Wireshark Filter Rule usage
First, MAC address filtering
Command summary:
eth.addr==20:dc:e6:f3:78:cc
eth.src==20:dc:e6:f3:78:cc
eth.dst==20:dc:e6:f3:78:cc
1. Filter by MAC address
Use command: eth.addr==20:dc:e6:f3:78:cc
Command explanation: filters out the packets whose MAC address is 20:dc:e6:f3:78:cc, that is, all packets in which 20:dc:e6:f3:78:cc is either the source or the destination MAC address. Note that the field name (eth.addr) is case-sensitive and must be lowercase; the hex digits of the address itself may be written in either case.
2. Filter by source MAC address
Use command: eth.src==20:dc:e6:f3:78:cc
Command explanation: filters out the packets whose source MAC address is 20:dc:e6:f3:78:cc.
3. Filter by destination MAC address
Use command: eth.dst==20:dc:e6:f3:78:cc
Command explanation: filters out the packets whose destination MAC address is 20:dc:e6:f3:78:cc.
Second, IP address filtering
Command summary:
ip.addr==192.168.1.122 // filter by IP address, matching either the source IP or the destination IP
ip.src==192.168.1.122 // filter by source IP address
ip.dst==192.168.1.122 // filter by destination IP address
1. Filter by IP address
Use command: ip.addr==192.168.1.122
Command explanation: filters out the packets whose IP address is 192.168.1.122, that is, all packets in which 192.168.1.122 is either the source or the destination IP address.
2. Filter by source IP address
Use command: ip.src==182.254.110.91
Command explanation: filters out the packets whose source IP address is 182.254.110.91.
3. Filter by destination IP address
Use command: ip.dst==192.168.1.122
Command explanation: filters out the packets whose destination IP address is 192.168.1.122.
Third, port filtering
Port filtering works the same way. For example, entering tcp.port==80 in the filter box keeps the packets in which either the source port or the destination port is 80. Use tcp.dstport==80 to keep only the packets whose destination port is 80, and tcp.srcport==80 to keep only the packets whose source port is 80.
Command summary:
tcp.port==80 // filter by TCP port, matching either the source port or the destination port
tcp.dstport==80 // filter by destination TCP port
tcp.srcport==80 // filter by source TCP port
udp.port==4010 // filter by UDP port, matching either the source port or the destination port
udp.srcport==4010 // filter by source UDP port
udp.dstport==4010 // filter by destination UDP port
1. Filter by TCP port
Use command: tcp.port==80
Command explanation: filters out the TCP packets that use port 80, whether 80 is the source port or the destination port.
2. Filter by destination port
Use command: tcp.dstport==80
Command explanation: filters out the TCP packets whose destination port is 80.
3. Filter by source port
Use command: tcp.srcport==80
Command explanation: filters out the TCP packets whose source port is 80.
Fourth, protocol filtering
Filter packets by communication protocol, such as the HTTP protocol or the FTP protocol. Common protocol names include the following (written exactly as they are entered in the filter box):
udp
tcp
arp
icmp
smtp
pop
dns
ip
ssl
http
ftp
telnet
ssh
rdp
rip
ospf
1. Filter out HTTP protocol packets
Protocol filtering is straightforward: type the protocol name directly into the filter box. For example, to keep only HTTP packets, enter:
Use command: http
Note: in protocol filtering the protocol name must be written in lowercase; otherwise the filter is rejected as invalid.
2. Filter out HTTP GET packets
Use command: http.request.method==GET
Command explanation: filters out the HTTP packets that use the GET method. Note that GET must be written in uppercase; otherwise the filter matches nothing.
3. Filter out HTTP POST packets
Use command: http.request.method==POST
Command explanation: filters out the HTTP packets that use the POST method. Note that POST must be written in uppercase; otherwise no data is matched.
Fifth, logical condition combination filtering
Summary of logical operators:
|| // logical OR
&& // logical AND
! // logical NOT
1. Logical AND filtering
Use command: ip.src==192.168.1.122&&ip.dst==121.114.244.119
Command explanation: filters out the packets whose source IP address is 192.168.1.122 and whose destination IP address is 121.114.244.119. Parentheses can also be used for grouping; the command above is equivalent to the following:
(ip.src==192.168.1.122)&&(ip.dst==121.114.244.119)
2. Logical OR filtering
Use command: ip.src==192.168.1.122||ip.src==182.254.110.91
Command explanation: filters out the packets whose source IP address is either 192.168.1.122 or 182.254.110.91.
3. Logical NOT filtering
Use command: !(ip.addr==192.168.1.122)
Command explanation: filters out the packets in which 192.168.1.122 appears neither as the source nor as the destination IP address.
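To show how the filters on this page behave when combined, the following is a small evaluator added for this article (it is not part of the original post and not Wireshark code): it interprets the page's filter syntax (field comparisons, the either-direction shorthand eth.addr/ip.addr/tcp.port/udp.port, bare protocol names, &&, ||, ! and parentheses) over three constructed sample packets. The packet dicts and the function names are assumptions made for the example.

```python
import re
# Constructed sample packets (not real captures), keyed by the Wireshark field names the page uses.
PACKETS = [
    {"eth.src": "20:dc:e6:f3:78:cc", "eth.dst": "ff:ff:ff:ff:ff:ff", "ip.src": "192.168.1.122",
     "ip.dst": "121.114.244.119", "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.method": "GET"},
    {"eth.src": "00:11:22:33:44:55", "eth.dst": "20:dc:e6:f3:78:cc", "ip.src": "182.254.110.91",
     "ip.dst": "192.168.1.122", "tcp.srcport": 80, "tcp.dstport": 51234},
    {"eth.src": "00:11:22:33:44:55", "eth.dst": "66:77:88:99:aa:bb", "ip.src": "10.0.0.5",
     "ip.dst": "10.0.0.9", "udp.srcport": 4010, "udp.dstport": 53},
]
# The ".addr" and ".port" fields match either direction, exactly as the page explains.
ALIASES = {"eth.addr": ("eth.src", "eth.dst"), "ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
TOKEN = re.compile(r'\(|\)|&&|\|\||!|==|"[^"]*"|[A-Za-z0-9_.:]+')
def field_matches(pkt, field, value):
    if value is None:                              # bare name such as "http": is the protocol present?
        return any(k == field or k.startswith(field + ".") for k in pkt)
    want = value.strip('"')
    for key in ALIASES.get(field, (field,)):       # eth.addr -> eth.src, eth.dst, and so on
        have = str(pkt.get(key))
        if key.startswith("eth."):                 # MAC bytes are hex, so 20:DC:... equals 20:dc:...
            have, want = have.lower(), want.lower()
        if key in pkt and have == want:            # other strings (GET, POST) compare case-sensitively
            return True
    return False

def evaluate(expr, pkt):                           # ( ) and ! bind tighter than &&, && tighter than ||
    toks = TOKEN.findall(expr)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError("bad filter syntax: " + expr)          # e.g. "| |" written instead of "||"
    take = lambda: toks.pop(0) if toks else None
    def atom():
        t = take()
        if t == "(": v = or_(); take(); return v    # parenthesised sub-expression; take() eats ")"
        if t == "!": return not atom()
        if not (t and re.fullmatch(r"[a-z][a-z0-9_.]*", t)): raise ValueError("field names must be lowercase, got %r" % t)
        value = (take() and take()) if toks[:1] == ["=="] else None         # skip "==", read value
        return field_matches(pkt, t, value)
    def binop(sub, op, combine):                   # left-to-right chain of one operator level
        v = sub()
        while toks[:1] == [op]: take(); v = combine(v, sub())
        return v
    and_ = lambda: binop(atom, "&&", lambda a, b: a and b)
    or_ = lambda: binop(and_, "||", lambda a, b: a or b)
    return or_()
def apply_filter(expr, packets=PACKETS):           # indexes Wireshark's packet list would keep
    return [i for i, p in enumerate(packets) if evaluate(expr, p)]
def is_valid_filter(expr):                         # True if the expression parses at all
    try: evaluate(expr, {}); return True
    except ValueError: return False
```

Running apply_filter with the page's own expressions shows which of the three sample packets each filter keeps, and is_valid_filter reproduces the page's caveat that an upper-case field name such as ETH.ADDR is rejected.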
This article is from the "Eagle a" blog; please keep this source when reproducing it: http://laoyinga.blog.51cto.com/11487316/1767613