Packet Analysis

Overview


The default view for looking at packet details is called the Decode Window.

The decode window is a deconstructed view of the capture file. By default, the first packet in the capture file is highlighted in the top frame. To load other packets within the capture file, click their corresponding row. The vertical scroll bar can be used to scroll through the entire list of packets. Note that CloudShark will load 400,000 packets at a time. Use a display filter or the navigation slider described below to load other packets from the capture file.

The middle frame shows a collapsed view of the various layers of the currently selected packet. The hardware layers are listed first, and then the Data Link and Networking layers, and finally the protocol itself. The bottom frame shows the hexadecimal contents of the packet.

When a layer in the middle pane is selected, the bytes that make up that layer are highlighted in the bottom pane. Individual fields within the layer can then be selected, which narrows the highlighted bytes in the bottom pane to just that field.

Directly Linking to Capture Files

Capture files can be linked to directly using their CloudShark URL. The URL can be obtained from the address bar in the browser, or from the Sharing tab in the capture file’s info pop-up.

Capture files will only be visible to other CloudShark users and guests if the proper permissions are enabled. Please see the section on sharing capture files for more information.

Display Filters

CloudShark supports display filters and provides a filter box in the top right corner of the decoder window for this purpose. Display filters can be applied to help identify packets containing specific addresses, ports, protocols, applications, etc. in the capture file.

For example, the following filter displays only ARP and ICMP packets:

arp and icmp

To limit the display to only packets 100 through 499, enter:

frame.number>=100 and frame.number<500

CloudShark supports exactly the same display filter syntax as Wireshark. See this page for more information on display filter formats and examples.

Display filters can also be appended to the capture file URL as query strings. This allows capture files to be shared with a display filter automatically applied. For example, to display only FTP packets within a capture file, simply append the string ?filter=ftp to the URL.

When building such URLs, be sure to percent-encode the filter value (for example with the encodeURIComponent() JavaScript function), since filters routinely contain spaces, quotes and comparison operators that are not valid as-is in a query string.
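The following is an added example (not CloudShark's own code) showing how to build a capture URL with a display filter query string the way the paragraph above describes, and how to read the filter back out of such a URL. The capture URL used as input is a constructed placeholder, not a real CloudShark link.

```javascript
// Added example, not part of CloudShark. Appends a display filter to a
// capture URL as the "filter" query parameter, percent-encoding it with
// encodeURIComponent() as the documentation recommends.
function buildFilteredCaptureUrl(captureUrl, displayFilter) {
  // Use "&" if the URL already carries a query string, otherwise "?".
  const separator = captureUrl.includes("?") ? "&" : "?";
  return captureUrl + separator + "filter=" + encodeURIComponent(displayFilter);
}

// Reverse direction: recover the decoded filter from a shared URL.
// Returns null when the URL carries no filter parameter.
function readFilterFromUrl(url) {
  return new URL(url).searchParams.get("filter");
}

// Constructed placeholder capture URL (not a real CloudShark capture).
const SAMPLE_CAPTURE_URL = "https://cloudshark.example.invalid/captures/abc123";

// Walk through the filters used on this page.
for (const filter of [
  "ftp",
  "frame.number>=100 and frame.number<500",
  'frame contains "Bob Smith"',
]) {
  const shared = buildFilteredCaptureUrl(SAMPLE_CAPTURE_URL, filter);
  console.log(shared, "->", readFilterFromUrl(shared));
}
```

Quotes, spaces and the `>=` / `<` operators come out as `%22`, `%20`, `%3E%3D` and `%3C`, so the filter survives being pasted into chat, e-mail or a ticket without being mangled by the transport.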

String and Hex Search Using Display Filters

CloudShark’s decoder window supports all standard Wireshark display filters. There are many different filters that can be used to search for packets containing certain IP addresses, source or destination ports, protocols, etc.

One particularly useful filter that can be used to find packets containing arbitrary strings or hex data is the frame contains filter.

For example, to find all packets containing the ASCII string "google", apply the following display filter (search strings are case sensitive):

frame contains "google"

Note that DNS packets do not carry domain names with literal dots ("."); other separators appear in their place on the wire. To ensure that DNS packets appear when searching for a domain name, use the filter frame contains "google" rather than frame contains "google.com".

To search for a byte sequence, write it as colon-separated hex without the double quotes:

frame contains b0:75:0c

There are other variations of the frame contains filter that can be used to narrow the search down even more to specific parts of each frame:

eth contains b0:75:0c
tcp contains "Bob Smith"

Multiple display filters can be concatenated using logical operators. This is helpful when searching for packets of a specific protocol type containing certain strings. For example, to search only http or dns packets containing a text string, apply display filters like this:

http and frame contains "Bob Smith"

For more advanced search strings, the filter frame matches [regexp] can also be used with any regular expression.
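To make the behaviour of the string and hex searches above concrete, here is an added example (not CloudShark's or Wireshark's code) that models the whole-frame form of the `frame contains` filter as a plain byte search over a packet. The packet bytes are constructed for the demonstration and are deliberately trimmed (a few link-layer address bytes followed by a DNS question section, not a complete Ethernet/IP/UDP frame); the function and variable names are this example's own.

```javascript
// Added example, not part of CloudShark or Wireshark. Models `frame contains X`
// as a case-sensitive, byte-for-byte substring search, for both operand
// forms shown on this page: a double-quoted ASCII string and colon-separated
// hex bytes such as b0:75:0c.

// Turn the operand text into the byte sequence to look for.
function parseContainsOperand(text) {
  const s = text.trim();
  if (s.length >= 2 && s.startsWith('"') && s.endsWith('"')) {
    // Quoted string: each character becomes its ASCII byte, case preserved.
    return Uint8Array.from(s.slice(1, -1), (ch) => ch.charCodeAt(0));
  }
  if (/^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*$/.test(s)) {
    // Hex form: one byte per colon-separated pair.
    return Uint8Array.from(s.split(":"), (h) => parseInt(h, 16));
  }
  throw new Error(`unsupported contains operand: ${text}`);
}

// True when the needle occurs anywhere in the raw frame bytes. Nothing is
// decoded or dissected: the match is purely on the bytes as captured.
function frameContains(frame, operandText) {
  const needle = parseContainsOperand(operandText);
  if (needle.length === 0) return true;
  for (let i = 0; i + needle.length <= frame.length; i++) {
    let j = 0;
    while (j < needle.length && frame[i + j] === needle[j]) j++;
    if (j === needle.length) return true;
  }
  return false;
}

// Encode a DNS name as it appears on the wire: each label is preceded by a
// length byte and the name ends with a zero byte. No literal "." is present,
// which is why `frame contains "google.com"` misses DNS queries.
function encodeDnsName(name) {
  const out = [];
  for (const label of name.split(".")) {
    out.push(label.length);
    for (const ch of label) out.push(ch.charCodeAt(0));
  }
  out.push(0);
  return Uint8Array.from(out);
}

// Constructed sample frame: six bytes standing in for a destination MAC
// (starting with the b0:75:0c prefix searched for on this page), then a DNS
// question for google.com with QTYPE=A (1) and QCLASS=IN (1).
function sampleDnsQueryFrame() {
  const macPrefix = [0xb0, 0x75, 0x0c, 0x11, 0x22, 0x33];
  const qname = Array.from(encodeDnsName("google.com"));
  const qtypeQclass = [0x00, 0x01, 0x00, 0x01];
  return Uint8Array.from([...macPrefix, ...qname, ...qtypeQclass]);
}

// Run the filters from this page against the sample frame.
const frame = sampleDnsQueryFrame();
for (const operand of ['"google"', '"google.com"', '"Google"', "b0:75:0c"]) {
  console.log(`frame contains ${operand} ->`, frameContains(frame, operand));
}
```

Running it shows `"google"` and `b0:75:0c` matching while `"google.com"` does not (the dot is replaced by the length byte 0x03 on the wire) and `"Google"` does not (the search is case sensitive). The layer-scoped variants such as `eth contains` or `tcp contains` work the same way but restrict the search to the bytes of that one layer, which this whole-frame model does not attempt to dissect.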

Navigation slider

CloudShark includes a navigation tool in the header that displays a basic graph of the captured network traffic in packets per second. This tool allows the user to zoom in on specific parts of the capture file by dragging the sliders left and right across the graph.

With this tool a user can focus on specific points of interest in the file, such as points where there is a spike or dip in traffic. Note that this feature can also be used in conjunction with the display filter feature to drill down and quickly identify specific packets occurring within a certain portion of the capture file.

Analysis Tools

CloudShark’s decoder window includes a number of useful analysis tools, which can be accessed by clicking the Analysis Tools button in the top right corner of the toolbar.

See the section on Packet Analysis Features for more information on each tool and on how to use the graphs to analyze and visualize capture files.