Wireshark is an essential tool for network programming. Display filter field names are lowercase (ip.src, tcp.port, eth.dst); "eq" and "==" are equivalent.
1. Filter by IP, e.g. source IP or destination IP equal to a given address:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
Or
ip.addr eq 192.168.1.107 // matches either the source or the destination IP
2. Filter by port
Example:
tcp.port eq 80 // matches whether 80 is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq or udp.port eq 80
tcp.dstport == 80 // destination port 80, TCP only
tcp.srcport == 80 // source port 80, TCP only
udp.port eq 15000
Filter a port range:
tcp.port >= 1 and tcp.port <= 80
3. Filter by protocol
Example (the protocol name alone is a valid filter):
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
etc.
Exclude ARP packets: !arp or not arp
4. Filter by MAC
Filter on the Ethernet header:
eth.dst == a0:00:00:04:c5:84 // filter by destination MAC
eth.src eq a0:00:00:04:c5:84 // filter by source MAC
eth.dst==a0:00:00:04:c5:84
eth.dst==a0-00-00-04-c5-84 // the dash-separated form is also accepted
eth.addr eq a0:00:00:04:c5:84 // matches packets whose source MAC or destination MAC equals a0:00:00:04:c5:84
Comparison operators (symbol and keyword forms are equivalent):
less than: < or lt
less than or equal to: <= or le
equal to: == or eq
greater than: > or gt
greater than or equal to: >= or ge
not equal to: != or ne
5. Filter by packet length
Example:
udp.length == 26 // the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload (the data carried under TCP), not including the TCP header
ip.len == 94 // everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end
frame.len == 119 // the whole frame, from the Ethernet header to the end
ETH ---> IP or ARP ---> TCP or UDP ---> data
6. HTTP filtering
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
GET packets
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
POST packets
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
Response packets
http contains "HTTP/1.1 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 OK" && http contains "Content-Type:"
The response must also contain the following header:
Content-Type:
Note: contains is a case-sensitive byte comparison, and a real status line carries a status code ("HTTP/1.1 200 OK"); for a case-insensitive match use matches "(?i)content-type:".
7. TCP flag filtering
tcp.flags // matches every packet that has a TCP flags field, i.e. every TCP segment
tcp.flags.syn == 1 // packets with the SYN flag set; tcp.flags == 0x002 matches packets where SYN is the only flag set
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window packets that are not resets
8. Filter by content
tcp[20] means the single byte at offset 20
tcp[20:] means from offset 20 to the end
tcp[20:8] means 8 bytes starting at offset 20
tcp[offset:n] is the general form; the offset is counted from the start of the TCP header, not from the start of the payload
udp[8:3]==81:60:03 // skip 8 bytes, take the next 3 bytes and compare them with the value after ==
udp[8:1]==32 // i.e. the general form is udp[offset:length]==value
eth.addr[0:3]==00:06:5b // the first three bytes of the MAC address (the OUI)
Example:
Check whether the first three bytes of the UDP payload equal 0x20 0x21 0x22.
The UDP header has a fixed length of 8 bytes, so:
udp[8:3]==20:21:22
Check whether the first three bytes of the TCP payload equal 0x20 0x21 0x22.
The TCP header is usually 20 bytes, but it is longer when options are present:
tcp[20:3]==20:21:22
To be exact you first have to know the TCP header length (tcp.hdr_len); when options are present, tcp[20:3] reads option bytes instead of payload.
matches (regular expression) and contains (substring) syntax:
ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"
ip.src==192.168.1.107 and udp contains 02:12:21:00:22
ip.src==192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d matches UDP packets that contain 0x7c7c7d7d anywhere in the datagram, not necessarily starting at the first payload byte.
Example:
Capture the local QQ login packet (conditions: the first byte == 0x02, the fourth and fifth bytes == 0x00 0x22, the last byte == 0x03):
0x02 xx xx 0x00 0x22 ... 0x03
Correct filters:
oicq and udp[8:] matches "^\\x02[\\x00-\\xff][\\x00-\\xff]\\x00\\x22[\\x00-\\xff]+\\x03$"
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" // login packet
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x03$" or tcp[20:] matches "^\\x02[\\x00-\\xff]{2}\\x03$")
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" or tcp[20:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$")
The QQ number is not only carried by command 00:22; other packets carry it too, and they satisfy the following conditions (the TCP variants carry it as well, but are not handled here):
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2]==00:00) and !(udp[11:2]==00:80)
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2]==00:00) and !(udp[15:4]==00:00:00:00)
Explanation:
udp[15:4]==00:00:00:00 means the QQ number is empty
udp[11:2]==00:00 means the command number is 00:00
udp[11:2]==00:80 means the command number is 00:80
When the command number is 00:80, the QQ number is 00:00:00:00
Capture the MSN login-success account (condition: "USR 7 OK", i.e. the first three bytes are USR, then a field delimited by two 0x20 bytes, then OK; after OK comes one 0x20 byte and then the mail address):
USR xx OK mail@hotmail.com
Correct filter:
msnms and tcp and ip.addr==192.168.1.107 and tcp[20:] matches "^USR\\x20[\\x30-\\x39]+\\x20OK\\x20[\\x00-\\xff]+"
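As an added example that is not part of the original cheat sheet, the Python below models the byte-slice semantics of section 8 on constructed packets: it shows why udp[8:] always starts at the payload while tcp[20:] only does so when the header has no options, and re-implements the QQ login regex and the MSN command-code check (section 11) over those slices. The sample segments are built by hand; the ports, flags and MSS option are assumed values.

```python
import re
import struct
from typing import Optional

# Constructed sample segments (not captured traffic) so the Wireshark slice
# semantics from section 8 can be checked offline with plain Python.

def wireshark_slice(proto: bytes, offset: int, length: Optional[int] = None) -> bytes:
    """Model of proto[offset:length] and proto[offset:] in a display filter."""
    return proto[offset:] if length is None else proto[offset:offset + length]

def build_udp(payload: bytes) -> bytes:
    """8-byte UDP header (ports, length, checksum) followed by the payload."""
    return struct.pack("!HHHH", 8000, 8000, 8 + len(payload), 0) + payload

def build_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """TCP header, optional options (padded to a 4-byte boundary) and payload."""
    options += b"\x00" * (-len(options) % 4)
    hdr_len = 20 + len(options)
    # src port, dst port, seq, ack, data offset << 12 | flags (PSH,ACK), window, csum, urg
    base = struct.pack("!HHIIHHHH", 1863, 80, 1, 0, (hdr_len // 4) << 12 | 0x18, 8192, 0, 0)
    return base + options + payload

def tcp_header_len(tcp: bytes) -> int:
    """Header length in bytes from the Data Offset nibble (tcp.hdr_len in Wireshark)."""
    return (tcp[12] >> 4) * 4

def tcp_payload_prefix_naive(tcp: bytes) -> bytes:
    """What tcp[20:3] really returns: right only when the header has no options."""
    return wireshark_slice(tcp, 20, 3)

def tcp_payload_prefix_exact(tcp: bytes) -> bytes:
    """Slice at the real header length instead of assuming 20."""
    return wireshark_slice(tcp, tcp_header_len(tcp), 3)

# udp[8:] matches "^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$" (the QQ login filter)
QQ_LOGIN_RE = re.compile(rb"^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03$")

def qq_login_filter(udp: bytes) -> bool:
    """udp[8:] is the whole UDP payload, because the UDP header is always 8 bytes."""
    return QQ_LOGIN_RE.fullmatch(wireshark_slice(udp, 8)) is not None

def msn_command_filter(tcp: bytes) -> bool:
    """Section 11 check: three uppercase letters (0x41-0x5A) then 0x20 at the payload start."""
    data = wireshark_slice(tcp, tcp_header_len(tcp), 4)
    return len(data) == 4 and all(0x41 <= b <= 0x5A for b in data[:3]) and data[3] == 0x20
```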
9. DNS filtering
10. DHCP
To look for a rogue DHCP server, for example, add the following rule to the display filter.
It shows all offer/ack messages (bootp.type==0x02) that do not come from the legitimate DHCP server:
bootp.type==0x02 and not ip.src==192.168.1.1
(In Wireshark 3.0 and later the BOOTP dissector was renamed to DHCP, so the field is dhcp.type.)
11. MSN
msnms && tcp[23:1] == 20 // the fourth payload byte is 0x20 in an MSN command packet
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
msnms && tcp[20:3] == "USR" // find packets whose command code is USR
msnms && tcp[20:3] == "MSG" // find packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80
How can I tell whether a packet is an MSN packet that contains a command code?
1) Port 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80
2) The first three bytes of the data are capital letters (0x41-0x5A, i.e. 'A'-'Z'), e.g.:
tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
3) The fourth byte is 0x20, e.g. tcp[23:1] == 20
4) MSN runs over TCP, e.g. tcp