Updated Wireshark configuration.

Author: dreibh

src/wireshark/colorfilters

@@ -77,22 +77,24 @@
 @[email protected]_type == 7 || sctp.chunk_type == 8 || sctp.chunk_type == 14@[65535,65535,14392][0,0,0]
 @[email protected]_type == 4 || sctp.chunk_type == 5@[52428,52428,65535][0,0,0]
 @[email protected]_type == 3@[59367,58339,59367][0,0,0]
-@Bad [email protected]@[0,0,0][65535,24415,24415]
-@HSRP State [email protected] != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
-@Spanning Tree Topology [email protected] == 0x80@[0,0,0][65535,63222,0]
-@OSPF State [email protected] != 1@[0,0,0][65535,63222,0]
-@ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 11@[0,0,0][0,65535,3598]
-@ARP@arp@[54998,59624,65535][0,0,0]
-@ICMP@icmp@[49858,49858,65535][0,0,0]
-@TCP [email protected] eq 1@[37008,0,0][65535,63222,32896]
-@Low [email protected] < 5@[37008,0,0][65535,65535,65535]
-@Checksum [email protected]_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad || udp.checksum_bad@[0,0,0][65535,24415,24415]
-@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65535,64250,39321][0,0,0]
-@HTTP@http || tcp.port == 80@[36237,65535,32639][0,0,0]
-@IPX@ipx || stp@[65535,58339,58853][0,0,0]
-@DCERPC@dcerpc@[51143,38807,65535][0,0,0]
-@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || gvrp || igmp || ismp@[65535,62451,54998][0,0,0]
-@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][0,0,0]
-@TCP@tcp@[59367,59110,65535][0,0,0]
-@UDP@udp@[28784,57568,65535][0,0,0]
-@Broadcast@eth[0] & 1@[65535,65535,65535][32896,32896,32896]
+@Bad [email protected] && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
+@HSRP State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
+@Spanning Tree Topology  [email protected] == 0x80@[4626,10023,11822][65535,64764,40092]
+@OSPF State [email protected] != 1@[4626,10023,11822][65535,64764,40092]
+@ICMP [email protected] in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
+@ARP@arp@[64250,61680,55255][4626,10023,11822]
+@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
+@TCP [email protected] eq 1@[42148,0,0][65535,64764,40092]
+@SCTP [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092]
+@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
+@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
+@Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
+@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
+@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
+@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
+@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
+@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
+@TCP@tcp@[59367,59110,65535][4626,10023,11822]
+@UDP@udp@[56026,61166,65535][4626,10023,11822]
+@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
+@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]

src/wireshark/decode_as_entries

@@ -0,0 +1,9 @@
+# "Decode As" entries file for Wireshark 4.7.0.
+#
+# This file is regenerated each time "Decode As" preferences
+# are saved within Wireshark. Making manual changes should be safe,
+# however.
+decode_as_entry: tcp.port,8999,(none),NetPerfMeter
+decode_as_entry: tcp.port,9000,S101,NetPerfMeter
+decode_as_entry: tcp.port,9001,(none),NetPerfMeter
+decode_as_entry: udp.port,9000,(none),NetPerfMeter

