We all know that Wireshark filters can be used to help you in your analysis and narrow down what you are looking for. But with CloudShark they present a new opportunity when sharing your captures with colleagues, whether to present the exact view you are looking at or to help navigate to the section of the capture you want them to see. Here are three tricks we use when getting around town in CloudShark.
Filter based on capture content
If you know there’s something in the capture you’re looking for immediately, and you want others to see what you’re thinking, you can use the filter ‘frame contains’ to search for a literal string that exists in the capture. Here’s a capture of one of us browsing www.cloudshark.org. We know that’s what we’re looking for, so we use the filter ‘frame contains cloudshark’, which returns only those packets that contain the word ‘cloudshark’ in their payloads. Take a look at the capture here:
Notice that the URL includes the filter expression (formatted as a URL). This means whomever you share that link with will see what you see.
Filter based on capture number using a range
Sometimes CloudShark is loading a lot of packets, and you want to start somewhere deep in the list. Some of our users get around this by filtering on a range of packet numbers. In our example capture, we decided we want to find someone downloading a particular png that we noticed with the filter above, but we want to include a range of packets around it to see what else was going on. Rather than scrolling through the entire set of packets, we can narrow the view to a range with ‘frame.number >= 3010 && frame.number <= 3200’.
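To show what the two filters above actually match, and how a filter expression ends up inside a shareable URL, here is an added Python example (not CloudShark’s own code). It builds a small constructed libpcap capture in memory, applies ‘frame contains’ and a ‘frame.number’ range to it the way Wireshark evaluates them, and attaches the filter to a capture URL; the capture URL and the ‘filter’ query parameter name are assumptions, since the post does not spell out CloudShark’s URL scheme.

```python
import struct
from urllib.parse import urlencode

# Constructed sample capture in libpcap format (not a real CloudShark capture):
# a 24-byte global header, then one 16-byte record header per frame. Frame
# numbers are 1-based, as in Wireshark's frame.number field.
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_record(payload: bytes) -> bytes:
    # record header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", 0, 0, len(payload), len(payload)) + payload

ETH_STUB = b"\x00" * 14  # placeholder Ethernet header in front of each constructed payload
SAMPLE_PCAP = PCAP_GLOBAL + b"".join(pcap_record(ETH_STUB + p) for p in (
    b"unrelated traffic",
    b"GET / HTTP/1.1\r\nHost: www.cloudshark.org\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: www.cloudshark.org\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG",
))

def read_frames(data: bytes):
    """Return [(frame_number, raw_frame_bytes), ...] from a libpcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    frames, offset, number = [], 24, 1
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frames.append((number, data[offset + 16:offset + 16 + incl_len]))
        offset, number = offset + 16 + incl_len, number + 1
    return frames

def frame_contains(frames, needle: bytes):
    """'frame contains <needle>': a case-sensitive byte search over the whole frame."""
    return [n for n, raw in frames if needle in raw]

def frame_number_range(frames, low: int, high: int):
    """'frame.number >= low && frame.number <= high'."""
    return [n for n, _ in frames if low <= n <= high]

def share_url(capture_url: str, display_filter: str) -> str:
    """Attach the display filter as a query string so a colleague opens the same view.
    Assumption: the parameter is named 'filter'; the post does not give CloudShark's exact scheme."""
    return capture_url + "?" + urlencode({"filter": display_filter})

if __name__ == "__main__":
    frames = read_frames(SAMPLE_PCAP)
    print(frame_contains(frames, b"cloudshark"))   # frames 2 and 3 carry the Host header
    print(frame_number_range(frames, 2, 3))
    print(share_url("https://www.cloudshark.org/captures/PLACEHOLDER-ID", "frame contains cloudshark"))
```

Note that ‘contains’ is case-sensitive, so a search for ‘CloudShark’ finds nothing in this sample; use ‘matches’ when you need a case-insensitive search.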
Using links embedded in annotations
You’ve used an annotation to point something out, but did you know you can embed links in them too? Since annotations use markdown syntax, you can use the same notation you use on, say, reddit.com to write them, including links. A link is made by putting an open bracket [ and a close bracket ] around the text you want to be the link, immediately followed by an open parenthesis ( and a close parenthesis ) containing the URL you want to link to. Since every view in CloudShark can be built as a URL, this lets you link to other analysis tool views from within an annotation.
In our example, you probably already saw the annotation we added to the download of that png. As you can see, the annotation includes a link to the HTTP object extraction of the image. Notice the URL there too!
Anyway, it’s neat finding new ways to use filters, particularly when your goal is sharing rather than just poring over the packets yourself. Keep on packet surfing!