1. IP address filtering: match packets whose source or destination IP address equals a given address.
For example, ip.src == 192.168.0.208 or ip.src eq 192.168.0.208 shows packets with that source IP address;
ip.dst == 192.168.0.208 or ip.dst eq 192.168.0.208 shows packets with that destination IP address;
ip.addr == 192.168.0.208 shows packets that have that address as either source or destination.
2. Port filtering:
For example, tcp.port eq 80 // matches packets whose source port or destination port is 80
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP packets whose destination port is 80
tcp.srcport == 80 // only TCP packets whose source port is 80
Filtering a port range:
tcp.port >= 1 and tcp.port <= 80
3. Protocol filtering: type the protocol name on its own, e.g. tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, and so on.
To exclude SSL packets: !ssl or not ssl
4. Packet length filtering:
For example:
udp.length == 26 // the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the data carried after the TCP header (the TCP payload), not counting the TCP header itself
ip.len == 94 // everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
frame.len == 119 // the length of the whole frame, from the Ethernet header to the end
5. HTTP filtering (string comparisons are case-sensitive, so the method must be written in upper case):
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
// POST packets
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
// Response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
Response packets must contain the following header:
Content-Type:
6. Connectors: and / or (also written && / ||)
7. Example expression: !(arp.src.proto_ipv4 == 192.168.1.1) and !(arp.dst.proto_ipv4 == 192.168.1.243)
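As an added example (it is not part of this cheat sheet and not Wireshark's own code), the Python script below implements a small evaluator for the filter subset used in sections 1 to 7 and runs it over four hand-constructed packet records. It shows the behaviour those sections describe: ip.addr and tcp.port match either endpoint, a tcp.port range matches when either port falls inside it, a bare protocol name tests for the presence of that layer (so !ssl keeps every packet without SSL), the length fields are related as udp.length = 8 + payload, ip.len = frame.len - 14 and tcp.len = payload only, and string comparisons such as http.request.method == "GET" are case-sensitive. The packet records, header sizes and HTTP payloads are constructed assumptions, and the names http_packet, tokenize, parse, evaluate and select belong to this example, not to Wireshark.

```python
"""Mini evaluator for a subset of Wireshark display-filter syntax (added example; not the
cheat sheet's or Wireshark's own code). Packets are constructed by hand, not captured."""
import operator, re

ETH, IPV4, TCP, UDP = 14, 20, 20, 8     # header sizes: ip.len = frame.len - ETH, udp.length = UDP + payload

def http_packet(src, dst, sport, dport, text):   # constructed Ethernet/IPv4/TCP/HTTP packet
    ip_len = IPV4 + TCP + len(text)              # tcp.len counts only the HTTP payload
    pkt = {"layers": {"eth", "ip", "tcp", "http"}, "text": {"http": text}, "ip.src": src,
           "ip.dst": dst, "tcp.srcport": sport, "tcp.dstport": dport, "tcp.len": len(text),
           "ip.len": ip_len, "frame.len": ETH + ip_len}
    line = text.split("\r\n", 1)[0].split(" ")
    if not line[0].startswith("HTTP/"):          # request line is "METHOD URI VERSION"
        pkt["http.request.method"], pkt["http.request.uri"] = line[0], line[1]
    return pkt

PACKETS = [
    http_packet("192.168.0.208", "93.184.216.34", 52113, 80,
                "GET /img/logo-edu.gif HTTP/1.1\r\nHost: e.com\r\nUser-Agent: curl\r\n\r\n"),
    http_packet("93.184.216.34", "192.168.0.208", 80, 52113,
                "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"),
    {"layers": {"eth", "ip", "udp", "dns"}, "text": {}, "ip.src": "192.168.0.208",   # DNS query with
     "ip.dst": "192.168.0.1", "udp.srcport": 40123, "udp.dstport": 53,               # an 18-byte payload
     "udp.length": UDP + 18, "ip.len": IPV4 + UDP + 18, "frame.len": ETH + IPV4 + UDP + 18},
    {"layers": {"eth", "arp"}, "text": {}, "frame.len": 42,                          # ARP: no IP layer
     "arp.src.proto_ipv4": "192.168.1.1", "arp.dst.proto_ipv4": "192.168.1.243"},
]

COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport")}     # fields that match either endpoint
WORDS = {"eq": "==", "and": "&&", "or": "||", "not": "!", "contains": "contains"}  # word operators
CMP = {"==": operator.eq, ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
TOKEN = re.compile(r'\s*(?:"([^"]*)"|(==|>=|<=|>|<|&&|\|\||!|\(|\))|([A-Za-z_][\w.]*)|(\d[\d.]*))')

def tokenize(text):
    """(kind, value) tokens: STR, OP, ID or NUM, followed by an END sentinel."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        pos, (string, op, ident, num) = m.end(), m.groups()
        if string is not None: tokens.append(("STR", string))
        elif op: tokens.append(("OP", op))
        else: tokens.append(("NUM", num) if num else ("OP", WORDS[ident]) if ident in WORDS else ("ID", ident))
    return tokens + [("END", None)]

def parse(text):   # recursive descent, lowest precedence first: or, and, not, then one comparison
    toks, pos = tokenize(text), [0]
    def peek(): return toks[pos[0]]
    def take():
        if peek()[0] == "END": raise ValueError("filter ends too early")
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary(sym, tag, sub):                 # left-associative chain of one operator
        node = sub()
        while peek() == ("OP", sym):
            take(); node = (tag, node, sub())
        return node
    def or_expr(): return binary("||", "or", and_expr)
    def and_expr(): return binary("&&", "and", not_expr)
    def not_expr():
        if peek() == ("OP", "!"):
            take(); return ("not", not_expr())
        return primary()
    def primary():
        if peek() == ("OP", "("):
            take(); node = or_expr()
            if take() != ("OP", ")"): raise ValueError("missing ')'")
            return node
        kind, name = take()
        if kind != "ID": raise ValueError(f"expected a field or protocol name, got {name!r}")
        if peek()[0] == "OP" and peek()[1] in CMP:     # field == value, field >= value, ...
            op = take()[1]; return ("cmp", name, op, take()[1])
        if peek() == ("OP", "contains"):              # field contains "string"
            take(); return ("contains", name, take()[1])
        return ("present", name)                      # bare name such as tcp, ssl or http
    tree = or_expr()
    if peek()[0] != "END": raise ValueError(f"unexpected token {peek()[1]!r}")
    return tree

def values(pkt, name): return [pkt[n] for n in COMBINED.get(name, (name,)) if n in pkt]

def evaluate(tree, pkt):
    kind = tree[0]
    if kind == "or": return evaluate(tree[1], pkt) or evaluate(tree[2], pkt)
    if kind == "and": return evaluate(tree[1], pkt) and evaluate(tree[2], pkt)
    if kind == "not": return not evaluate(tree[1], pkt)
    if kind == "present": return tree[1] in pkt["layers"] or bool(values(pkt, tree[1]))  # layer/field exists
    vals = values(pkt, tree[1])
    if kind == "contains":                         # a protocol name searches that layer's bytes
        return any(tree[2] in h for h in ([pkt["text"][tree[1]]] if tree[1] in pkt["text"] else map(str, vals)))
    op, lit = CMP[tree[2]], tree[3]                # ints compare numerically, strings exactly (case-sensitive)
    return any(op(v, int(lit)) if isinstance(v, int) else op(v, lit)
               for v in vals if not isinstance(v, int) or lit.isdigit())

def select(filter_text, packets=PACKETS):      # indices of the packets the filter keeps
    tree = parse(filter_text)
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]
```

For instance, select("tcp.port >= 1 and tcp.port <= 80") returns [0, 1] even though both HTTP packets have one ephemeral port above 80: each comparison is satisfied as soon as any occurrence of the field satisfies it, exactly as in Wireshark, so a "range" on tcp.port is not a range on both ports at once. Likewise select('http.request.method == "get"') returns [] while the upper-case "GET" matches packet 0, and the section 7 expression keeps every non-ARP packet because a comparison on an absent field is false and its negation is true.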