WireShark Filter application Overview

When WireShark is used, the most common operation is to set the filter. of course, you can click Filter Express to select a Filter expression, or enter it in the Express edit box more quickly.
0 × 01 common expression Operators
Give a picture, which is more intuitive.
 

Is present: Yes
= ,! =, <,>, <=, >=: Equal... And so on, = is also replaced by eq
Contains: contains
Matches: Match
And, or, not: & |! Logical language, logical or, non-logical
0 × 02 expressions
The general structure is Protocal. Properties = XXX
You can also use the syntax to determine whether to use the filter script.
0 × 03 general Application Instances
1. IP address filtering example
Capture packets that meet the source address: ip. src = 192.168.0.1
Capture the packet that meets the target address: ip. dst = 192.168.0.1
Capture the packet that meets the source or target address: ip. addr = 192.168.0.1, or ip. src = 192.168.0.1 or ip. dst = 192.168.0.1
2. Port filtering example
Capture a single port: tcp. port = 80
Capture range port: udp. port> = 2048 and upd. port <= 65000
3. Examples of Protocal Filtering
Capture a single protocol: http
Capture multiple protocols: http or telnet
4. Examples of packet length and content filtering
Capture packages of a specific length: http. content_length <= 100
Capture a specific package: http. request. uri matches "blackh4t"
5. Use of advanced Filtering
Each one can be added with logical operators to form an advanced expression.
For example:
(Src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
! (Arp. src = 192.168.1.1) and! (Arp. dst. proto_ipv4 = 192.168.1.243)
When the specific attributes of a specific protocol are unclear, you can view the manual. However, it is generally abbreviated in English, so it is easy to understand.
0 × 04 expression syntax Appendix
It mainly sorts out some common protocol or expression format usage www.2cto.com
[Src | dst] host Ether [src | dst] host <ehost> is a network address in angle brackets. src and dst are used to set the destination address or source address.
Gateway host [Src | dst] net <net> [{mask <mask >}| {len <len >}] <net> indicates a network address, src and dst can be used to indicate whether the network is a data packet of the destination address or source address. If "src/dst" is not displayed, all data packets are returned. You can add a subnet mask or use classless Inter-Domain Routing (CIDR.
[Tcp | udp] [src | dst] port <port> [tcp | udp] indicates the protocol type to be crawled and <port> specifies the port. Note that [tcp | udp] Must be before [src | dst.
Less | greater <length> captures fragmented data packets or data packets of a specified length. Less and greater correspond to small packets and large packages respectively.
Ip | ether proto <protocol> captures packets of the specified protocol <protocol> at the specified ip address or network address (ip | ether) on the data link layer.
Ether | ip broadcast | multicast captures broadcast packets or multicast packets on the specified network address or ip address.
0 × 05 Supplement
The filter script Syntax of Ettercap is almost the same. In addition, common full-featured multi-protocol sniffing tools include OmniPeek and the old Sniffer Pro .. I also pushed a small tool because I didn't find a particularly good syntax for packet capture of a specific process. Generally, I used commands like Netstat to find the PID and port of the corresponding process and then configure the filter, the appsnifer tool solves this problem well and needs it. net support.
If you have not made any mistakes, I hope you can correct them. hv fun
Author: DarkRay's BLoG .!