Wireshark: capturing packets for a specified IP address
A capture filter is set in Capture Options before the capture starts, so only matching packets are captured. This avoids large capture files and a large memory footprint, but the capture then does not fully reproduce the network environment under test.
host 192.168.0.1 // capture all packets received and sent by 192.168.0.1
src host 192.168.0.1 // source address: all packets sent by 192.168.0.1
dst host 192.168.0.1 // destination address: all packets received by 192.168.0.1
src host hostname // filter by host name
ether host 80:05:09:03:e4:35 // filter by MAC address
net 192.168.0 // filter by network: the whole network segment
src net 192.168
dst net 192
Use "not", "and" and "or" to build combined filters for more precise capture
Not: ! or "not" (without the double quotes)
And: && or "and"
Or: || or "or"
Wireshark filter examples for packets sent and received by specified IP addresses:
Capture all TCP port 80 traffic whose destination address is 192.168.0.2 or 192.168.0.3
(tcp port 80) and ((dst host 192.168.0.2) or (dst host 192.168.0.3)) // Capture filter
tcp.port==80 && (ip.dst==192.168.0.2 || ip.dst==192.168.0.3) // Display filter
Capture all ICMP traffic whose destination MAC address is 80:05:09:03:e4:35
(icmp) and (ether dst host 80:05:09:03:e4:35) // Capture filter
icmp && eth.dst==80:05:09:03:e4:35 // Display filter
Capture all TCP traffic whose destination network is 192.168 but whose destination host is not 192.168.0.2
(tcp) and (dst net 192.168) and (not dst host 192.168.0.2) // Capture filter
tcp && ip.dst==192.168.0.0/16 && !(ip.dst==192.168.0.2) // Display filter
Capture traffic between host 192.168.0.1 and host 192.168.0.2 or 192.168.0.3
host 192.168.0.1 and (192.168.0.2 or 192.168.0.3) // Capture filter
ip.addr==192.168.0.1 && (ip.addr==192.168.0.2 || ip.addr==192.168.0.3) // Display filter
Capture traffic between host 192.168.0.1 and every host except 192.168.0.2
host 192.168.0.1 and not 192.168.0.2 // Capture filter
ip.addr==192.168.0.1 && !(ip.addr==192.168.0.2) // Display filter
Capture Telnet packets received or sent by host 192.168.0.1; Telnet uses TCP port 23
tcp port 23 and host 192.168.0.1 // Capture filter
tcp.port==23 && ip.addr==192.168.0.1 // Display filter
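Added example (not from the original page): a small Python interpreter for a subset of the capture-filter syntax used above (host, src host, dst host, tcp port, and/or/not, parentheses), run on constructed packets. It shows why the grouping in the port 80 example matters: in capture filters "and" and "or" have equal precedence and group left to right, so without parentheses around the two destination hosts all traffic to 192.168.0.3 is captured, whatever the port. The function names and sample packets are assumptions of this example.

```python
import re

# Tokens: parentheses, operators, "[src|dst] host", "tcp port", then any other word.
TOKEN = re.compile(r"\(|\)|&&|\|\||!|(?:(?:src|dst)\s+)?host\b|tcp\s+port\b|[^\s()!&|]+")

def eval_expr(toks, pkt):
    # "and" and "or" have equal precedence and group left to right.
    result = eval_term(toks, pkt)
    while toks and toks[0] in ("and", "&&", "or", "||"):
        op, rhs = toks.pop(0), eval_term(toks, pkt)
        result = (result and rhs) if op in ("and", "&&") else (result or rhs)
    return result

def eval_term(toks, pkt):
    words = toks.pop(0).split()
    if words[0] in ("not", "!"):
        return not eval_term(toks, pkt)
    if words[0] == "(":
        result = eval_expr(toks, pkt)
        if toks.pop(0) != ")":
            raise ValueError("expected ')'")
        return result
    if words[-1] == "host":  # "host", "src host" or "dst host"
        ends = {"src": [pkt["src"]], "dst": [pkt["dst"]]}
        return toks.pop(0) in ends.get(words[0], [pkt["src"], pkt["dst"]])
    if words == ["tcp", "port"]:
        port = int(toks.pop(0))
        return pkt["proto"] == "tcp" and port in (pkt["sport"], pkt["dport"])
    raise ValueError(f"unsupported primitive: {' '.join(words)}")

def matches(filter_text, pkt):
    toks = TOKEN.findall(filter_text)
    try:
        result = eval_expr(toks, pkt)
    except IndexError:
        raise ValueError("filter ends unexpectedly") from None
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

# Constructed sample packets (not captured traffic).
PACKETS = {
    "http_to_2": dict(proto="tcp", src="10.0.0.5", sport=50000, dst="192.168.0.2", dport=80),
    "http_to_3": dict(proto="tcp", src="10.0.0.5", sport=50001, dst="192.168.0.3", dport=80),
    "ssh_to_3": dict(proto="tcp", src="10.0.0.5", sport=50002, dst="192.168.0.3", dport=22),
}

def captured(filter_text):
    return [name for name, pkt in PACKETS.items() if matches(filter_text, pkt)]
```

Calling captured() with the grouped filter returns only the two port 80 packets; with the parentheses removed it also returns the port 22 packet to 192.168.0.3.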