Wireshark Grab bag, filter

Source: Internet
Author: User
Tags: snmp

Original post: http://blog.sina.com.cn/s/blog_5d527ff00100dwph.html

1. Capture Filter

To set up a capture filter:
- Choose Capture > Options.
- Fill in the "Capture Filter" field, or click the "Capture Filter" button to give your filter a name and save it, so that you can reuse it in future captures.

In "Filter name", enter a name for the filter; in "Filter string", enter the filter expression. Click OK, and the string is shown in the capture filter field as in figure one.

You can also double-click an entry in the Capture column to modify it.

Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are matched by default.
Direction:
Possible values: src, dst, src and dst, src or dst.
If no direction is specified, "src or dst" is assumed.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".
Host(s):
Possible values: net, port, host, portrange.
If none of these is specified, "host" is assumed.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

Logical Operations:
Possible values: not, and, or.

"not" has the highest precedence. "or" and "and" have equal precedence and are evaluated from left to right.
For example, "not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" differs from "not (tcp port 3128 and tcp port 23)".

Examples:

tcp dst port 3128 shows packets whose destination TCP port is 3128.

ip src host 10.1.1.1 shows packets whose source IP address is 10.1.1.1.

host 10.1.2.3 shows packets whose source or destination IP address is 10.1.2.3.

src portrange 2000-2500 shows TCP or UDP packets whose source port is in the range 2000 to 2500.

not icmp shows all packets except ICMP. (ICMP is what the ping tool normally uses.)

src host 10.7.2.12 and not dst net 10.200.0.0/16

shows packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.

(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

shows packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination is inside the 10.0.0.0/8 network.
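To make the precedence rule and the defaults above concrete, here is a small Python evaluator (an added example, not code from the original article or from Wireshark) that applies them to a few constructed packet records. It covers only the pcap-style primitives used on this page (protocol names, host/net/port/portrange with an optional src/dst); the `select` function and the sample packets are assumptions of the example.

```python
import ipaddress

PACKETS = [  # constructed sample packets (not real captures), keyed by a short id
    dict(id="a", proto="tcp", src="10.7.2.12", srcport=40000, dst="10.200.5.5", dstport=3128),
    dict(id="b", proto="tcp", src="10.7.2.12", srcport=40001, dst="192.0.2.10", dstport=23),
    dict(id="c", proto="tcp", src="10.4.1.12", srcport=2200, dst="10.9.9.9", dstport=443),
    dict(id="d", proto="icmp", src="10.6.3.3", srcport=0, dst="10.1.1.1", dstport=0),
]

def match_primitive(words, pkt):
    """One primitive, e.g. 'src host 10.1.1.1'; defaults are 'src or dst' and 'host'."""
    proto = words.pop(0) if words[0] in ("ip", "tcp", "udp", "icmp") else None
    ok = proto in (None, "ip") or pkt["proto"] == proto   # "ip" covers every IPv4 packet
    if not ok or not words:                               # mismatch, or a bare name like "icmp"
        return ok
    sides = [words.pop(0)] if words[0] in ("src", "dst") else ["src", "dst"]
    kind = words.pop(0) if words[0] in ("host", "net", "port", "portrange") else "host"
    if kind in ("host", "net"):                           # a host is just a /32 network
        net = ipaddress.ip_network(words[0], strict=False)
        return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
    lo, _, hi = words[0].partition("-") if kind == "portrange" else (words[0],) * 3
    return any(int(lo) <= pkt[s + "port"] <= int(hi) for s in sides)

class Filter:
    """'not' binds tightest; 'and' and 'or' share one level and apply left to right."""
    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
    def expr(self, pkt):
        result = self.term(pkt)
        while self.pos < len(self.toks) and self.toks[self.pos] in ("and", "or"):
            op, self.pos = self.toks[self.pos], self.pos + 1
            rhs = self.term(pkt)                 # always parse the right side: no short-circuit
            result = (result and rhs) if op == "and" else (result or rhs)
        return result
    def term(self, pkt):
        tok, self.pos = self.toks[self.pos], self.pos + 1
        if tok == "not":
            return not self.term(pkt)
        if tok == "(":
            value = self.expr(pkt)
            self.pos += 1                        # consume the closing ')'
            return value
        start = self.pos - 1                     # a primitive runs until the next operator or ')'
        while self.pos < len(self.toks) and self.toks[self.pos] not in ("and", "or", ")"):
            self.pos += 1
        return match_primitive(self.toks[start:self.pos], pkt)

def select(expr, packets=PACKETS):
    return [p["id"] for p in packets if Filter(expr).expr(p)]
```

Running the two "3128 / 23" expressions from the text through `select` returns different packet sets, which is the precedence point the article makes.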

Notes:
Use a backslash "\" when a keyword is used as a value:
"ether proto \ip" (equivalent to the keyword "ip") matches IP traffic.
"ip proto \icmp" (equivalent to the keyword "icmp") matches the ICMP traffic used by the ping tool.
The "multicast" and "broadcast" keywords can be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast requests.

2. Display Filter

The data that passes a capture filter is often still very large. A display filter lets you look at it in more detail.

Display filters are more powerful than capture filters, and you do not need to capture again when you want to change the filter conditions.

Syntax: protocol.string1.string2 comparison-operator value logical-operator other-expression
Example: ftp.passive.ip == 10.2.3.4 xor icmp.type

Protocol:
A large number of protocols from layers 2 to 7 of the OSI model can be used. You can see them by clicking the "Expression..." button. For example: ip, tcp, dns, ssh.

The supported protocols can also be found in the locations shown in the figures (not reproduced here).

String1, String2 (optional):
Subfields of the protocol. Click the "+" sign next to the parent protocol, then select one of its child fields.


Comparison operators:
Six comparison operators are available:

English   C-style   Meaning
eq        ==        Equal
ne        !=        Not equal
gt        >         Greater than
lt        <         Less than
ge        >=        Greater than or equal
le        <=        Less than or equal

Logical operators:

English   C-style   Meaning
and       &&        Logical AND
or        ||        Logical OR
xor       ^^        Logical XOR
not       !         Logical NOT

Logical XOR (exclusive or) is well known to programmers. When it is used between two conditions of a filter, a packet is displayed only if exactly one of the two conditions is satisfied. For example, "tcp.dstport == 80 xor tcp.dstport == 1025" displays a packet only if its destination TCP port is 80 or 1025, but not both (a packet has a single destination port, so the two conditions can never hold at the same time, and this example behaves like "or").

Examples:

snmp || dns || icmp shows SNMP, DNS or ICMP packets.

ip.addr == 10.1.1.1 shows packets whose source or destination IP address is 10.1.1.1.

ip.src != 10.1.2.3 or ip.dst != 10.4.5.6 shows packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6.

In other words, the packets shown are: source IP any except 10.1.2.3 with any destination IP, or any source IP with destination IP any except 10.4.5.6.

ip.src != 10.1.2.3 and ip.dst != 10.4.5.6 shows packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.

In other words, the packets shown are: source IP any except 10.1.2.3, and at the same time destination IP any except 10.4.5.6.

tcp.port == 25 shows packets whose source or destination TCP port is 25.

tcp.dstport == 25 shows packets whose destination TCP port is 25.

tcp.flags shows packets that have a TCP flags field.

tcp.flags.syn == 0x02 shows packets with the TCP SYN flag set.

If the filter syntax is correct, the background of the expression field is green. If it is red, the expression is incorrect.

Figure: a correct expression (green background)
Figure: an incorrect expression (red background)

