Wireshark packet capture tool: common filter rules

Source: Internet
Author: User
Tags: snmp, types of filters

The difference between the two filter types

Capture filter: decides which packets are written into the capture. It must be set before the capture starts.
Display filter: searches the captured packets in detail. It can be changed at any time once capture results exist.
So which kind of filter should you use?
The two filter types serve different purposes.
The capture filter is the first stage the traffic passes through; it limits the amount of data captured so that the capture file does not grow too large.
The display filter is the more powerful (and more complex) filter. It lets you locate the records you need in the capture file quickly and precisely.
The two filters use completely different syntax.
Capture filter
Syntax:
protocol direction host(s) value logical-operation other-expression
Example:
tcp dst 10.1.1.1 and tcp dst 10.2.2.2 3128
Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are matched.
Direction:
Possible values: src, dst, src and dst, src or dst
If no source or destination is specified, "src or dst" is assumed.
For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".
Host(s):
Possible values: net, port, host, portrange.
If this value is not specified, the "host" keyword is assumed.
For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".
Logical operations:
Possible values: not, and, or.
Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and are evaluated from left to right.
For example:
"not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is not the same as "not (tcp port 3128 and tcp port 23)".
Examples:
tcp dst port 3128 shows packets whose destination TCP port is 3128.
ip src host 10.1.1.1 shows packets whose source IP address is 10.1.1.1.
host 10.1.2.3 shows packets whose source or destination IP address is 10.1.2.3.
src portrange 2000-2500 shows TCP or UDP packets whose source port is in the range 2000 to 2500.
not icmp shows all packets except ICMP (ICMP is what the ping tool normally uses).
src host 10.7.2.12 and not dst net 10.200.0.0/16 shows packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8 shows packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies in the 10.0.0.0/8 network.
src net 192.168.0.0/24
src net 192.168.0.0 mask 255.255.255.0 both show packets whose source network is 192.168.0.0/24.
Notes:
Use a backslash "\" when a keyword is used as a value.
"ether proto \ip" (same as the keyword "ip").
This matches the IP protocol.
"ip proto \icmp" (same as the keyword "icmp").
This matches ICMP, which the ping tool normally uses.
The "multicast" and "broadcast" keywords can be used after "ip" or "ether".
"not broadcast" is useful when you want to exclude broadcast requests.
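As an added example that is not part of the original article (my own code, not Wireshark's or libpcap's), the following Python script implements the subset of capture-filter syntax described above: the protocol, direction and host(s) qualifiers, the "src or dst" and "host" defaults, and the precedence rules for not/and/or. It evaluates the article's example filters against a few constructed packet records, so you can see that "not tcp port 3128 and tcp port 23" and "not (tcp port 3128 and tcp port 23)" really do select different packets. The packet dicts and the PROTOCOLS/TYPES tables are assumptions of the example, not something the page defines.

```python
import ipaddress
import re

# Added example (not from the page): a small evaluator for the pcap capture-filter
# subset described above, run against constructed packet records.

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "arp"}
DIRECTIONS = {"src", "dst"}
TYPES = {"host", "net", "port", "portrange"}
PRIMITIVE_END = {"and", "or", "not", ")", None}   # tokens that can follow a bare protocol

# Constructed sample packets (not captured traffic): one dict per packet.
PACKETS = [
    {"proto": "tcp", "src": "10.1.1.1", "sport": 40001, "dst": "10.2.2.2", "dport": 3128},
    {"proto": "tcp", "src": "10.7.2.12", "sport": 2300, "dst": "10.200.5.5", "dport": 23},
    {"proto": "udp", "src": "192.168.0.10", "sport": 53, "dst": "10.4.1.12", "dport": 2200},
    {"proto": "icmp", "src": "10.4.1.12", "sport": None, "dst": "10.1.2.3", "dport": None},
    {"proto": "tcp", "src": "10.6.3.3", "sport": 50000, "dst": "10.9.9.9", "dport": 443},
]


def proto_ok(pkt, proto):
    if proto == "ip":                      # 'ip' covers every IPv4-carried protocol here
        return pkt["proto"] in ("tcp", "udp", "icmp")
    return pkt["proto"] == proto


def value_test(kind, value):
    """Return a predicate over one address or port for the given qualifier type."""
    if kind == "host":
        return lambda v: v == value
    if kind == "net":                      # accepts a.b.c.d/n and a.b.c.d/netmask
        net = ipaddress.ip_network(value, strict=False)
        return lambda v: ipaddress.ip_address(v) in net
    if kind == "port":
        return lambda v: v == int(value)
    lo, hi = (int(x) for x in value.split("-"))   # portrange lo-hi
    return lambda v: lo <= v <= hi


class CaptureFilter:
    """Parses a capture filter once; .match(pkt) then evaluates it."""

    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text.lower())
        self.pos = 0
        self.match = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token " + self.toks[self.pos])

    def _peek(self, offset=0):
        i = self.pos + offset
        return self.toks[i] if i < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self):
        # 'and' and 'or' share one precedence level and associate left to right
        left = self._term()
        while self._peek() in ("and", "or"):
            op, right = self._take(), self._term()
            if op == "and":
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def _term(self):
        if self._peek() == "not":          # 'not' binds tightest
            self._take()
            inner = self._term()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()

    def _primitive(self):
        proto = self._take() if self._peek() in PROTOCOLS else None
        direction = "src or dst"           # default when no direction is given
        if self._peek() in DIRECTIONS:
            direction = self._take()
            if self._peek() in ("and", "or") and self._peek(1) in DIRECTIONS:
                direction += " " + self._take() + " " + self._take()
        kind = self._take() if self._peek() in TYPES else None
        if proto and kind is None and self._peek() in PRIMITIVE_END:
            return lambda p: proto_ok(p, proto)    # bare protocol, e.g. 'icmp'
        value = self._take()
        kind = kind or "host"              # 'src 10.1.1.1' means 'src host 10.1.1.1'
        if kind == "net" and self._peek() == "mask":
            self._take()
            value += "/" + self._take()    # 'net X mask M' becomes 'X/M'
        test = value_test(kind, value)
        fields = ("src", "dst") if kind in ("host", "net") else ("sport", "dport")

        def matcher(p):
            if proto and not proto_ok(p, proto):
                return False
            s = p[fields[0]] is not None and test(p[fields[0]])
            d = p[fields[1]] is not None and test(p[fields[1]])
            return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
        return matcher


def matching(expr, packets=PACKETS):
    """Indexes of the sample packets matched by the capture filter expression."""
    flt = CaptureFilter(expr)
    return [i for i, p in enumerate(packets) if flt.match(p)]


if __name__ == "__main__":
    for e in ("not tcp port 3128 and tcp port 23", "not (tcp port 3128 and tcp port 23)"):
        print(e, "->", matching(e))
```

The evaluator only models the qualifiers the article lists; a real capture filter is compiled by libpcap into BPF, so use this to reason about precedence and defaults, not as a substitute for testing the filter in Wireshark or tcpdump.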
Display filter
Protocol:
Any of the many protocols at OSI layers 2 to 7 can be used. They are listed when you click the "Expression..." button.
For example: ip, tcp, dns, ssh
String1, String2 (optional):
Sub-fields of the protocol.
Click the "+" sign next to the relevant parent entry and pick one of its child entries.
Examples:
tcp.dstport == 3128 shows packets whose destination TCP port is 3128.
tcp.srcport == 3128 shows packets whose source TCP port is 3128.
ip.addr == 10.1.1.1 shows packets with address 10.1.1.1 as either source or destination.
ip.src == 10.1.1.1 shows packets whose source address is 10.1.1.1.
ip.src != 10.1.1.1 shows packets whose source address is not 10.1.1.1.
ip.dst == 10.1.1.1 shows packets whose destination address is 10.1.1.1.
!icmp shows all packets except ICMP.
tcp.port <= 1000 && tcp.port >= 200 shows packets with a TCP port number between 200 and 1000.
snmp || icmp || dns shows packets whose protocol is SNMP, ICMP or DNS.
tcp.flags shows packets that contain the TCP flags field.
tcp.flags.syn == 1 shows packets with the TCP SYN flag set.
If the filter syntax is correct, the background of the expression field turns green; red indicates an incorrect expression.
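As an added example, not part of the original article and not Wireshark's own code, the following Python script evaluates the display-filter expressions listed above against constructed packet records. It models the operator precedence (! binds tightest, then &&, then ||), bare protocol names as presence tests, and the multi-occurrence fields ip.addr and tcp.port, which stand for both the source and destination field. That last point matters for the range example: each side of tcp.port <= 1000 && tcp.port >= 200 can be satisfied by a different port of the same packet, so a packet with ports 100 and 5000 is also selected. The packet dicts, the ALIASES table and the "protocols" key are assumptions of the example.

```python
import operator
import re

# Added example (not from the page): a small evaluator for the display-filter
# expressions listed above, run against constructed packet records.

# Constructed sample packets (not captured traffic). Each dict holds the field
# values Wireshark would expose; 'protocols' lists the dissected protocol names.
PACKETS = [
    {"protocols": {"ip", "tcp"}, "ip.src": "10.1.1.1", "ip.dst": "10.2.2.2",
     "tcp.srcport": 40000, "tcp.dstport": 3128, "tcp.flags": 0x02, "tcp.flags.syn": 1},
    {"protocols": {"ip", "tcp"}, "ip.src": "10.2.2.2", "ip.dst": "10.1.1.1",
     "tcp.srcport": 3128, "tcp.dstport": 40000, "tcp.flags": 0x12, "tcp.flags.syn": 0},
    {"protocols": {"ip", "icmp"}, "ip.src": "10.1.2.3", "ip.dst": "10.1.1.1"},
    {"protocols": {"ip", "udp", "dns"}, "ip.src": "10.5.5.5", "ip.dst": "10.6.6.6",
     "udp.srcport": 5353, "udp.dstport": 53},
    {"protocols": {"ip", "udp", "snmp"}, "ip.src": "10.5.5.5", "ip.dst": "10.6.6.6",
     "udp.srcport": 161, "udp.dstport": 161},
    {"protocols": {"ip", "tcp"}, "ip.src": "10.9.9.9", "ip.dst": "10.8.8.8",
     "tcp.srcport": 500, "tcp.dstport": 8080, "tcp.flags": 0x02, "tcp.flags.syn": 1},
    {"protocols": {"ip", "tcp"}, "ip.src": "10.9.9.9", "ip.dst": "10.8.8.8",
     "tcp.srcport": 100, "tcp.dstport": 5000, "tcp.flags": 0x10, "tcp.flags.syn": 0},
]

# Fields that stand for more than one underlying field, as in Wireshark.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
OPS = {"==": operator.eq, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}


def occurrences(pkt, field):
    return [pkt[n] for n in ALIASES.get(field, (field,)) if n in pkt]


def compare(pkt, field, op, literal):
    """A comparison holds if any occurrence of the field satisfies it; '!=' holds
    only when no occurrence is equal (how current Wireshark reads '!=')."""
    occ = occurrences(pkt, field)
    if not occ:                                  # field absent: nothing can match
        return False
    want = int(literal, 0) if isinstance(occ[0], int) else literal
    if op == "!=":
        return all(o != want for o in occ)
    return any(OPS[op](o, want) for o in occ)


class DisplayFilter:
    """Parses '!', '&&', '||', parentheses, bare names and field comparisons."""

    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|&&|\|\||==|!=|<=|>=|<|>|!|[\w.]+", text)
        self.pos = 0
        self.match = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token " + self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or(self):                               # '||' binds loosest
        left = self._and()
        while self._peek() == "||":
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):                              # '&&' binds tighter than '||'
        left = self._unary()
        while self._peek() == "&&":
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._unary())
        return left

    def _unary(self):
        if self._peek() == "!":                  # '!' binds tightest
            self._take()
            inner = self._unary()
            return lambda p: not inner(p)
        if self._peek() == "(":
            self._take()
            inner = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        name = self._take()
        if self._peek() in OPS or self._peek() == "!=":
            op, literal = self._take(), self._take()
            return lambda p: compare(p, name, op, literal)
        # bare name: the protocol is present or the field occurs in the packet
        return lambda p: name in p["protocols"] or bool(occurrences(p, name))


def matching(expr, packets=PACKETS):
    """Indexes of the sample packets selected by the display filter."""
    flt = DisplayFilter(expr)
    return [i for i, p in enumerate(packets) if flt.match(p)]


if __name__ == "__main__":
    # Packet 6 has ports 100 and 5000, yet matches the range filter: each half of
    # the '&&' is satisfied by a different occurrence of tcp.port.
    print(matching("tcp.port<=1000&&tcp.port>=200"))
```

Run the script to see the range-filter result; when you need "a single port inside 200-1000" in real Wireshark, test tcp.srcport and tcp.dstport separately rather than relying on tcp.port.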
