Wireshark filter usage rules


I learned about Wireshark a while ago and read the introduction to filters in Wireshark's concise tutorial. Beginners in particular do not understand the difference between capture filters and display filters and what each is for. This article is quite well written and answered my questions; after all, reading English is quite difficult for me and I could not understand it clearly. I have reproduced it here, added some material along the way, and am sharing it.

The most common problem with Wireshark is that with the default settings you capture a great deal of irrelevant traffic, which makes it hard to find the part you need.
This is why filters are so important: they let you quickly find the information you need in a large capture.

Filter differences
Capture filters: determine which packets are recorded in the capture. They must be set before capturing starts.
Display filters: search the captured packets for details. They change only what is shown, not what was captured, and can be changed at any time.
Which filter should I use?

The two filters serve different purposes.
The capture filter is the first layer of filtering. It limits the amount of data captured, so that the capture file does not grow too large.
The display filter is the more powerful (and more complex) filter. It lets you quickly and precisely find the records you need within the capture file.

The syntax used by the two filters is completely different.

Capture Filter

Syntax: Protocol Direction Host(s) Value Logical operation Other expression
Example: tcp dst port 3128 and dst host 10.2.2.2

Protocol:
Possible values include: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all protocols consistent with the rest of the expression are assumed (for example, "port 53" matches TCP and UDP).

Direction:
Possible values: src, dst, src and dst, src or dst.
If no source or destination is specified, "src or dst" is assumed.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Host(s):
Possible values: net, port, host, portrange.
If this qualifier is omitted, "host" is assumed.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical operations:
Possible values: not, and, or.
"not" has the highest priority. "and" and "or" have the same priority and are evaluated from left to right (unlike C, where && binds tighter than ||); use parentheses to force a different grouping.
For example,
"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is different from "not (tcp port 3128 and tcp port 23)".

Example:

tcp dst port 3128

Captures only packets whose destination TCP port is 3128.

ip src host 10.1.1.1

Captures only packets whose source IP address is 10.1.1.1.

host 10.1.2.3

Captures only packets whose source or destination IP address is 10.1.2.3.

src portrange 2000-2500

Captures only TCP or UDP packets whose source port is in the range 2000 to 2500.

not icmp

Captures everything except ICMP packets. (ICMP is what the ping tool normally uses.)

src host 10.7.2.12 and not dst net 10.200.0.0/16

Captures packets whose source IP address is 10.7.2.12 and whose destination is not in 10.200.0.0/16.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

Captures packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination is in the network 10.0.0.0/8.

src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0

Both capture packets whose source IP address is in 192.168.0.0/24; the two forms are equivalent.

Note:

To use a protocol keyword as a value, escape it with a backslash "\".
"ether proto \ip" (same as the keyword "ip").
This selects IP as the protocol carried in the Ethernet frame.

"ip proto \icmp" (same as the keyword "icmp").
This selects ICMP, the protocol the ping tool commonly uses, as the protocol carried in the IP packet.

The keywords "multicast" and "broadcast" can follow "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast traffic.
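The precedence rule and the capture-filter examples above can be tried without an interface to sniff on. The Python below is an added example written for this page; it is not Wireshark or libpcap code. It parses a small subset of the capture-filter language (ip/arp/tcp/udp/icmp, optional src/dst, host, net A/len, port, portrange, not/and/or and parentheses) with exactly the pcap precedence and runs it over a handful of constructed packets. The packet dicts, the `match` helper and the protocol-name mapping are assumptions made for the demonstration; `net ... mask ...`, `ether` and the remaining protocol keywords are not implemented.

```python
import ipaddress
import re

# Constructed sample traffic (not a real capture); the list index is the packet number.
PACKETS = [
    {"proto": "tcp",  "src": "10.1.1.5",  "dst": "10.2.2.2",   "srcport": 40000, "dstport": 3128},
    {"proto": "tcp",  "src": "10.1.1.5",  "dst": "10.2.2.3",   "srcport": 40001, "dstport": 23},
    {"proto": "tcp",  "src": "10.7.2.12", "dst": "10.200.1.9", "srcport": 3128,  "dstport": 23},
    {"proto": "udp",  "src": "10.7.2.12", "dst": "10.6.0.53",  "srcport": 2100,  "dstport": 53},
    {"proto": "icmp", "src": "10.7.2.12", "dst": "10.2.2.2"},
    {"proto": "arp",  "src": "10.1.1.5",  "dst": "10.1.1.1"},
]
PROTOS = ("ip", "arp", "tcp", "udp", "icmp")
TYPES = ("host", "net", "port", "portrange")


def proto_pred(name):
    # "ip" covers everything carried over IPv4 in the sample set; others match by name.
    wanted = ("tcp", "udp", "icmp") if name == "ip" else (name,)
    return lambda p: p["proto"] in wanted


def combine(op, left, right):
    if op == "and":
        return lambda p: left(p) and right(p)
    return lambda p: left(p) or right(p)


class Parser:
    """Recursive-descent parser turning a filter string into a predicate: packet dict -> bool."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr.lower())
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        # "and" and "or" share one precedence level and fold left to right,
        # so "a or b and c" means "(a or b) and c" (C would read it as a || (b && c)).
        left = self.term()
        while self.peek() in ("and", "or"):
            op, right = self.take(), self.term()
            left = combine(op, left, right)
        return left

    def term(self):
        # "not" has the highest precedence: it negates only the next term.
        if self.peek() == "not":
            self.take()
            inner = self.term()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in PROTOS:
            proto = proto_pred(tok)
            # "tcp port 23" is one primitive: protocol qualifier plus type qualifier.
            if self.peek() in ("src", "dst") + TYPES:
                qual = self.qualified()
                return lambda p: proto(p) and qual(p)
            return proto
        self.i -= 1
        return self.qualified()

    def qualified(self):
        tok = self.take()
        if tok in ("src", "dst"):
            sides, tok = (tok,), self.take()
        else:
            sides = ("src", "dst")  # no direction given: defaults to "src or dst"
        if tok == "host":
            addr = self.take()
            return lambda p: any(p[s] == addr for s in sides)
        if tok == "net":
            net = ipaddress.ip_network(self.take(), strict=False)
            return lambda p: any(ipaddress.ip_address(p[s]) in net for s in sides)
        if tok == "port":
            port = int(self.take())
            return lambda p: any(p.get(s + "port") == port for s in sides)
        if tok == "portrange":
            lo, hi = (int(x) for x in self.take().split("-"))
            return lambda p: any(lo <= p.get(s + "port", -1) <= hi for s in sides)
        raise ValueError(f"unsupported token {tok!r}")


def match(expr, packets=PACKETS):
    """Indices of the packets the capture filter would keep."""
    parser = Parser(expr)
    pred = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [i for i, p in enumerate(packets) if pred(p)]
```

`match("tcp port 3128 or tcp port 23 and host 10.2.2.2")` keeps only packet 0, while the parenthesised `tcp port 3128 or (tcp port 23 and host 10.2.2.2)` also keeps packet 2, which is the grouping a C programmer would expect from the unparenthesised form. Note also that plain `host 10.1.1.5` keeps the ARP packet, whereas `ip src host 10.1.1.5` does not. Libpcap's own compiler remains the reference: `tcpdump -d 'expr'` prints the compiled BPF program for a real filter without capturing anything.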

Display Filter

Syntax: Protocol.String1.String2 Comparison operator Value Logical operation Other expression
Example: ftp.passive.ip == 10.2.3.4 xor icmp.type

Protocol:

You can use any of the many protocols Wireshark dissects, from layer 2 to layer 7 of the OSI model. Click "Expression..." to see them.
For example: ip, tcp, dns, ssh.

String1, String2 (optional):

Sub-fields of the protocol, such as src in ip.src or syn in tcp.flags.syn.
Click "+" next to the parent protocol and select the field.

Comparison operators:

Six comparison operators are available:

English   C-style   Meaning
eq        ==        equal
ne        !=        not equal
gt        >         greater than
lt        <         less than
ge        >=        greater than or equal
le        <=        less than or equal

Logical operators:

English   C-style   Meaning
and       &&        logical AND
or        ||        logical OR
xor       ^^        logical exclusive OR
not       !         logical NOT

Example:

snmp || dns || icmp

Displays SNMP, DNS or ICMP packets.

ip.addr == 10.1.1.1

Displays packets whose source or destination IP address is 10.1.1.1. To hide a host in either direction, write !(ip.addr == 10.1.1.1): in Wireshark releases before 3.6, ip.addr != 10.1.1.1 matched almost every packet, because it was true as soon as either of the two addresses differed.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6

Displays packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6.
In other words, the displayed packets are:
source IP address: anything except 10.1.2.3; destination IP address: anything
or
source IP address: anything; destination IP address: anything except 10.4.5.6
(only packets from 10.1.2.3 to 10.4.5.6 are hidden).

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6

Displays packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.
In other words, the displayed packets are:
source IP address: anything except 10.1.2.3, and at the same time, destination IP address: anything except 10.4.5.6.

tcp.port == 25 displays packets whose source or destination TCP port is 25.
tcp.dstport == 25 displays packets whose destination TCP port is 25.
tcp.flags displays packets that contain the TCP flags field, i.e. every TCP packet.
tcp.flags.syn == 1 displays packets with the SYN flag set (including SYN/ACK); tcp.flags == 0x002 matches only packets in which SYN is the sole flag set.
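As an added example (not Wireshark code) of the field semantics behind the display-filter examples above: a comparison is true if any occurrence of the field in the packet satisfies it, and ip.addr occurs twice in every IP packet (once as ip.src, once as ip.dst). That is why the OR and AND forms above differ, and why "!=" on ip.addr was a trap before Wireshark 3.6 (the old any-occurrence behaviour now lives in the separate any_ne operator). The code models only the fields used here (ip.src, ip.dst, ip.addr, tcp.flags, tcp.flags.syn) over constructed packets; the FILTERS table, values, select and run are names chosen for this example.

```python
# Constructed packets (not a real capture); tcp.flags is the 12-bit flags field Wireshark shows.
PACKETS = [
    {"ip.src": "10.1.2.3", "ip.dst": "10.4.5.6", "tcp.flags": 0x002},  # SYN
    {"ip.src": "10.4.5.6", "ip.dst": "10.1.2.3", "tcp.flags": 0x012},  # SYN, ACK
    {"ip.src": "10.1.2.3", "ip.dst": "10.9.9.9", "tcp.flags": 0x010},  # ACK
    {"ip.src": "10.8.8.8", "ip.dst": "10.4.5.6", "tcp.flags": 0x018},  # PSH, ACK
    {"ip.src": "10.8.8.8", "ip.dst": "10.9.9.9", "tcp.flags": 0x011},  # FIN, ACK
]


def values(pkt, field):
    """Every occurrence of a field in one packet. ip.addr is present twice
    (once for ip.src, once for ip.dst), which is what makes != surprising."""
    if field == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    if field == "tcp.flags.syn":  # bit 1 of tcp.flags, shown by Wireshark as a boolean
        return [(pkt["tcp.flags"] >> 1) & 1]
    return [pkt[field]]


def eq(pkt, field, value):
    """field == value: true if ANY occurrence equals value."""
    return any(v == value for v in values(pkt, field))


def ne_all(pkt, field, value):
    """field != value as Wireshark 3.6 and later evaluate it: identical to
    !(field == value), so no occurrence may equal the value."""
    return all(v != value for v in values(pkt, field))


def ne_any(pkt, field, value):
    """field != value as Wireshark before 3.6 evaluated it (now any_ne):
    true if ANY occurrence differs, which for ip.addr is almost every packet."""
    return any(v != value for v in values(pkt, field))


def select(pred, packets=PACKETS):
    """Indices of the packets the display filter keeps."""
    return [i for i, p in enumerate(packets) if pred(p)]


# The filters discussed above, as predicates over the constructed packets.
FILTERS = {
    "ip.addr == 10.1.2.3":        lambda p: eq(p, "ip.addr", "10.1.2.3"),
    "!(ip.addr == 10.1.2.3)":     lambda p: not eq(p, "ip.addr", "10.1.2.3"),
    "ip.addr != 10.1.2.3 (3.6+)": lambda p: ne_all(p, "ip.addr", "10.1.2.3"),
    "ip.addr != 10.1.2.3 (old)":  lambda p: ne_any(p, "ip.addr", "10.1.2.3"),
    "ip.src != 10.1.2.3 or ip.dst != 10.4.5.6":
        lambda p: ne_all(p, "ip.src", "10.1.2.3") or ne_all(p, "ip.dst", "10.4.5.6"),
    "ip.src != 10.1.2.3 and ip.dst != 10.4.5.6":
        lambda p: ne_all(p, "ip.src", "10.1.2.3") and ne_all(p, "ip.dst", "10.4.5.6"),
    "tcp.flags.syn == 1":         lambda p: eq(p, "tcp.flags.syn", 1),
    "tcp.flags == 0x002":         lambda p: eq(p, "tcp.flags", 0x002),
}


def run(name):
    """Packet indices kept by the named filter from FILTERS."""
    return select(FILTERS[name])
```

With these five packets, `run("ip.addr != 10.1.2.3 (old)")` keeps all of them, while `run("!(ip.addr == 10.1.2.3)")` and the 3.6+ `!=` keep only packets 3 and 4; writing the negation explicitly with `!( ... )` gives the same answer in every Wireshark version. The two flag checks differ in the same way as in the text: `tcp.flags.syn == 1` keeps the SYN and the SYN/ACK, `tcp.flags == 0x002` keeps only the bare SYN.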

If the filter syntax is correct, the background of the filter box turns green; red means the expression is invalid. Yellow means the expression parses but Wireshark warns that it may not do what you expect.


This article is reproduced from the CSDN blog; if you reproduce it, please cite the source: http://blog.csdn.net/yhwxxx/archive/2010/06/02/5643095.aspx
