Wireshark filter syntax Summary

Source: Internet
Author: User
Tags: snmp

For application recognition, the traffic generated by applications is often analyzed.

Wireshark is used to capture the packets. When extracting features, session filtering is needed to find the key stream. The basic Wireshark filter syntax is summarized here for reference. (My mind cannot remember anything)


Wireshark filtering can be divided into protocol filtering and content filtering according to the filter syntax.

For standard protocols, both coarse-grained filtering such as http and fine-grained filtering based on protocol attribute values, such as tcp.port == 53 and http.request.method == "GET", are supported.

Content filtering supports deep string matching, such as http contains "server", and matching of values at a specific offset, such as tcp[20:3] == 47:45:54.


Wireshark has two kinds of filters:

Capture filters: determine what is recorded in the capture results.
Display filters: used for detailed searching within the captured results.


The capture filter is set before capturing and determines which packets are captured. The display filter filters the packets that were captured, which makes stream tracking and troubleshooting easier.

The capture filter only supports protocol filtering. The display filter supports both protocol filtering and content filtering.

The two filters support different filter syntaxes.



Capture filter -- filters on protocol information before capturing

Syntax: Protocol Direction Host(s) Value Logical_operations Other_expression
Example: (tcp dst host 10.1.1.1 and tcp dst port 80) or (tcp dst host 10.2.2.2 and tcp dst port 3128)


Example:

(host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

Capture all packets whose IP address (source or destination) is 10.4.1.12 or whose source IP address is in the network 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination IP address is in the network 10.0.0.0/8.


Field details:

Protocol:
Possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all supported protocols are captured by default.
Note: the supported protocols are listed in Wireshark under Help > Manual Pages > Wireshark Filter.

Direction:
Possible values: src, dst, src and dst, src or dst.
If no direction is specified, "src or dst" is used by default.
"host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".

Host(s):
Possible values: net, port, host, portrange.
If none is given, "host" is used by default: "src 10.1.1.1" is equivalent to "src host 10.1.1.1".

Logical operations:
Possible values: not, and, or.
Negation ("not") has the highest priority. Alternation ("or") and concatenation ("and") have equal priority and are evaluated from left to right.
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is not equivalent to "not (tcp port 3128 and tcp port 23)".
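To make the precedence rules concrete, here is an added example (not from the original page) that evaluates the capture-filter expressions above against constructed packet summaries using the pcap rules: not binds tightest, and and or have equal precedence and associate left to right. The primitive and evaluate functions and the PKT_A/PKT_B records are assumptions of this example, and it covers only the host, net, port and portrange primitives used on this page.

```python
import ipaddress
import re

# Constructed packet summaries used by the matcher (not real captures).
PKT_A = dict(proto="tcp", src="10.6.1.5", dst="10.0.3.7", src_port=40000, dst_port=443)
PKT_B = dict(proto="tcp", src="10.1.1.1", dst="10.2.2.2", src_port=40001, dst_port=3128)

def primitive(words, pkt):
    """Match one primitive: [tcp|udp] [src|dst] [host|net|port|portrange] value."""
    if words[0] in ("tcp", "udp"):                    # protocol qualifier
        if pkt["proto"] != words.pop(0):
            return False
        if not words:                                 # bare "tcp" or "udp"
            return True
    direction = words.pop(0) if words[0] in ("src", "dst") else "src or dst"
    kind = words.pop(0) if words[0] in ("host", "net", "port", "portrange") else "host"
    sides = ("src", "dst") if direction == "src or dst" else (direction,)
    value = words[0]
    if kind == "host":
        return any(pkt[s] == value for s in sides)
    if kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(pkt[s]) in net for s in sides)
    lo, _, hi = value.partition("-")                  # "port N" or "portrange A-B"
    return any(int(lo) <= pkt[s + "_port"] <= int(hi or lo) for s in sides)

def evaluate(expr, pkt):
    """pcap rules: "not" binds tightest; "and" and "or" are equal, left to right."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr.lower())
    def operand():
        if tokens[0] == "not":
            tokens.pop(0)
            return not operand()
        if tokens[0] == "(":
            tokens.pop(0)
            inner = expression()
            tokens.pop(0)                             # the matching ")"
            return inner
        words = []
        while tokens and tokens[0] not in ("and", "or", ")"):
            words.append(tokens.pop(0))
        return primitive(words, pkt)
    def expression():
        result = operand()
        while tokens and tokens[0] in ("and", "or"):
            op, rhs = tokens.pop(0), operand()        # no short-circuit: parse the rhs
            result = (result and rhs) if op == "and" else (result or rhs)
        return result
    return expression()
```

With PKT_B the two readings of "not tcp port 3128 and tcp port 23" give different answers, which is why the page recommends parentheses when mixing operators.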



Display filter -- filters captured packets based on the protocol or the packet content.

1. Protocol filter syntax

Syntax: Protocol.String1.String2 Comparison_operator Value Logical_operations Other_expression
Example: http.request.method == "POST" or icmp.type

String1 and String2 are optional.

When filtering by protocol, you can filter by the protocol directly or by protocol attribute values.


Filter by protocol:

snmp || dns || icmp    Displays SNMP, DNS or ICMP packets.

Filter by protocol attribute values:

ip.addr == 10.1.1.1
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
ip.src == 10.230.0.0/16    Displays packets from the 10.230.0.0/16 block.
tcp.port == 25    Displays packets whose source or destination TCP port is 25.
tcp.dstport == 25    Displays packets whose destination TCP port is 25.
http.request.method == "POST"    Displays HTTP POST requests.
http.host == "tracker.1ting.com"    Displays HTTP packets whose requested host name is tracker.1ting.com.
tcp.flags.syn == 1    Displays packets with the TCP SYN flag set.

2. Content filtering syntax

2.1 Deep string matching

contains: whether the protocol, field or slice contains a value

Example

tcp contains "HTTP"    Displays TCP packets whose payload contains the string "HTTP".

http.request.uri contains "online"    Displays HTTP packets whose request URI contains "online".

2.2 Filtering values at a specific offset

tcp[20:3] == 47:45:54    /* hexadecimal bytes; the TCP header is usually 20 bytes, so this matches the first three payload bytes */

http.host[0:4] == "trac"
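The tcp[20:3] filter only works while the TCP header really is 20 bytes. The added example below (not part of the original page) builds constructed TCP segments with and without options and shows where tcp[20:3] == 47:45:54 matches "GET" and where it reads option bytes instead; build_tcp_segment, byte_literal, tcp_slice and payload_prefix are names assumed by this example.

```python
import struct

def build_tcp_segment(payload, options=b""):
    """Constructed TCP segment: 20-byte base header, optional options, then payload."""
    options += b"\x00" * (-len(options) % 4)       # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset << 4, 0x18, 65535, 0, 0)
    return header + options + payload

def byte_literal(text):
    """Parse a Wireshark byte literal such as "47:45:54" into bytes."""
    return bytes(int(h, 16) for h in text.split(":"))

def tcp_slice(segment, offset, length):
    """tcp[offset:length] as the display filter reads it: offset from the TCP header start."""
    return segment[offset:offset + length]

def payload_prefix(segment, length):
    """First payload bytes, located via the data-offset field (byte 12, high nibble)."""
    header_len = (segment[12] >> 4) * 4
    return segment[header_len:header_len + length]

def matches_get(segment):
    """(naive tcp[20:3] == 47:45:54, header-length-aware check) for one segment."""
    target = byte_literal("47:45:54")               # b"GET"
    return tcp_slice(segment, 20, 3) == target, payload_prefix(segment, 3) == target

REQUEST = b"GET / HTTP/1.1\r\n"                     # constructed payload
PLAIN = build_tcp_segment(REQUEST)
# Same request on a segment that also carries NOP, NOP and a 10-byte timestamp option.
WITH_OPTS = build_tcp_segment(REQUEST, options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
```

In Wireshark itself, the header-length-aware form of this check is tcp.payload[0:3] == 47:45:54.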

Using functions in filters (upper, lower)

upper(string-field) - converts a string field to uppercase
lower(string-field) - converts a string field to lowercase

Example
upper(http.request.uri) contains "ONLINE"

Wireshark filters support comparison operators and logical operators; bitwise operations can also be used for content filtering.

If the filter syntax is correct, the background of the expression field is green; if it is red, the expression is invalid.

Refer:

Help > Manual Pages > Wireshark Filter in Wireshark

http://blog.csdn.net/yhwxxx/article/details/5643095

http://tieba.baidu.com/p/739516717
