Wireshark Filtering Syntax Summary




Application identification work frequently involves analyzing the traffic that an application generates.



The workflow is to capture packets with Wireshark, extract features, filter down to the session of interest, and locate the key stream. This note summarizes the basic Wireshark filtering syntax for future reference (memory alone is not reliable).



Wireshark filtering can be divided into protocol filtering and content filtering according to the filtering syntax.



For standard protocols, both coarse-grained filtering, such as "http", and fine-grained filtering on protocol field values, such as tcp.port == 53 or http.request.method == "GET", are supported.



Content filtering supports both deep string matching, such as http contains "Server", and matching of values at specific byte offsets, such as tcp[20:3] == 47:45:54.



Wireshark has two types of filters:



Capture filter: determines which packets are recorded in the capture.
Display filter: used for detailed searching within the captured packets.






The capture filter only supports protocol filtering, and the display filter supports both protocol filtering and content filtering.



The two filters use different syntaxes.


Capture filter: protocol-based filtering applied before packets are captured


Syntax: protocol direction host(s) value logical-operation other-expression



Example: tcp dst 10.1.1.1 and tcp dst 10.2.2.2 3128



Example:



(host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8



This captures all packets whose host IP is 10.4.1.12 or whose source IP is in the network 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination IP is in the network 10.0.0.0/8.



The fields in detail:



Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are captured by default.
NOTE: The supported protocols are listed in Wireshark under Help > Manual Pages > Wireshark Filter.




Direction:
Possible values: src, dst, src and dst, src or dst.
If no direction is specified, the default is "src or dst".
"host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".



Host(s):
Possible values: net, port, host, portrange.
The "host" keyword is used by default, so "src 10.1.1.1" is equivalent to "src host 10.1.1.1".



Logical operations:
Possible values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and are evaluated from left to right.
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is not equivalent to "not (tcp port 3128 and tcp port 23)".


Display filter: filtering captured packets by protocol or by packet content


1. Protocol filtering Syntax



Syntax: protocol.string1.string2 comparison-operator value logical-operation other-expression



Example: http.request.method == "POST" or icmp.type



string1 and string2 (the field names after the protocol) are optional.



Protocol filtering can match on the protocol name directly or on the values of the protocol's fields.



Filter by protocol:



snmp || dns || icmp
Displays SNMP, DNS or ICMP packets.



Filter by protocol field value:



ip.addr == 10.1.1.1



ip.src != 10.1.2.3 or ip.dst != 10.4.5.6



ip.src == 10.230.0.0/16
Displays packets whose source address is in the 10.230.0.0/16 network.



tcp.port == 25
Displays packets whose source or destination TCP port is 25.



tcp.dstport == 25
Displays packets whose destination TCP port is 25.



http.request.method == "POST"
Displays HTTP packets whose request method is POST.



http.host == "tracker.1ting.com"
Displays HTTP packets whose requested host name is tracker.1ting.com.



tcp.flags.syn == 0x02
Displays packets with the TCP SYN flag set (in current Wireshark versions the flag is a boolean field, so tcp.flags.syn == 1 is the canonical form).



2. Content filtering Syntax



2.1 Depth String match



contains: tests whether a protocol, field or slice contains a value.



Example



tcp contains "HTTP"
Displays TCP packets whose bytes contain the string "HTTP".



http.request.uri contains "online"
Displays HTTP packets whose request URI contains "online".



2.2 Filtering of values at specific offsets



tcp[20:3] == 47:45:54    /* hexadecimal form; a TCP header is usually 20 bytes, so this matches the first three bytes of the payload (47:45:54 is "GET"); if TCP options are present the header is longer and the offset no longer points at the payload */



http.host[0:4] == "Trac"
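As an added illustration (not from the original article), the Python script below builds a constructed IPv4/TCP packet and evaluates the same field, "contains" and tcp[20:3] tests on it; it shows why the 20-byte header assumption behind tcp[20:3] == 47:45:54 breaks as soon as TCP options are present, and how the data offset fixes it.

```python
import ipaddress
import struct

def build_packet(src, dst, sport, dport, flags, options=b"", payload=b""):
    """Constructed IPv4+TCP packet (no Ethernet header, zero checksums)."""
    options += b"\x00" * (-len(options) % 4)      # pad to 4-byte words
    data_off = (20 + len(options)) // 4           # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp

def parse(pkt):
    """Pull out the display-filter fields used in this summary."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    hdr_len = (tcp[12] >> 4) * 4                  # data offset, in bytes
    return {"ip.src": str(ipaddress.IPv4Address(pkt[12:16])),
            "ip.dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": bool(tcp[13] & 0x02),
            "tcp": tcp,                           # header + payload bytes
            "tcp.payload": tcp[hdr_len:]}

def tcp_slice_equals(f, offset, length, hexval):
    """tcp[offset:length] == aa:bb:cc, counted from the TCP header start."""
    return f["tcp"][offset:offset + length] == bytes.fromhex(hexval.replace(":", ""))

def payload_starts_with(f, hexval):
    """The same test anchored at the real payload start (uses the data offset)."""
    return f["tcp.payload"].startswith(bytes.fromhex(hexval.replace(":", "")))

def tcp_contains(f, text):
    """tcp contains "HTTP": substring search over the whole TCP protocol bytes."""
    return text.encode() in f["tcp"]

def ip_src_in(f, cidr):
    """ip.src == 10.230.0.0/16: subnet membership, not literal equality."""
    return ipaddress.ip_address(f["ip.src"]) in ipaddress.ip_network(cidr)

# Constructed samples: the same GET request with and without a 4-byte MSS option
GET = b"GET /online HTTP/1.1\r\nHost: tracker.1ting.com\r\n\r\n"
PLAIN = parse(build_packet("10.230.1.7", "10.4.1.12", 40000, 80, 0x18, payload=GET))
OPTS = parse(build_packet("10.230.1.7", "10.4.1.12", 40000, 80, 0x18,
                          options=b"\x02\x04\x05\xb4", payload=GET))
```

With the MSS option present, tcp[20:3] sees the option bytes rather than "GET", so a detection written that way silently misses the request while the data-offset-aware check still matches.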



Using functions in filters (upper, lower)

upper(string-field): converts a string field to uppercase.
lower(string-field): converts a string field to lowercase.

Example:
upper(http.request.uri) contains "ONLINE"

Wireshark content filters support comparison operators, logical operators and bitwise operations.



If the filter syntax is correct, the background of the expression is green. If it is red, it indicates that the expression is incorrect.