src/wireshark/dfilters

@@ -1,16 +1,22 @@
-"Ethernet address 00:00:5e:00:53:00" eth.addr == 00:00:5e:00:53:00
-"Ethernet type 0x0806 (ARP)" eth.type == 0x0806
-"Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff
-"No ARP" not arp
-"IPv4 only" ip
-"IPv4 address 192.0.2.1" ip.addr == 192.0.2.1
-"IPv4 address isn't 192.0.2.1 (don't use != for this!)" !(ip.addr == 192.0.2.1)
-"IPv6 only" ipv6
-"IPv6 address 2001:db8::1" ipv6.addr == 2001:db8::1
-"TCP only" tcp
-"UDP only" udp
-"Non-DNS" !(udp.port == 53 || tcp.port == 53)
-"TCP or UDP port is 80 (HTTP)" tcp.port == 80 || udp.port == 80
-"HTTP" http
-"No ARP and no DNS" not arp and !(udp.port == 53)
-"Non-HTTP and non-SMTP to/from 192.0.2.1" ip.addr == 192.0.2.1 and not tcp.port in {80 25}
+"NetPerfMeter Control Traffic" netperfmeter && (netperfmeter.message_type != 0x04) && (netperfmeter.message_type != 0x05)
+"NetPerfMeter Data Traffic" (netperfmeter.message_type == 0x04) || (netperfmeter.message_type == 0x05)
+"HiPerConTracer Traffic" hipercontracer
+"RSerPool Traffic" asap||enrp
+"RSerPool Traffic via SCTP + SCTP Control, without Monitoring" (sctp&&enrp&&(!((enrp.message_type==0x01)&&(!enrp.message_flags&0x01))))||(sctp&&(asap&&(((asap.message_type!=0x07)&&(asap.message_type!=0x08)&&(asap.message_type!=0x0b))||((asap.message_type==0x07)&&(asap.message_flags&0x01)))))||((!(asap||enrp))&&(sctp.chunk_type != 3)&&(sctp.chunk_type != 4)&&(sctp.chunk_type != 5))
+"RSerPool Traffic via SCTP, without Monitoring" (sctp&&enrp&&(!((enrp.message_type==0x01)&&(!enrp.message_flags&0x01))))||(sctp&&(asap&&(((asap.message_type!=0x07)&&(asap.message_type!=0x08)&&(asap.message_type!=0x0b))||((asap.message_type==0x07)&&(asap.message_flags&0x01)))))
+"RSerPool Traffic via SCTP" sctp&&(asap||enrp)
+"RSerPool Control Channel Traffic" (asap.message_type == 0x0b) || (asap.message_type == 0x0c) || (asap.message_type == 0x0d)
+"RSerPool Pool Element Traffic" (asap.message_type == 0x01) || (asap.message_type == 0x02) || (asap.message_type == 0x03) || (asap.message_type == 0x04)
+"RSerPool Pool User Traffic" (asap.message_type == 0x05) || (asap.message_type == 0x06) || (asap.message_type == 0x09)
+"RSerPool ASAP Traffic via SCTP, without Monitoring" sctp&&(asap&&(((asap.message_type!=0x07)&&(asap.message_type!=0x08)&&(asap.message_type!=0x0b))||((asap.message_type==0x07)&&(asap.message_flags&0x01))))
+"RSerPool ASAP Traffic via SCTP" sctp&&asap
+"RSerPool ENRP Traffic via SCTP, without Monitoring" sctp&&enrp&&(!((enrp.message_type==0x01)&&(!enrp.message_flags&0x01)))
+"RSerPool ENRP Traffic via SCTP" sctp&&enrp
+"RSerPool Home-Registrar Changes" sctp&&(asap&&(asap.message_type==0x07)&&(asap.message_flags&0x01))
+"RSerPool Registrar Takeovers" sctp&&((enrp&&((enrp.message_type==0x07)||(enrp.message_type==0x08)||(enrp.message_type==0x09))) || (asap&&(asap.message_type==0x07)&&(asap.message_flags&0x01)))
+"RSerPool Registrar Synchronizations" sctp&&enrp&&((enrp.message_type==0x02)||(enrp.message_type==0x03)||(enrp.message_type==0x05)||(enrp.message_type==0x06))
+"RSerPool Registrar Failure Handling" sctp&&((enrp&&((enrp.message_type==0x07)||(enrp.message_type==0x08)||(enrp.message_type==0x09)||(enrp.message_type==0x02)||(enrp.message_type==0x03))) || (asap&&(asap.message_type==0x07)&&(asap.message_flags&0x01)))
+"RSerPool Application CalcAppProtocol" calcappprotocol || (asap.message_type == 0x0b) || (asap.message_type == 0x0c)
+"RSerPool Application FractalGeneratorProtocol" fractalgeneratorprotocol || (asap.message_type == 0x0b) || (asap.message_type == 0x0c)
+"RSerPool Application PingPongProtocol" pingpongprotocol || (asap.message_type == 0x0b) || (asap.message_type == 0x0c)
+"RSerPool Application ScriptingServiceProtocol" ssp || (asap.message_type == 0x0b) || (asap.message_type == 0x0c)