Wireshark filter Rules

Source: Internet
Author: User

    • Capture filters

One of the simplest examples:

host 10.21.11.86 and host 10.21.11.38

Captures only the packets exchanged between the two hosts. (BPF also accepts the shorter "host 10.21.11.86 and 10.21.11.38": when a qualifier is omitted, the previous one is repeated.)

Examples:

Ethernet address: capture all frames sent to or from the MAC address 08:00:08:15:ca:fe
ether host 08:00:08:15:ca:fe

IP address: capture all packets sent to or from 192.168.0.10
host 192.168.0.10


Protocol and port: capture all TCP segments whose source or destination port is 80
tcp port 80

Combination: capture all traffic to or from 192.168.0.10 except HTTP (TCP port 80)
host 192.168.0.10 and not tcp port 80

Note: a "port" primitive only matches TCP/UDP (or SCTP) carried over IP, so a filter such as "tcp port 80" never captures ARP. A plain "host" primitive, on the other hand, also matches ARP packets whose sender or target address is that host, so the combination above still lets ARP for 192.168.0.10 through; add "and not arp" if you do not want it, or "or arp" to a port-only filter if you do.

Capture filter syntax

Notation used below:
[x]    x is optional
a|b    either a or b
<x>    x is a value you must supply
xyz    xyz is a literal keyword and must be typed as shown

[not] primitive [and|or [not] primitive ...]
The operators and, or, not may also be written as &&, || and !.

A primitive is one of the following:

[src|dst] host <host>
<host> is an IP address or a host name. src or dst restricts the match to the source or the destination address; without either, both directions match.

ether [src|dst] host <ehost>
<ehost> is a MAC (Ethernet) address; src or dst selects the source or the destination MAC address.

gateway <host>
Matches packets that were forwarded through <host>: the Ethernet source or destination address is <host>, but neither the IP source nor the IP destination is. <host> must be a name that resolves to both a MAC address and an IP address.

[src|dst] net <net> [{mask <mask>}|{len <len>}]
<net> is a network address; src or dst restricts the match to packets whose source or destination lies in that network, and without either, both directions match. The network size can be given as a dotted netmask ("net 192.168.0.0 mask 255.255.255.0") or as a CIDR (Classless Inter-Domain Routing) prefix length ("net 192.168.0.0/24").

[tcp|udp] [src|dst] port <port>
tcp or udp restricts the match to one transport protocol (without it, TCP, UDP and SCTP ports are all checked), and <port> is a port number or service name. Note that the protocol keyword must come before src or dst: "tcp dst port 80", not "dst tcp port 80".

less|greater <length>
Matches on the total packet length: "less 100" captures packets of at most 100 bytes and "greater 1000" packets of at least 1000 bytes (equivalent to "len <= 100" and "len >= 1000").

ip|ether proto <protocol>
"ether proto" selects frames by EtherType (for example "ether proto 0x0806" or "ether proto \arp"), and "ip proto" selects IPv4 packets by the protocol number in the IP header (for example "ip proto 1" or "ip proto \icmp" for ICMP). Names that are also filter keywords (tcp, udp, icmp, arp, ip) must be escaped with a backslash when they are used as protocol values.


ether|ip broadcast|multicast
"ether broadcast" matches frames sent to the Ethernet broadcast address and "ether multicast" frames sent to a multicast MAC address; "ip broadcast" matches IPv4 broadcasts (this one needs the netmask of the capture interface) and "ip multicast" IPv4 multicast destinations.

    • Display filters

1. IP address filtering: match the source or the destination IP address
For example:
ip.src == 192.168.0.208 or ip.src eq 192.168.0.208    source address only
ip.dst == 192.168.0.208 or ip.dst eq 192.168.0.208    destination address only
ip.addr == 192.168.0.208                               either direction

2. Port filtering:
For example:
tcp.port eq 80        either the source or the destination port is 80
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80     TCP destination port 80 only
tcp.srcport == 80     TCP source port 80 only

Port range:
tcp.port >= 1 and tcp.port <= 80

Caveat: tcp.port occurs twice in every segment (source and destination port), and each comparison is true if any occurrence satisfies it. "tcp.port >= 1024 and tcp.port <= 49151" therefore also matches a connection from port 50000 to port 80, because 50000 satisfies the first test and 80 the second. Use tcp.srcport / tcp.dstport, or the set syntax "tcp.port in {1024..49151}" available in current Wireshark releases, when a single port has to lie inside the range.

3. Protocol filtering: enter the protocol name on its own, for example:
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
and so on.
To exclude a protocol, negate it: "!ssl" or "not ssl" (in Wireshark 3.0 and later the dissector is named tls, so write "!tls").

4. Packet length filtering:
For example:
udp.length == 26    the UDP length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7        the TCP payload length (the data carried after the TCP header), not including the TCP header itself
ip.len == 94        the IP total length: everything after the fixed 14-byte Ethernet header, from the IP header to the end of the packet
frame.len == 119    the whole frame length, from the Ethernet header to the end

5. HTTP filtering:
Examples:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

GET requests
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
POST requests
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
Responses
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
Both must contain the header
Content-Type:

Note that "contains" is a case-sensitive byte match, so header names and the status line must be spelled exactly as they appear on the wire ("User-Agent:", "Content-Type:", "HTTP/1.1 200 OK"). Dissected fields are more robust than string matching: "http.response.code == 200 && http.content_type" selects the same responses without depending on the exact text.

6. Connectives: and / or (also written && and ||), and the negation not (also !)

7. Expression example: !(arp.src.proto_ipv4 == 192.168.1.1) and !(arp.dst.proto_ipv4 == 192.168.1.243)
This drops ARP packets whose sender protocol address is 192.168.1.1 or whose target protocol address is 192.168.1.243; arp.src.proto_ipv4 and arp.dst.proto_ipv4 are the sender and target IPv4 addresses carried in the ARP body.


Wireshark matching rules are powerful.
There is also a form of rule that matches the raw bytes of a packet by offset: proto[offset:length] == bytes.
For example, to match the first 6 bytes of the TCP payload (the data carried by TCP) against an eDonkey message header (the 0xE3 protocol marker followed by length and opcode bytes):

tcp[20:6] == e3:11:00:00:00:56 and tcp[29] == 54

Here 20 is the length of a TCP header without options, so bytes 20 onward are the TCP payload, and tcp[29] is the tenth payload byte. If the segment carries TCP options (timestamps, SACK), the header is longer and offset 20 lands inside the options instead. Slicing the dissected payload field avoids that dependency: tcp.payload[0:6] == e3:11:00:00:00:56.

You can also match with a Perl-compatible regular expression using the "matches" operator, for example http.request.uri matches "^/img/.*[.]gif$".

Match UDP payload (the data carried by UDP): the first two payload bytes are 0xf1, 0x0d and the third and fourth bytes are 0x00, 0x00 (eDonkey over UDP). The UDP header is always 8 bytes, so udp[8:...] always addresses the payload:

udp[8:2] == f1:0d and udp[10:2] == 00:00
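The following is an added example written for this page (Python; it is not code from the original article or from the Wireshark/libpcap projects). It backs three points made above: a capture filter's "port" primitive can never match ARP while "host" does, "tcp[20:6]" only addresses the payload when the TCP header carries no options, and a display-filter comparison on tcp.port is true if either port satisfies it. It builds its own Ethernet/ARP/IPv4/TCP frames with struct (constructed, checksums left at zero, the eDonkey-like payload bytes are made up) and emulates the filter semantics on them.

```python
# Added example, not from the original page: a minimal frame parser plus
# functions that emulate what a few capture- and display-filter primitives
# test. Frames are constructed here with struct (no checksums), not captured.
import struct
from ipaddress import IPv4Address


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def eth(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet + ARP 'who-has target_ip tell sender_ip'."""
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(sender_mac)
            + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed)
    return eth("ff:ff:ff:ff:ff:ff", sender_mac, 0x0806, body)


def tcp_segment(src_ip, dst_ip, sport, dport, payload, options=b""):
    """Ethernet + IPv4 + TCP; the TCP data offset grows when options are present."""
    options += b"\x00" * (-len(options) % 4)           # options are padded to 32-bit words
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x18, 8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth("08:00:08:15:ca:fe", "00:11:22:33:44:55", 0x0800, ip + tcp)


def parse(frame):
    """Extract only the fields the filter emulations below need."""
    pkt = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] == 0x0806:                      # ARP sender / target protocol addresses
        pkt["arp_spa"], pkt["arp_tpa"] = IPv4Address(frame[28:32]), IPv4Address(frame[38:42])
    elif pkt["ethertype"] == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        pkt["ip_src"], pkt["ip_dst"] = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
        pkt["ip_proto"] = frame[23]
        if pkt["ip_proto"] == 6:
            pkt["tcp"] = frame[14 + ihl:]               # whole segment: header + payload
            pkt["tcp_ports"] = struct.unpack("!HH", pkt["tcp"][:4])
            pkt["tcp_payload"] = pkt["tcp"][(pkt["tcp"][12] >> 4) * 4:]
    return pkt


# --- capture-filter primitives (BPF semantics) ---
def capture_host(pkt, addr):
    """`host A`: libpcap tests IPv4 src/dst and also the ARP/RARP sender/target addresses."""
    a = IPv4Address(addr)
    return a in (pkt.get("ip_src"), pkt.get("ip_dst"), pkt.get("arp_spa"), pkt.get("arp_tpa"))


def capture_tcp_port(pkt, port):
    """`tcp port N`: needs IP carrying TCP, so an ARP frame can never satisfy it."""
    return pkt.get("ip_proto") == 6 and port in pkt["tcp_ports"]


def capture_host_not_port(pkt, host, port):
    """`host <host> and not tcp port <port>`: ARP for <host> still passes."""
    return capture_host(pkt, host) and not capture_tcp_port(pkt, port)


# --- display-filter byte slices and the multi-occurrence field gotcha ---
def tcp_slice(pkt, offset, length):
    """`tcp[offset:length]`: offsets count from the start of the TCP header."""
    return pkt["tcp"][offset:offset + length]


def tcp_payload_slice(pkt, offset, length):
    """`tcp.payload[offset:length]`: offsets count from the first payload byte, options or not."""
    return pkt["tcp_payload"][offset:offset + length]


def port_range_any_occurrence(pkt, lo, hi):
    """`tcp.port >= lo and tcp.port <= hi` as Wireshark evaluates it: each comparison is
    true if ANY occurrence of tcp.port (srcport or dstport) satisfies it."""
    ports = pkt["tcp_ports"]
    return any(p >= lo for p in ports) and any(p <= hi for p in ports)


def port_in_range(pkt, lo, hi):
    """What is usually meant: some single port lies in [lo, hi] (`tcp.port in {lo..hi}`)."""
    return any(lo <= p <= hi for p in pkt["tcp_ports"])


# Constructed sample frames (not real captures)
EDONKEY_LIKE = bytes.fromhex("e3110000005600")   # 0xe3 marker, then made-up length/opcode bytes
ARP = arp_request("00:11:22:33:44:55", "192.168.0.10", "192.168.0.1")
PLAIN = tcp_segment("192.168.0.10", "192.168.0.20", 50000, 4662, EDONKEY_LIKE)
TIMESTAMPED = tcp_segment("192.168.0.10", "192.168.0.20", 50000, 4662, EDONKEY_LIKE,
                          options=b"\x01\x01\x08\x0a" + b"\x00" * 8)   # NOP, NOP, timestamp
WEB = tcp_segment("192.168.0.10", "192.168.0.20", 50000, 80, b"GET / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, frame in (("ARP", ARP), ("PLAIN", PLAIN), ("WEB", WEB)):
        print(name, "host 192.168.0.10 and not tcp port 80 ->",
              capture_host_not_port(parse(frame), "192.168.0.10", 80))
    print("tcp[20:6] with options      ->", tcp_slice(parse(TIMESTAMPED), 20, 6).hex())
    print("tcp.payload[0:6] with options ->", tcp_payload_slice(parse(TIMESTAMPED), 0, 6).hex())
    print("tcp.port >= 1024 and tcp.port <= 49151 on 50000->80:",
          port_range_any_occurrence(parse(WEB), 1024, 49151))
```

Running it shows the ARP frame for 192.168.0.10 passing "host 192.168.0.10 and not tcp port 80", the byte slice at offset 20 landing on the option bytes 01 01 08 0a when a timestamp option is present, and the two-comparison port range accepting a 50000-to-80 connection even though neither port lies in 1024..49151.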
