
Wireshark-users: Re: [Wireshark-users] Need filters

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 22 Jun 2010 23:23:34 +0200
On 06/22/2010 10:52 PM, David H. Lipman wrote:
> From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
>
> | Hi,
>
> | You need a display filter?
> | Just point and click; point to the packet with the protocol you don't want,
> | right-click and add to filter.
>
> | Thanks,
> | Jaap
>
> I'm kind of in the middle but here goes...
> { I say I am in the middle because it is not my website. }
>
> This is a web site that accepts malicious samples.  The site sandboxes and executes the malicious
> samples and then sends a PCAP file of communication and an HTML file of activity.
>
> The PCAP is full of Microsoft "noise" that doesn't have to do with the malware analysis.
> The objective is to filter out the noise and generate a PCAP without said noise.  That
> filtered PCAP and the HTML report are subsequently zipped and emailed to the malicious file
> submitter.


Ah ok, you need a capture filter then? I assume you capture using libpcap.
A quick web search shows the following:

Microsoft Protocols
TCP PORT 139		tcp port 139
UDP PORT 137		udp port 137
UDP PORT 138		udp port 138
UDP PORT 445		udp port 445
SMB 			dst port 139 && tcp[13:1] & 18 = 2

which would result in
not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)

But if you're interested in the HTTP protocol only, why not filter on that?
That would be: tcp port 80

Hope it helps.
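The thread's scenario is a PCAP that already exists (produced by the sandbox), so the filter has to be applied offline rather than at capture time. The following is an added example, not code from the thread or from the Wireshark project: a small pure-Python reader for the classic pcap format that drops every frame matching the port list given in the reply, with the same "either direction" semantics as libpcap's `tcp port N` / `udp port N`, and writes the survivors back out. The sample capture is constructed inline (six hand-built Ethernet/IPv4 frames, no checksums) so it runs with no input file. Note that the list in the reply names UDP 445; SMB direct hosting runs over TCP 445, so the example deliberately keeps such a frame to make that visible, and the port set is a parameter so it can be extended.

```python
"""Offline equivalent of the capture filter from the thread:
    not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)
applied to an existing classic-format pcap (Ethernet link type).
Added example; assumes IPv4 only, no VLAN tags, no IP fragments."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# (protocol, port) pairs taken from the reply above.  SMB over TCP 445 is NOT in it.
NOISE_PORTS = {(PROTO_TCP, 139), (PROTO_UDP, 137), (PROTO_UDP, 138), (PROTO_UDP, 445)}


def ip_ports(frame):
    """Return (proto, src_port, dst_port) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    l4 = 14 + ihl
    if len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return proto, sport, dport


def is_noise(frame, noise=NOISE_PORTS):
    """libpcap 'tcp port N' matches either source or destination port."""
    parsed = ip_ports(frame)
    if parsed is None:
        return False
    proto, sport, dport = parsed
    return (proto, sport) in noise or (proto, dport) in noise


def iter_pcap(data):
    """Yield (record_header_bytes, frame_bytes) from classic pcap bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:              # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24                               # past the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def filter_pcap(data, noise=NOISE_PORTS):
    """Return (new_pcap_bytes, kept_count) with noise frames removed."""
    out = bytearray(data[:24])             # global header is copied unchanged
    kept = 0
    for rec_hdr, frame in iter_pcap(data):
        if not is_noise(frame, noise):
            out += rec_hdr + frame
            kept += 1
    return bytes(out), kept


# ---- constructed sample input (hypothetical addresses, checksums left zero) ----
def _frame(proto, sport, dport, payload=b""):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:   # 20-byte TCP header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return eth + ip + l4


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1277243014 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


SAMPLE_PCAP = _pcap([
    _frame(PROTO_TCP, 49152, 80, b"GET / HTTP/1.1\r\n"),  # HTTP: keep
    _frame(PROTO_UDP, 137, 137),                          # NetBIOS name service: drop
    _frame(PROTO_UDP, 138, 138),                          # NetBIOS datagram: drop
    _frame(PROTO_TCP, 49153, 139),                        # NetBIOS session: drop
    _frame(PROTO_UDP, 53, 49154),                         # DNS reply: keep
    _frame(PROTO_TCP, 49155, 445),                        # SMB over TCP 445: not in list, kept
])

if __name__ == "__main__":
    filtered, kept = filter_pcap(SAMPLE_PCAP)
    print(f"kept {kept} of {sum(1 for _ in iter_pcap(SAMPLE_PCAP))} frames")
    with open("filtered.pcap", "wb") as fh:
        fh.write(filtered)
```

Where tcpdump is installed the same job is a one-liner, `tcpdump -r in.pcap -w out.pcap 'not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)'`, since `-r` reads an existing file and the BPF expression is applied to it exactly as it would be at capture time; the Python version is for the case where the filtering has to happen inside the web application itself.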