected] > 1@[65535,21845,0][0,0,0] @DNS dynamic [email protected] eq 5@[65535,43690,65535][0,0,0] @DNS@dns && !(icmp) && !(icmpv6)@[65535,65535,0][0,0,0] @IPv6 MLD [email protected] in {130,131,132,143}@[65535,65535,65535][51143,60652,59881] @ICMPv6 [email protected] eq 135 && ipv6.src eq ::@[43690,65535,0][0,0,0] @ICMPv6 NS/[email protected] in {135,136}@[0,65535,65535][0,0,0] @ICMPv6 RS/[email protected] in {133,134}@[43690,21845,65535][0,0,0] # ########################################### # ### DISABLED BY DEFAULT ### # # This is a link[0] to Wireshark entries on my blog. Included are various coloring # rules updates and font/icon size fixes for MacOSX/Linux. # # This is a general use set of Coloring Rules. I believe the colors are a little # easier to view than some of the other sets here. I have updated these to be # compatable with 0.10.13 as everything was being marked as red before. 
# # [0]: http://blog.tp.org/cgi-bin/mt-search.cgi?blog_id=3&tag=wireshark&limit=20 # # Copied from https://wiki.wireshark.org/Jay's_Coloring_Rules # !@Attn@ tcp.analysis.flags || tcp.checksum_bad || udp.checksum_bad || ip.fragment.error || ip.fragment.overlap.conflict || ip.fragment.overlap@[52428,17476,17476][65535,65535,65535] !@NW Change@(hsrp.state != 8 && hsrp.state !=16) || stp.type == 0x80 || ospf.msg != 1@[34952,34952,34952][65535,65535,0] !@NW [email protected] || cdp || hsrp || vrrp || ospf || bgp || eigrp || rip || gvrp || rtmp || igmp || eth.addr == 01:00:0c:cc:cc:cc@[34952,34952,34952][0,0,0] !@Core Srvcs@arp || ntp || dns || udp.port == 67 || udp.port == 68@[34952,34952,43690][0,0,0] !@[email protected] > 224.0.0.0@[39321,48059,39321][0,0,0] !@ICMP [email protected] range 3 5 || icmp.type eq 11@[56540,52017,56540][65535,0,0] !@ICMP@icmp@[56540,51914,56540][0,0,0] !@[email protected] & 0x04@[61717,47055,24609][0,0,0] !@[email protected] & 0x02@[30583,65535,30583][607,3474,607] !@[email protected] & 0x01@[65535,34952,34952][0,0,0] !@HTTP@http@[43734,43734,56797][0,0,0] !@NetBIOS@netbios || nbns || smb || srvloc || srvsvc || nbss@[36700,36700,61166][0,0,0] !@TCP@tcp@[53739,53739,65535][0,0,0] !@UDP@udp@[60948,60948,65535][0,0,0] # ########################################### # ### DISABLED BY DEFAULT ### # # This is a General use Color Filter. I use it to distinguish some of the most # used protocols on my network and my customers networks. 
# # Copied from https://wiki.wireshark.org/General_use_ColorFilter # !@NTP@ntp && !icmpv6 && !icmp@[65535,21845,65535][0,0,0] !@httptcp@ tcp.srcport == 80 or tcp.dstport == 80@[38385,62683,65534][0,0,0] !@DNS@dns@[19194,65534,32100][0,0,0] !@ARP@arp@[65202,65533,24456][0,0,0] !@icmp@icmp@[65534,8609,6712][0,0,0] !@STP@stp@[65534,65534,65534][8262,42200,9408] !@[email protected] == 139 or tcp.dstport == 139 or tcp.srcport == 138 or tcp.dstport == 138 or tcp.srcport == 137 or tcp.dstport == 137 or udp.srcport == 139 or udp.dstport == 139 or udp.srcport == 138 or udp.dstport == 138 or udp.srcport == 137 or udp.dstport == 137@[7961,5947,65534][64045,65535,62556] !@smtp@ tcp.srcport == 25 or tcp.dstport == 25@[65534,10208,51170][62059,62059,62059] !@pop@ tcp.srcport == 110 or tcp.dstport == 110@[65534,7268,54440][0,0,0] !@nntp@nntp@[49886,47154,63549][992,992,992] !@snmp@snmp@[62556,52730,2142][7636,32644,64045] !@igmp@igmp@[45944,5999,65534][0,0,0] !@telnet@ tcp.srcport == 23 or tcp.dstport == 23@[9274,47661,3862][0,0,0] !@tftp@tftp@[59220,3637,65534][0,0,0] !@ftp@ftp@[62721,6393,65534][0,13490,65038] !@Q931@q931@[14275,65534,25039][0,0,0] !@rsvp@rsvp@[60324,7655,65534][63348,65535,9481] !@CMIP@ udp.srcport == 164 or udp.dstport == 164@[47957,9122,9122][60977,63600,0] !@tcp@tcp@[40555,49091,65534][0,0,0] !@udp@udp@[39040,49264,65534][64542,64542,64542] # ########################################### # ### ENABLED BY DEFAULT ### # # The default # @Bad [email protected] && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695] @HSRP State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092] @Spanning Tree Topology [email protected] == 0x80@[4626,10023,11822][65535,64764,40092] @OSPF State [email protected] != 1@[4626,10023,11822][65535,64764,40092] @ICMP [email protected] in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812] 
@ARP@arp@[64250,61680,55255][4626,10023,11822] @ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822] @TCP [email protected] eq 1@[42148,0,0][65535,64764,40092] @SCTP [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092] @IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395] @IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395] @Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695] @SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822] @HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822] @DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822] @Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822] @TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822] @TCP@tcp@[59367,59110,65535][4626,10023,11822] @UDP@udp@[56026,61166,65535][4626,10023,11822] @Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774] @System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]
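Review bot: the disabled `Attn` rule from Jay's set uses `tcp.checksum_bad || udp.checksum_bad`, field names that were replaced by `tcp.checksum.status` and `udp.checksum.status` in Wireshark 2.x; the default `Checksum Errors` rule further down already writes `tcp.checksum.status=="Bad"`, so the old rule should be rewritten the same way, otherwise the expression does not compile in current releases and the rule cannot be enabled as written. The TCP retransmission header comment ends with "Make sure that the preference setting for this feature has been enabled:" and nothing follows the colon; name the preference (Protocols > TCP > "Analyze TCP sequence numbers"). Jay's `Multicast` rule `ip.dst > 224.0.0.0` also matches 240.0.0.0/4 and 255.255.255.255; `ip.dst == 224.0.0.0/4`, the form the default `IPv4 TTL low or unexpected` rule already uses, is the precise one. `compatable` in the same comment block is a typo for `compatible`.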