Wireshark filtering rules

Source: Internet
Author: User

Wireshark filter syntax

Field and protocol names are lowercase and written without spaces (ip.src, tcp.port, not "IP. src"); comparisons use == (or the word form eq) rather than a single =, and conditions are joined with and/or/not (&&, ||, !).
1. Filter by IP address, for example where the source or the destination IP address equals a given address.

Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
Or
ip.addr eq 192.168.1.107 // matches packets where either the source or the destination IP address is 192.168.1.107

2. Filter by port

Example:
tcp.port eq 80 // matches either the source port or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP packets whose destination port is 80
tcp.srcport == 80 // only TCP packets whose source port is 80

udp.port eq 15000

Filter a port range
tcp.port >= 1 and tcp.port <= 80

3. Filter by protocol

Example:
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
And so on

In Wireshark 3.0 and later the SSL and BOOTP dissectors were renamed tls and dhcp; the old ssl.* and bootp.* names are still accepted as aliases.

Exclude ARP packets: !arp or not arp

4. Filter by MAC address

Filter by the Ethernet header:
eth.dst == a0:00:00:04:c5:84 // filter by destination MAC
eth.src eq a0:00:00:04:c5:84 // filter by source MAC
eth.dst == a0:00:00:04:c5:84
eth.dst == a0-00-00-04-c5-84 // dashes are accepted as byte separators as well
eth.addr eq a0:00:00:04:c5:84 // matches when either the source MAC or the destination MAC is a0:00:00:04:c5:84

Comparison operators (the symbolic and the word forms are interchangeable):
Less than: < or lt
Less than or equal to: <= or le
Equal to: == or eq
Greater than: > or gt
Greater than or equal to: >= or ge
Not equal to: != or ne


5. Filter by packet length

Example:
udp.length == 26 // the UDP length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload (the data carried after the TCP header), excluding the TCP header itself
ip.len == 94 // the IP total length: everything after the 14-byte Ethernet header, i.e. from the start of the IP header to the end of the packet
frame.len == 119 // the length of the whole frame, from the Ethernet header to the end

eth ---> ip or arp ---> tcp or udp ---> data

6. HTTP filtering

Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

// GET requests
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
// POST requests
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
// Responses
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
Both conditions must hold, so a response without a Content-Type header is not shown.

String comparisons with == and contains are case-sensitive, and the method is sent in upper case on the wire, so "get" or "Post" would match nothing. The dissector also exposes the headers as fields, which is more precise than a substring search: http.host, http.user_agent, http.response.code == 200, http.content_type.


7. Filter by TCP parameters

tcp.flags // matches every segment that has a TCP flags field, i.e. all TCP traffic
tcp.flags.syn == 1 // segments with the SYN flag set (SYN and SYN/ACK alike); the subfield is 0/1, and 0x02 is only the bit's value inside the whole flags byte, so a bare SYN with no ACK is tcp.flags == 0x002
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window segments that are not resets

8. Filter by content

tcp[20] // one byte at offset 20, counted from the start of the TCP header
tcp[20:] // everything from offset 20 to the end of the segment
tcp[20:8] // 8 bytes starting at offset 20
tcp[offset:n] // n bytes starting at offset

udp[8:3] == 81:60:03 // skip the 8-byte UDP header, take 3 bytes and compare them with the bytes after ==
udp[8] == 32 // one byte at offset 8; the general form is udp[offset:count] == value
eth.addr[0:3] == 00:06:5b // the first three bytes (the OUI) of either MAC address

Example:
Check whether the first three payload bytes under UDP are 0x20 0x21 0x22.
The UDP header is always 8 bytes, so the payload starts at offset 8:
udp[8:3] == 20:21:22

Check whether the first three payload bytes under TCP are 0x20 0x21 0x22.
The TCP header is usually 20 bytes, but it is longer whenever options (MSS, window scale, SACK, timestamps) are present, in which case tcp[20:3] reads option bytes instead of payload:
tcp[20:3] == 20:21:22
To be exact you must know the TCP header length first (tcp.hdr_len shows it); recent Wireshark versions also expose the payload as its own field, so tcp.payload[0:3] == 20:21:22 works whatever the header length.
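The length fields of section 5, the flag fields of section 7 and the fixed-offset slices above are easiest to understand by computing them from a raw frame. The following Python script is an added example, not code from the original page: it builds constructed Ethernet/IPv4/TCP and UDP frames (the MAC a0:00:00:04:c5:84 and the host 192.168.1.107 come from the examples above, everything else is made up and checksums are left at zero) and returns what frame.len, ip.len, tcp.len, udp.length, tcp.flags, tcp.flags.syn, tcp[20:3], udp[8:3] and tcp.payload[0:3] would show. The second TCP frame carries 12 bytes of options, which is where tcp[20:3] and tcp.payload[0:3] diverge.

```python
"""Compute the fields the length, flag and byte-slice filters refer to
(frame.len, ip.len, tcp.len, udp.length, tcp.flags, tcp[20:3], ...) from raw frames.
Added example, not code from the original page; frames are constructed here with
checksums left at zero, which does not affect any of these fields."""
import struct

SRC_MAC = bytes.fromhex("a0000004c584")        # the MAC used in the cheat sheet's examples
DST_MAC = bytes.fromhex("000c29aabbcc")        # constructed
SRC_IP = bytes([192, 168, 1, 107])             # the host used in the cheat sheet's examples
DST_IP = bytes([10, 0, 0, 1])                  # constructed


def build_frame(payload: bytes, proto: str = "tcp", options: bytes = b"", flags: int = 0x18) -> bytes:
    """Ethernet/IPv4/{TCP,UDP} frame around payload (constructed test data)."""
    if proto == "tcp":
        assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
        data_offset = ((20 + len(options)) // 4) << 4          # header length in words, upper nibble of byte 12
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset, flags, 65535, 0, 0) + options + payload
        ip_proto = 6
    else:
        l4 = struct.pack("!HHHH", 40000, 8000, 8 + len(payload), 0) + payload   # udp.length = 8 + payload
        ip_proto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, ip_proto, 0, SRC_IP, DST_IP)
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + l4


def fields(frame: bytes) -> dict:
    """Return the display-filter fields for one frame, using the header lengths the packet really carries."""
    eth = 14                                               # Ethernet II header, no VLAN tag
    ihl = (frame[eth] & 0x0F) * 4                          # IP header length (20 without options)
    ip_len = struct.unpack_from("!H", frame, eth + 2)[0]   # ip.len: IP header through the end of the IP payload
    l4 = eth + ihl
    out = {"frame.len": len(frame), "ip.len": ip_len}     # frame.len: the whole frame, Ethernet header included
    if frame[eth + 9] == 6:
        hdr = (frame[l4 + 12] >> 4) * 4                    # real TCP header length, options included
        tcp_flags = frame[l4 + 13]
        out.update({
            "tcp.hdr_len": hdr,
            "tcp.len": ip_len - ihl - hdr,                 # TCP payload only; the header is excluded
            "tcp.flags": tcp_flags,                        # whole flags byte: 0x002 is a bare SYN, 0x012 SYN/ACK
            "tcp.flags.syn": (tcp_flags >> 1) & 1,         # the boolean subfield: 1 for SYN and SYN/ACK alike
            "tcp[20:3]": frame[l4 + 20:l4 + 23],           # what the fixed-offset slice in the cheat sheet reads
            "tcp.payload[0:3]": frame[l4 + hdr:l4 + hdr + 3],  # first three payload bytes, whatever the header length
        })
    elif frame[eth + 9] == 17:
        out.update({
            "udp.length": struct.unpack_from("!H", frame, l4 + 4)[0],   # 8-byte header + payload
            "udp[8:3]": frame[l4 + 8:l4 + 11],             # the UDP header is always 8 bytes, so this is the payload start
        })
    return out


if __name__ == "__main__":
    http = b"GET / HTTP/1.0\r\n"
    plain = fields(build_frame(http))
    # NOP, NOP, Timestamp: the 12 bytes of options most stacks add to every data segment.
    ts_opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)
    with_opts = fields(build_frame(http, options=ts_opts))
    print("no options :", plain["tcp[20:3]"], plain["tcp.payload[0:3]"], plain["tcp.len"])
    print("12B options:", with_opts["tcp[20:3]"], with_opts["tcp.payload[0:3]"], with_opts["tcp.len"])
    syn, synack = fields(build_frame(b"", flags=0x02)), fields(build_frame(b"", flags=0x12))
    print("syn:", hex(syn["tcp.flags"]), syn["tcp.flags.syn"], "| syn/ack:", hex(synack["tcp.flags"]), synack["tcp.flags.syn"])
    print("udp:", fields(build_frame(b"\x02\x00\x22", proto="udp")))
```

Run it with python3. The frame with options is the case the text warns about: tcp[20:3] returns the first option bytes (01:01:08) while the payload still starts with GET, and tcp.len is the same 16 bytes in both frames because the options belong to the header. tcp.flags.syn is 1 for both the SYN (flags 0x002) and the SYN/ACK (flags 0x012), which is why the boolean subfield and the whole-byte value are not interchangeable.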

matches (regular expression) and contains (substring) syntax
ip.src == 192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22"
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches any UDP datagram that contains the bytes 7c 7c 7d 7d anywhere (header or payload), not only at the first byte

contains is an exact, case-sensitive byte search; matches takes a Perl-compatible regular expression over the raw bytes and is case-insensitive by default. Inside a double-quoted string the \xNN escapes are turned into the corresponding bytes before the regular expression engine sees them, so [\x00-\xff] is a range over any byte value.

Example:
Capture the local QQ login packet (the first payload byte is 0x02, the fourth and fifth bytes are 0x00 0x22, and the last byte is 0x03):
0x02 xx xx 0x00 0x22 ... 0x03
Correct:
oicq and udp[8:] matches "^\x02[\x00-\xff][\x00-\xff]\x00\x22[\x00-\xff]+\x03$"
oicq and udp[8:] matches "^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$" // login packet
oicq and (udp[8:] matches "^\x02[\x00-\xff]{2}\x03$" or tcp[20:] matches "^\x02[\x00-\xff]{2}\x03$")
oicq and (udp[8:] matches "^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$" or tcp[20:] matches "^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$")

The QQ number is carried not only in the login packet but in other packets as well. Those must satisfy the following (the same holds over TCP, which is not covered here):
oicq and udp[8:] matches "^\x02[\x00-\xff]+\x03$" and !(udp[11:2] == 00:00) and !(udp[11:2] == 00:80)
oicq and udp[8:] matches "^\x02[\x00-\xff]+\x03$" and !(udp[11:2] == 00:00) and !(udp[] == 00:00:00:00)
Note:
udp[] == 00:00:00:00 means the QQ-number field is empty (the offset of that 4-byte slice is not given in the source)
udp[11:2] == 00:80 means the command number is 00:80
When the command number is 00:80, the QQ number is 00:00:00:00

Find the account that logged on to MSN successfully (the condition is "USR 7 OK": the first three bytes are USR, then a space 0x20, the transaction ID, another space, OK, one more space, and then the e-mail address):
USR xx OK <mail address>
Correct:
msnms and ip.addr == 192.168.1.107 and tcp[20:] matches "^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+"
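To try the OICQ and MSN patterns above without a capture, here is an added Python example (not code from the original page) that emulates udp[offset:length], contains and matches on constructed datagrams: contains is an exact byte search, matches is a regular expression over raw bytes and, like Wireshark's operator, case-insensitive. The OICQ datagram layout is constructed: only the flag byte at udp[8] and the command at udp[11:2] follow the filters above; the version, sequence and QQ-number fields are assumed for the sample. The MSN pattern is extended with capture groups so the account name is returned, which goes beyond the filter itself.

```python
"""Emulate the display-filter operators contains and matches on UDP/TCP byte slices
so the OICQ and MSN patterns can be checked against constructed payloads.
Added example, not code from the original page; all packets are constructed."""
import re
import struct


def udp(datagram: bytes, offset: int, length=None) -> bytes:
    """udp[offset:length] / udp[offset:] on a UDP datagram (8-byte header + payload)."""
    return datagram[offset:] if length is None else datagram[offset:offset + length]


def contains(field: bytes, needle: bytes) -> bool:
    """`field contains needle`: the exact byte sequence anywhere in the field."""
    return needle in field


def matches(field: bytes, pattern: bytes) -> bool:
    """`field matches "pattern"`: regex search over raw bytes, caseless like Wireshark's default."""
    return re.search(pattern, field, re.IGNORECASE) is not None


# The regexes from the cheat sheet as byte patterns (\xNN stays a literal byte here as well).
LOGIN_RE = rb"^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$"    # QQ login packet
ANY_OICQ_RE = rb"^\x02[\x00-\xff]+\x03$"                          # any OICQ packet
# The cheat sheet's MSN pattern, extended with two capture groups (transaction id, account).
USR_OK_RE = rb"^USR\x20([\x30-\x39]+)\x20OK\x20([^\x20\r\n]+)"

# Constructed UDP header; length and checksum are irrelevant for slicing.
UDP_HDR = struct.pack("!HHHH", 4000, 8000, 0, 0)


def oicq_datagram(command: bytes, qq: bytes, body: bytes = b"") -> bytes:
    """Constructed OICQ datagram. Only the flag (udp[8]) and command (udp[11:2]) offsets come from the
    cheat sheet; the version, sequence and QQ-number fields after them are assumed for this sample."""
    return UDP_HDR + b"\x02" + b"\x0f\x5f" + command + b"\x00\x01" + qq + body + b"\x03"


def is_qq_login(datagram: bytes) -> bool:
    # oicq && udp[8:] matches "^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$"
    return matches(udp(datagram, 8), LOGIN_RE)


def carries_qq_number(datagram: bytes) -> bool:
    # oicq && udp[8:] matches "^\x02[\x00-\xff]+\x03$" && !(udp[11:2] == 00:00) && !(udp[11:2] == 00:80)
    return matches(udp(datagram, 8), ANY_OICQ_RE) and udp(datagram, 11, 2) not in (b"\x00\x00", b"\x00\x80")


def msn_login_account(tcp_payload: bytes):
    # tcp[20:] matches "^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+", returning the account or None.
    # The caller passes the TCP payload, so a header longer than 20 bytes is not an issue here.
    m = re.match(USR_OK_RE, tcp_payload, re.IGNORECASE)
    return m.group(2).decode("ascii", "replace") if m else None


if __name__ == "__main__":
    login = oicq_datagram(b"\x00\x22", b"\x12\x34\x56\x78", b"\xaa\xbb")
    keepalive = oicq_datagram(b"\x00\x80", b"\x00\x00\x00\x00")
    print("login packet:", is_qq_login(login), is_qq_login(keepalive))
    print("carries QQ number:", carries_qq_number(login), carries_qq_number(keepalive))
    usr_ok = b"USR 7 OK user@example.com Nick\r\n"          # constructed MSN server reply
    print("MSN account:", msn_login_account(usr_ok), msn_login_account(b"USR 7 TWN S 1234\r\n"))
    # contains is exact, matches is not:
    print("contains usr:", contains(usr_ok, b"usr"), "| matches ^usr:", matches(usr_ok, rb"^usr"))
```

The keepalive-style datagram (command 00:80, QQ number 00:00:00:00) is accepted by the generic ^\x02...\x03$ pattern but rejected by the udp[11:2] exclusion, which is exactly why the filters above carry that extra clause.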

9. DNS filtering


10. DHCP

Example: searching for a rogue DHCP server. Add the following to the display filter to show every DHCP reply (bootp.type == 2, i.e. the OFFER/ACK/NAK messages a server sends) that does not come from the legitimate server at 192.168.1.1:
bootp.type == 2 and not ip.src == 192.168.1.1
In Wireshark 3.0 and later the dissector is named dhcp, so this reads dhcp.type == 2 (the bootp.* names are still accepted as aliases).
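The filter above in executable form, as an added Python example that is not part of the original page: it parses constructed DHCP messages (BOOTP fixed header, magic cookie, options), keeps only replies (op == 2, the bootp.type == 2 condition) and reports any whose source IP is not the authorised 192.168.1.1. It additionally checks option 54, the DHCP Server Identifier, because a reply that reaches the client through a relay agent carries the relay's source IP while option 54 still names the server that produced it; that option check is an addition of this example, not something the original filter does.

```python
"""Flag DHCP replies from a server other than the trusted one: the display filter
bootp.type == 2 and not ip.src == 192.168.1.1, plus a check of option 54.
Added example, not code from the original page; all packets are constructed."""
import struct
from ipaddress import IPv4Address

AUTHORISED_SERVER = IPv4Address("192.168.1.1")   # the legitimate server from the cheat sheet
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2                                     # bootp.type / dhcp.type == 2


def build_dhcp(op: int, yiaddr: str, msg_type: int, server_id=None) -> bytes:
    """Constructed BOOTP/DHCP message (the UDP payload): 236-byte fixed header, cookie, options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])                               # option 53: DHCP Message Type
    if server_id:
        options += bytes([54, 4]) + IPv4Address(server_id).packed    # option 54: Server Identifier
    return fixed + MAGIC_COOKIE + options + b"\xff"                   # 0xff ends the option list


def parse_dhcp(payload: bytes):
    """Return (op, options dict); options are only parsed when the magic cookie is present."""
    op = payload[0]
    opts = {}
    if payload[236:240] == MAGIC_COOKIE:
        i = 240
        while i < len(payload) and payload[i] != 0xFF:
            if payload[i] == 0:                    # pad option has no length byte
                i += 1
                continue
            code, length = payload[i], payload[i + 1]
            opts[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return op, opts


def rogue_replies(packets, authorised=AUTHORISED_SERVER):
    """packets: iterable of (source IP, DHCP payload). Return [(source IP, server identifier)] for
    every reply (op == 2) whose source IP or Server Identifier is not the authorised server."""
    hits = []
    for src, payload in packets:
        op, opts = parse_dhcp(payload)
        if op != BOOTREPLY:                        # bootp.type == 2
            continue
        server_id = IPv4Address(opts[54]) if 54 in opts else None
        if IPv4Address(src) != authorised or (server_id is not None and server_id != authorised):
            hits.append((src, str(server_id)))
    return hits


if __name__ == "__main__":
    CAPTURE = [  # constructed, not a real capture
        ("0.0.0.0", build_dhcp(1, "0.0.0.0", 1)),                               # DISCOVER from a client
        ("192.168.1.1", build_dhcp(2, "192.168.1.50", 2, "192.168.1.1")),       # OFFER from the real server
        ("192.168.1.200", build_dhcp(2, "192.168.1.77", 2, "192.168.1.200")),   # OFFER from a rogue server
        ("192.168.1.1", build_dhcp(2, "192.168.1.78", 5, "192.168.1.200")),     # ACK forwarded by 192.168.1.1, option 54 names the rogue
    ]
    for hit in rogue_replies(CAPTURE):
        print("rogue DHCP reply: src=%s server_id=%s" % hit)
```

The last sample is the one the ip.src filter alone misses: its source address is the trusted host, but the Server Identifier inside the message points at 192.168.1.200.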

11. MSN

msnms && tcp[23:1] == 20 // the fourth byte of the MSN payload is 0x20 (a space), assuming a 20-byte TCP header
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5a && tcp[21:1] >= 41 && tcp[21:1] <= 5a && tcp[22:1] >= 41 && tcp[22:1] <= 5a // the first three payload bytes are A-Z
msnms && tcp[20:3] == "USR" // packets whose command code is USR
msnms && tcp[20:3] == "MSG" // packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80

How do you tell whether a packet is an MSN packet carrying a command code?
1) The port is 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80
2) The first three bytes of the data segment are uppercase letters (0x41 to 0x5a), e.g.:
tcp[20:1] >= 41 && tcp[20:1] <= 5a && tcp[21:1] >= 41 && tcp[21:1] <= 5a && tcp[22:1] >= 41 && tcp[22:1] <= 5a
3) The fourth byte is 0x20, e.g. tcp[23:1] == 20
4) MSN runs over TCP, so: tcp
Note that an HTTP request on port 80 ("GET " followed by the path) also satisfies all four checks, so on its own this heuristic is not specific to MSN; combine it with the msnms protocol filter or with the known command codes.
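The four checks above as a function, an added Python example that is not from the original page. It runs over constructed (srcport, dstport, payload) tuples and shows the case the heuristic alone cannot resolve: an HTTP GET on port 80 passes all four checks, so a second function also requires the three letters to be a known MSNP command code (that list is an assumption of this example, not something the text gives).

```python
"""The section-11 MSN heuristic (port, three uppercase bytes, a space) in Python,
with a known-command check on top. Added example, not code from the original page;
the sample segments are constructed."""

MSN_PORTS = {1863, 80}
# A few MSNP command codes, assumed here to narrow the heuristic (not from the cheat sheet).
KNOWN_MSNP_COMMANDS = {b"VER", b"CVR", b"USR", b"XFR", b"SYN", b"CHG", b"MSG", b"OUT", b"PNG", b"QNG"}


def looks_like_msn_command(srcport: int, dstport: int, payload: bytes) -> bool:
    """Steps 1-4: TCP port 1863 or 80; payload[0:3] in 0x41..0x5a; payload[3] == 0x20."""
    if not ({srcport, dstport} & MSN_PORTS):               # step 1: tcp.port == 1863 || tcp.port == 80
        return False
    if len(payload) < 4:
        return False
    if not all(0x41 <= b <= 0x5A for b in payload[:3]):     # step 2: tcp[20:1] >= 41 && tcp[20:1] <= 5a ...
        return False
    return payload[3] == 0x20                               # step 3: tcp[23:1] == 20


def msn_command(srcport: int, dstport: int, payload: bytes):
    """Return the three-letter command code when the segment passes the heuristic and the code is a
    known MSNP command, otherwise None. This is what separates "GET " on port 80 from MSN traffic."""
    if looks_like_msn_command(srcport, dstport, payload) and payload[:3] in KNOWN_MSNP_COMMANDS:
        return payload[:3].decode("ascii")
    return None


def classify(segments):
    """Run both checks over (srcport, dstport, payload) tuples; returns (heuristic hit, command or None)."""
    return [(looks_like_msn_command(s, d, p), msn_command(s, d, p)) for s, d, p in segments]


if __name__ == "__main__":
    # Constructed segments; step 4 ("it is TCP") is implied by the port tuple.
    SAMPLES = [
        (1863, 50000, b"USR 7 OK user@example.com Nick\r\n"),
        (50001, 1863, b"MSG 8 N 25\r\nMIME-Version: 1.0\r\n"),
        (50002, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),   # passes steps 1-4, not MSN
        (50003, 443, b"VER 1 MSNP15 CVR0\r\n"),                               # wrong port
    ]
    for sample, result in zip(SAMPLES, classify(SAMPLES)):
        print(sample[:2], sample[2][:4], result)
```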

MSN Messenger protocol analysis
http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN protocol analysis
http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

More details
Wireshark filter expression examples
http://www.csna.cn/viewthread.php?tid=14614
