WireShark network packet filtering

Source: Internet
Author: User

1. Filter by IP, e.g. source IP or destination IP equal to a given address
Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or
ip.addr eq 192.168.1.107 // matches the address as either source or destination IP

2. Filter by port
Example:
tcp.port eq 80 // matches whether the port is the source or the destination
tcp.port ==
tcp.port eq 2722
tcp.port eq ... or udp.port eq ...
tcp.dstport == 80 // only the TCP destination port is 80
tcp.srcport == 80 // only the TCP source port is 80
udp.port eq 15000

Filter a port range
tcp.port >= 1 and tcp.port <=

3. Filter by protocol
Example:
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
etc.

Exclude ARP packets, for example: !arp or not arp

4. Filter by MAC
This works the same way as the header filtering above:
eth.dst == a0:00:00:04:c5:84 // filter on destination MAC
eth.src eq a0:00:00:04:c5:84 // filter on source MAC
eth.dst == a0:00:00:04:c5:84
eth.dst == a0-00-00-04-c5-84
eth.addr eq a0:00:00:04:c5:84 // source or destination MAC equals a0:00:00:04:c5:84

Comparison operators:
less than               <    lt
less than or equal      <=   le
equal                   ==   eq
greater than            >    gt
greater than or equal   >=   ge
not equal               !=   ne

5. Packet length filter
Example:
udp.length == 26   // the UDP length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7       // the TCP payload (the data carried by TCP), not including the TCP header itself
ip.len == 94       // everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end
frame.len == 119   // the whole frame, from the Ethernet header to the end

eth ---> ip or arp ---> tcp or udp ---> data

6. HTTP filtering
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

GET requests
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
POST requests
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
Responses
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
(contains is case-sensitive, so the status line and header names must be written as they appear on the wire.)
Responses must contain the following header:
Content-Type:


7. TCP flag filtering
tcp.flags                 Displays packets by their TCP flags value (e.g. tcp.flags == 0x02 for a bare SYN).
tcp.flags.syn == 1        Displays packets with the SYN flag set (the flag is bit 0x02 of tcp.flags).
tcp.window_size == 0 && tcp.flags.reset != 1

8. Filter on content

tcp[20]      means the single byte at offset 20
tcp[20:]     means all bytes from offset 20 to the end
tcp[20:8]    means 8 bytes starting at offset 20
tcp[offset:n]

udp[8:3] == 81:60:03 // skip 8 bytes, then compare the next 3 bytes with the hex values after ==
udp[8:1] == 32 // the general form is udp[offset:count] == value
eth.addr[0:3] == 00:06:5b

Example:
Check whether the first three payload bytes of a UDP datagram equal 0x20 0x21 0x22.
The UDP header has a fixed length of 8 bytes, so the payload starts at offset 8:
udp[8:3] == 20:21:22

Check whether the first three payload bytes of a TCP segment equal 0x20 0x21 0x22.
A TCP header is usually 20 bytes, but not always (TCP options make it longer):
tcp[20:3] == 20:21:22
For an exact match you first need to know the actual TCP header length.
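As an added example (not part of the original article), the following Python builds a constructed Ethernet II / IPv4 / TCP frame and recovers the field values used in section 5 (frame.len, ip.len, tcp.len) together with the payload offset that section 8's tcp[20:3] assumes. It shows that once TCP options are present, the fixed offset 20 points into the options rather than the data, which is why the real header length (Wireshark's tcp.hdr_len) has to be taken into account. Addresses, ports and option bytes are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14  # fixed Ethernet II header length, as section 5 states


def build_frame(tcp_options: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame (sample data, not a capture)."""
    assert len(tcp_options) % 4 == 0  # TCP data offset is counted in 32-bit words
    hdr_len = 20 + len(tcp_options)
    # TCP: src port, dst port, seq, ack, data offset<<4, flags (PSH|ACK), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (hdr_len // 4) << 4, 0x18,
                      65535, 0, 0) + tcp_options + payload
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 107]), bytes([192, 168, 1, 1]))
    eth = bytes.fromhex("a0000004c585") + bytes.fromhex("a0000004c584") + b"\x08\x00"
    return eth + ip + tcp


def dissect(frame: bytes) -> dict:
    """Recover the Wireshark field values that sections 5 and 8 rely on."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length
    ip_len = struct.unpack("!H", ip[2:4])[0]      # ip.len: IP header + everything after it
    tcp = ip[ihl:ip_len]
    tcp_hdr_len = (tcp[12] >> 4) * 4              # tcp.hdr_len: 20 bytes plus options
    return {
        "frame.len": len(frame),                  # whole frame, Ethernet header included
        "ip.len": ip_len,
        "tcp.hdr_len": tcp_hdr_len,
        "tcp.len": len(tcp) - tcp_hdr_len,        # payload only, header excluded
        "tcp[20:3]": tcp[20:23],                  # what the page's tcp[20:3] filter compares
        "payload[0:3]": tcp[tcp_hdr_len:tcp_hdr_len + 3],  # the bytes actually intended
    }


if __name__ == "__main__":
    marker = b"\x20\x21\x22"
    # Constructed 12-byte option block: two NOPs plus a 10-byte timestamp option.
    opts = bytes.fromhex("0101080a0000000100000002")
    for name, frame in (("no options", build_frame(b"", marker + b"rest")),
                        ("with options", build_frame(opts, marker + b"rest"))):
        f = dissect(frame)
        print(name, f, "tcp[20:3] filter hits:", f["tcp[20:3]"] == marker)
```

With options present, tcp[20:3] returns the first option bytes and the filter silently misses the segment; a filter anchored on tcp.hdr_len (or on the payload via tcp.payload) does not.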

matches (regular expression match) and contains (byte/string search) syntax
ip.src == 192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily at the first byte.

Example:
Capture the local QQ login packets (the condition is: the first payload byte == 0x02, the fourth and fifth bytes == 0x00 0x22, and the last byte == 0x03)
0x02 xx xx 0x00 0x22 ... 0x03
That is:
oicq and udp[8:] matches "^\\x02[\\x00-\\xff][\\x00-\\xff]\\x00\\x22[\\x00-\\xff]+\\x03$"
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" // login packet
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x03$" or tcp[20:] matches "^\\x02[\\x00-\\xff]{2}\\x03$")
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" or tcp[20:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$")

Not only the 00:22 (login) command carries the QQ number; other packets do as well. They satisfy the following conditions (the same applies to TCP, which is not handled here):
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2] == 00:00) and !(udp[11:2] == 00:80)
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2] == 00:00) and !(udp[15:4] == 00:00:00:00)
Description:
udp[15:4] == 00:00:00:00 means the QQ number is empty
udp[11:2] == 00:00 means the command code is 00:00
udp[11:2] == 00:80 means the command code is 00:80
When the command code is 00:80, the QQ number is 00:00:00:00

Capture the account of a successful MSN login (the condition is "USR 7 OK": the first three bytes are USR, then, separated by two 0x20 bytes, a number and OK; after OK comes one 0x20 followed by the e-mail address)
USR xx OK <e-mail address>
That is:
msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^usr\\x20[\\x30-\\x39]+\\x20ok\\x20[\\x00-\\xff]+"

9. DNS filtering

10. DHCP
Example: using Wireshark to look for a rogue DHCP server. Add the following display filter, which shows every DHCP offer/ack (bootp.type == 0x02, i.e. a BOOTP reply) that does not come from the legitimate DHCP server:
bootp.type == 0x02 and not ip.src == 192.168.1.1
(In Wireshark 3.0 and later the BOOTP fields were renamed, so the same condition is written dhcp.type == 2.)

11. MSN
msnms && tcp[23:1] == 20 // the fourth payload byte is 0x20: an MSN command packet
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5a && tcp[21:1] >= 41 && tcp[21:1] <= 5a && tcp[22:1] >= 41 && tcp[22:1] <= 5a
msnms && tcp[20:3] == "USR" // find packets whose command code is USR
msnms && tcp[20:3] == "MSG" // find packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80

How can I tell whether a packet is an MSN packet containing a command code?
1) Port 1863 or 80, for example: tcp.port == 1863 || tcp.port == 80
2) The first three payload bytes are uppercase letters (0x41 to 0x5a), for example:
tcp[20:1] >= 41 && tcp[20:1] <= 5a && tcp[21:1] >= 41 && tcp[21:1] <= 5a && tcp[22:1] >= 41 && tcp[22:1] <= 5a
3) The fourth byte is 0x20, for example: tcp[23:1] == 20
4) MSN runs over TCP, for example: tcp

MSN Messenger Protocol Analysis
Http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN Protocol Analysis
Http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

A more detailed description:
<<Wireshark Filter Expression Examples>>
http://www.csna.cn/viewthread.php?tid=14614

Wireshark the main interface of the Operation menu in English vs.
Http://www.csna.cn/viewthread.php?tid=9645&extra=page%3D1

Another good network analysis tool:
"Colasoft Network Analysis System"

Website for learning Ethereal/Wireshark
http://www.csna.cn/index.php

###########################################################################

1. Basic regular-expression characters in Wireshark

\d      a digit, 0-9
\D      the complement of \d (the case of the letter is flipped to form the complement), i.e. any non-digit character
\w      a word character: uppercase and lowercase letters, the digits 0-9, and underscore
\W      the complement of \w
\s      a whitespace character, including newline \n, carriage return \r, tab \t, vertical tab \v and form feed \f
\S      the complement of \s
.       any character except the newline \n. In Perl, a mode in which "." also matches newlines is called "single-line mode"
.*      matches any text that does not contain a newline (\n); [\x00-\xff]* matches any text, including \n
[...]   matches any one of the characters listed in []
[^...]  matches any character not listed in []

----------------------------------------------------------------------------------------
2. Anchors (position characters) stand for a virtual character: they denote a position, which you can think of as the small gap between two characters.

^   the following characters must be at the beginning of the string
$   the preceding characters must be at the end of the string
\b  matches a word boundary
\B  matches a non-word boundary

----------------------------------------------------------------------------------------
3. Repetition (quantifier) characters

{n}    matches the preceding character exactly n times
{n,}   matches the preceding character n or more times
{n,m}  matches the preceding character n to m times
?      matches the preceding character 0 or 1 times
+      matches the preceding character 1 or more times
*      matches the preceding character 0 or more times

----------------------------------------------------------------------------------------
4. and / or

and   symbol &&
or    symbol ||
For example:
tcp and tcp.port == 80
tcp or udp

----------------------------------------------------------------------------------------
5. Wireshark filter matching expression examples

5.1 Filtering on the UDP payload (the 8 is the length of the UDP header, 8 bytes; the payload starts at the 9th byte, udp[8:])
udp[8] == 14 (14 is hexadecimal 0x14) matches UDP packets whose first payload byte is 0x14
udp[8:2] == 14:05 can also be written udp[8:2] == 1405; the run-together form is only supported for 2 bytes, three or more bytes must be written as colon-separated hex. (Equivalent to udp[8] == 14 and udp[9] == 05; 1405 means 0x1405.)
udp[8:3] == 22:00:f7, but you cannot write udp[8:3] == 2200f7.
udp[8:4] == 00:04:00:2a matches the first 4 payload bytes 0x0004002a
udp contains 7c:7c:7d:7d matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily at the first byte.
udp[8:4] matches "\\x14\\x05\\x07\\x18"
udp[8:] matches "^\\x14\\x05\\x07\\x18\\x14"

5.2 Filtering on the TCP payload (the 20 is the length of the TCP header, 20 bytes; the payload starts at the 21st byte, tcp[20:])
tcp[20:] matches "^get [-~]*http/1.1\\x0d\\x0a"
Equivalent to http matches "^get [-~]*http/1.1\\x0d\\x0a"

tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a"
tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a[\\x00-\\xff]*host: (.*?)PPLive(.*?)\\x0d\\x0a"
tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a[\\x00-\\xff]*host: "
tcp[20:] matches "^post / http/1.1\\x0d\\x0a[\\x00-\\xff]*\\x0d\\x0aconnection: keep-alive\\x0d\\x0a\\x0d\\x0a"

Detect the SMB signature in the SMB header: the SMB marker starts 24 bytes into the TCP segment (the 20-byte TCP header plus the 4-byte NetBIOS session header).
tcp[24:4] == ff:53:4d:42

Detect the SMB signature anywhere: the TCP data contains the hex bytes ff:53:4d:42, searched from the start of the TCP header.
tcp contains ff:53:4d:42
tcp matches "\\xff\\x53\\x4d\\x42"

Detect TCP segments containing the hex bytes 01:bd, searched from the start of the TCP header (the hex escape must be lowercase \\x; in PCRE an uppercase \\X means something else).
tcp matches "\\x01\\xbd"

Detect the RPC request path used by MS08-067:
tcp[179:13] == 00:5c:00:2e:00:2e:00:5c:00:2e:00:2e:00
                  \     .     .     \     .     .      (UTF-16LE "\..\..")
5.3 Other
http.request.uri matches ".gif$" filters HTTP request packets whose request URI ends with the string ".gif" (4 bytes); $ is the end-of-string anchor in regular expressions.
Note the difference: http.request.uri contains ".gif$" is not the same. contains looks for the literal string ".gif$" (5 bytes), i.e. it filters HTTP request packets whose request URI contains the characters ".gif$" (here $ is an ordinary character, not an anchor).

eth.addr[0:3] == 00:1e:4f filters packets whose MAC address begins with the 3 bytes 0x001e4f.

Finish

