Wireshark filter syntax Summary

Source: Internet
Author: User
Tags: snmp

For application recognition, the traffic an application generates is often what gets analysed.

When extracting features from a packet capture, Wireshark is used to filter sessions and find the key stream. The basic Wireshark filter syntax is summarized here for later testing. (I cannot keep any of this in my head.)


Wireshark filtering can be divided, by syntax, into protocol filtering and content filtering.

For standard protocols, both coarse-grained filtering on the protocol name (such as http) and fine-grained filtering on protocol attribute values (such as tcp.port == 53 or http.request.method == "GET") are supported.

Content filtering supports deep string matching, such as http contains "server", and matching of values at a specific offset, such as tcp[20:3] == 47:45:54.


Wireshark has two kinds of filter:

Capture filters: decide which packets are recorded in the capture results.
Display filters: search within packets that have already been captured.



Capture filters only support protocol filtering. Display filters support both protocol filtering and content filtering.

The two kinds of filter use different syntaxes.



Capture filter -- filtering on protocol information, applied before packets are captured


Syntax: Protocol Direction Host(s) Value Logical-operation Other-expression
Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128


Demo:


(host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8


Captures all packets whose source or destination IP address is 10.4.1.12 or whose source IP address is in the network 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination IP address is in the network 10.0.0.0/8.


Field description:

Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol type is specified, all supported protocols are captured.
Note: the supported protocols are listed under Help > Manual Pages > Wireshark Filter in Wireshark.


Direction:
Possible values: src, dst, src and dst, src or dst.
If no direction is specified, "src or dst" is used by default.
"host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".


Host(s):
Possible values: net, port, host, portrange.
The default is the "host" keyword, so "src 10.1.1.1" is equivalent to "src host 10.1.1.1".


Logical operations:
Possible values: not, and, or.
Negation ("not") has the highest priority. Alternation ("or") and concatenation ("and") have the same priority and are evaluated from left to right.
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is not equivalent to "not (tcp port 3128 and tcp port 23)".
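The precedence rules above are easy to get wrong, so here is an added example (not part of the original post) that parses the capture-filter subset described in this section (host, net, port, portrange with src/dst, and not/and/or) and evaluates it against constructed packet records. It follows the libpcap rules the text states: "not" binds tightest, "and" and "or" share one level and group left to right. The packet dicts and the helper names (capture_filter, Parser, matches) are this example's own; nothing here talks to a real interface.

```python
"""Toy evaluator for a subset of pcap capture-filter syntax.
Packets are plain dicts with keys proto, src, dst, sport, dport (constructed)."""
import ipaddress
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "arp"}
IP_PROTOS = {"tcp", "udp", "icmp"}          # anything 'ip' should match
KEYWORDS = {"and", "or", "not", "src", "dst", "host", "net", "port", "portrange"}


def tokenize(text):
    # parentheses are their own tokens; everything else splits on whitespace
    return re.findall(r"\(|\)|[^\s()]+", text.lower())


class Parser:
    def __init__(self, text):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.i:])
        return node

    def expr(self):
        # 'and' and 'or' share one precedence level and associate left to right
        node = self.unary()
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.unary())
        return node

    def unary(self):
        # 'not' binds tighter than 'and'/'or'; parentheses override everything
        if self.peek() == "not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOCOLS else None
        if proto is not None and self.peek() in (None, "and", "or", ")"):
            return ("prim", proto, None, None, None)     # bare protocol, e.g. 'tcp'
        direction = self.take() if self.peek() in ("src", "dst") else "src or dst"
        qual = self.take() if self.peek() in ("host", "net", "port", "portrange") else "host"
        value = self.take()
        if value is None or value in KEYWORDS or value in PROTOCOLS:
            raise ValueError("expected a value after %r" % qual)
        return ("prim", proto, direction, qual, value)


def proto_ok(proto, pkt):
    return pkt["proto"] == proto or (proto == "ip" and pkt["proto"] in IP_PROTOS)


def matches(node, pkt):
    kind = node[0]
    if kind == "not":
        return not matches(node[1], pkt)
    if kind in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    _, proto, direction, qual, value = node
    if proto is not None and not proto_ok(proto, pkt):
        return False
    if qual is None:
        return True
    if qual in ("host", "net"):
        fields = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
        net = ipaddress.ip_network(value, strict=False)   # a host is a /32 network
        return any(ipaddress.ip_address(pkt[f]) in net for f in fields)
    if pkt["proto"] not in ("tcp", "udp"):              # ports only exist for tcp/udp
        return False
    fields = {"src": ["sport"], "dst": ["dport"]}.get(direction, ["sport", "dport"])
    lo, hi = (int(value), int(value)) if qual == "port" else map(int, value.split("-"))
    return any(lo <= pkt[f] <= hi for f in fields)


def capture_filter(text):
    """Compile a filter string into a predicate over constructed packet dicts."""
    node = Parser(text).parse()
    return lambda pkt: matches(node, pkt)


if __name__ == "__main__":
    web = {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 5555, "dport": 80}
    f1 = capture_filter("not tcp port 3128 and tcp port 23")
    f2 = capture_filter("not (tcp port 3128 and tcp port 23)")
    print("left-to-right:", f1(web), " explicit parentheses:", f2(web))
```

Running the demo at the bottom prints False for the first filter and True for the second on the same packet, which is exactly the non-equivalence the text describes: without parentheses the "not" applies only to "tcp port 3128".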



Display filter -- filters captured packets on protocol or on packet content.

1. Protocol filter syntax

Syntax: Protocol . String1 . String2 Comparison-operator Value Logical-operation Other-expression
Example: http.request.method == "POST" or icmp.type


String1 and String2 are optional.

When filtering by protocol, you can filter on the protocol name directly or on a protocol attribute (field) value.


Filter by protocol:


snmp || dns || icmp   Displays SNMP, DNS, or ICMP packets.


Filter by protocol attribute values:
ip.addr == 10.1.1.1   Displays packets whose source or destination IP address is 10.1.1.1.


ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
ip.src == 10.230.0.0/16   Displays packets from the 10.230.0.0/16 CIDR block.


tcp.port == 25   Displays packets whose source or destination TCP port is 25.
tcp.dstport == 25   Displays packets whose destination TCP port is 25.


http.request.method == "POST"   Displays HTTP packets whose request method is POST (string comparisons are case-sensitive, so "Post" would not match).
http.host == "tracker.1ting.com"   Displays HTTP packets whose requested host name is tracker.1ting.com.



tcp.flags.syn == 1   Displays packets with the TCP SYN flag set. (tcp.flags.syn is a boolean field; 0x02 is the position of the SYN bit within tcp.flags, so tcp.flags & 0x02 is the equivalent bitwise form.)


2. Content filtering syntax

2.1 Deep string matching

contains: does the protocol, field or slice contain the given value?

Demo


tcp contains "HTTP"   Displays TCP packets whose payload contains the string "HTTP".



http.request.uri contains "online"   Displays HTTP packets whose request URI contains "online".


2.2 Filtering on values at a specific offset

tcp[20:3] == 47:45:54   /* Hexadecimal bytes. The TCP header is usually 20 bytes, so this matches the first three payload bytes ("GET"); if the header carries options the payload starts later and this fixed offset misses it. */

http.host[0:4] == "trac"
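To make the "usually 20 bytes" caveat concrete, here is an added example (not from the original post) that builds two hand-constructed TCP segments, one with a bare 20-byte header and one carrying a 12-byte timestamp option, and checks what a fixed slice like tcp[20:3] == 47:45:54 actually sees in each. The helper names (build_segment, slice_at, payload_starts_with, parse_byte_literal) and the segment contents are this example's own; the only real structure is the TCP data-offset nibble in header byte 12.

```python
"""Offset slicing on raw TCP segments: fixed offset versus data-offset-aware."""
import struct


def parse_byte_literal(text):
    """Turn a Wireshark byte literal such as '47:45:54' into bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def tcp_header_len(segment):
    """Header length in bytes: the data offset is the high nibble of byte 12, in 32-bit words."""
    return (segment[12] >> 4) * 4


def slice_at(segment, start, length):
    """What 'tcp[start:length]' selects: raw bytes of the segment from a fixed offset."""
    return segment[start:start + length]


def payload_starts_with(segment, prefix):
    """Offset-aware check: look past any options to where the payload really begins."""
    off = tcp_header_len(segment)
    return segment[off:off + len(prefix)] == prefix


def build_segment(payload, options=b""):
    """Assemble a minimal TCP segment (constructed values; checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,                    # source / destination port
                         1, 0,                         # sequence / acknowledgement numbers
                         data_offset_words << 4, 0x18, # data offset nibble, flags PSH+ACK
                         65535, 0, 0)                  # window, checksum, urgent pointer
    return header + options + payload


GET = parse_byte_literal("47:45:54")                  # b"GET"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# NOP, NOP, then a Timestamps option (kind 8, length 10) -> 12 option bytes, 32-byte header
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8

SEGMENT_PLAIN = build_segment(REQUEST)
SEGMENT_WITH_OPTIONS = build_segment(REQUEST, options=TS_OPTION)


def fixed_offset_matches(segment):
    """Equivalent of the display filter tcp[20:3] == 47:45:54."""
    return slice_at(segment, 20, 3) == GET


if __name__ == "__main__":
    for name, seg in (("plain", SEGMENT_PLAIN), ("with options", SEGMENT_WITH_OPTIONS)):
        print(name, "header", tcp_header_len(seg), "bytes;",
              "tcp[20:3] matches:", fixed_offset_matches(seg),
              "payload-aware matches:", payload_starts_with(seg, GET))
```

The fixed slice matches the plain segment but not the one with options, where bytes 20..22 are the option bytes rather than "GET"; the data-offset-aware check matches both. In Wireshark the same distinction is made by slicing the tcp.payload field instead of the raw tcp bytes.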



Using functions in filters (upper, lower)


upper(string-field) - converts a string field to uppercase
lower(string-field) - converts a string field to lowercase
Demo
upper(http.request.uri) contains "ONLINE"   (the literal must be uppercase too, since the field has been uppercased; lower(http.request.uri) contains "online" is the equivalent form)


Wireshark filters support comparison operators and logical operators, and bitwise operations can also be used in content filtering.


If the filter syntax is correct, the expression background turns green; if it is red, the expression is invalid. A yellow background means the expression is valid but may not behave as expected.

References:

Help > Manual Pages > Wireshark Filter in Wireshark

http://blog.csdn.net/yhwxxx/article/details/5643095

http://tieba.baidu.com/p/739516717
