1. the capture expression of the capture expression Ethereal is actually a tcpdump expression syntax. The following is a brief introduction: The expression is a regular expression, and tcpdump uses it as a condition for filtering packets, if a packet meets the expression conditions, the packet will be captured. If no conditions are provided, all information packets on the network will be intercepted. In an expression, the following types of keywords are generally used. One is about the type of keywords, including host, net, and port. For example, host 210.27.48.2 indicates that 210.27.48.2 is a host, net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host. the second type is the key words for determining the transmission direction, including SRC, DST, DST or SRC, DST and SRC, which indicate the transmission direction. For example, Src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and DST net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the SRC or DST keyword is used by default. The third type is the protocol keyword, which mainly includes FDDI, IP, ARP, RARP, TCP, UDP, and other types. FDDI indicates a specific network protocol on FDDI (Distributed Optical Fiber Data Interface Network). In fact, it is an alias of "Ether". FDDI and ether have similar source and destination addresses, therefore, the FDDI protocol package can be processed and analyzed as the ether package. The other keywords indicate the Protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols. In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-operation type is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' | '; these keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples. (1) To intercept all packets received and sent by all 210.27.48.1 hosts: # tcpdump host 210.27.48.1 (2) intercept communication between the host 210.27.48.1 and the host 210.27.48.2 or 210.27.48.3, run the command # tcpdump host 210.27.48.1 and (210.27.48.2 or 210.27.48.3) (3) to obtain the IP package for all hosts except 210.27.48.1 and 210.27.48.2, run the command: # tcpdump IP host 210.27.48.1 and! 210.27.48.2 (4) to obtain the Telnet packet received or sent by the host 210.27.48.1, run the following command: # tcpdump TCP port 23 host 210.27.48.12. the display expression Ethereal is completely different from the capture expression. It adopts another syntax. The introduction is as follows: 1) check whether a field or protocol exists and use the Protocol name directly, for example, if you want to filter UDP, you can directly enter UDP in the filter box. 2) Because fields can be compared with values, comparison operators are also widely used,
| EQ |
= |
Equal |
| Ne |
! = |
Not equal |
| GT |
> |
Greater |
| Lt |
< |
Less |
| Ge |
> = |
Greater than or equal |
| Le |
<= |
Less than or equal |
3) Search and matching operators are useful when you need to search for a specified pattern in a large amount of data. The contains protocol. When a field or segment contains a value, the matches protocol or text string is set up to match a given Perl expression. The contains operator allows the filter to search for a series of characters, which can be strings, byte form or byte array form. For example, to search for a given http url in a captured file, you can: HTTP contains "http://www.wireshark.org" for example, to check whether the bitstream contains a specific byte array, can be as follows: RTP. payload contains A0: 0d: 95 matches allows the filter expression to be Perl Compatible. It is only used for protocols and protocol fields that can be expressed in text. 4) The case-sensitive Conversion Function Filter has two functions: upper and lower. The following is an example of upper (NCP. nds_stream_name) contains "macro" lower (mount. dump. hostname) = "angel" 5) protocol field type each protocol field is of the type, which is: unsigned integer signed integer Boolean ethernet address type (6 bytes) byte array IPv4 address IPv6 address IPX network number text string Double Precision Floating Point number. For example, to get a packet with a certain length, you can use the following syntax: frame. pkt_len> 10 frame. pkt_len> 012frame. pkt_len> 0xa is used to find any source route package. sr = 1 is used as a Boolean to determine the ethernet address and byte array in hexadecimal notation. You can use semicolons, commas, or dashes to separate eth. dst eq ff: FF aim. data = 0.1. 0. d FDDI. src = aa-aa echo. data = 7A IPv4 addresses can be expressed in the form of dot or host name. dst eq www.mit.edu IP. src = 192.168.1.16) for a text string or byte array field, you can define a filter expression using the slicing operator. Example: eth. SRC [0: 3] = 00: 00: 83http. the syntax of the content_type [0: 4] = "text" slicing operator is: [I: J] I = start of offset, j = length [I-j] I = start of offset, j = offset ended, including the boundary point. [I] I = offset start, length = 1 [: J] offset start = 0, length = J [I:] offset start = I, offset end = field end 7) type conversion if a field is a text string or byte array, it can be expressed in the most convenient way. For example, the following expression is equivalent to HTTP. request. method = "get" HTTP. request. method = 47.45.548) It is also feasible to operate the field defined by the bit field. You can operate on the integer protocol fields and byte arrays, such as TCP. flags & 0x02 is used to test whether the tcp syn package matches all TCP packets. flags Field Package with 0-2 bits. When used for slicing, the mask must be the same length as the slice 9) logical expressions are used to combine multiple test conditions, such as logical and, logical or and non-logical, the symbols are respectively &, | ,! Below are some examples: TCP. port = 80 and IP. src = 192.168.2.1 not llc http and frame [100-199] contains "Wireshark" (ipx.src.net = 0 xbad & IPX. SRC. node = 0.0.0.0.0.1) | IP
