A Wireshark capture usually collects far more data than we need, so we filter it to pick out only the packets we care about.
Wireshark provides two kinds of filters:
Capture filter: the filter condition is set before capturing starts, and only packets that match it are recorded.
Display filter: the filter condition is applied to the set of packets already captured; packets that do not match are hidden, and only matching packets are shown.
It is important to note that the two filters use completely different syntaxes. This post covers the capture filter.
The main reason for using a capture filter is performance. If you know that you do not need to analyze a certain type of traffic, you can simply filter it out with a capture filter and save the processor resources and disk space that would otherwise go into capturing those packets. Capture filters are especially handy when working with large amounts of data. The flip side is that packets rejected by a capture filter are never recorded, so they cannot be recovered later; a display filter can be changed at any time after the capture.
The start page of the new Wireshark is very concise and offers two main actions: first set up a capture filter, then select the network interface to capture on. This shows how important capture filters are.
For example, if we only want to capture traffic on port 80, we can set the filter "port 80".
The capture filter is implemented by the capture library (WinPcap on Windows, libpcap on other platforms) and uses the Berkeley Packet Filter (BPF) syntax. A filter expression has the form:
protocol direction type value
protocol: possible values include ether, ip, arp, tcp, udp, icmp and so on. If no protocol is given, all supported protocols are matched by default. Application-layer protocols such as HTTP and FTP are not protocol keywords in capture filters; filter on their ports instead (for example "port 80" or "port 21").
direction: possible values src and dst. If neither is given, "src or dst" is assumed. For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".
type: possible values net, port and host. If none is given, "host" is assumed. For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".
We can also combine expressions with the following three logical operators to build more advanced expressions. Each operator has a keyword form and a symbolic form, and either may be used:
logical AND: and / &&      logical OR: or / ||      logical NOT: not / !
For example, the following expression captures only packets whose source address is 192.168.0.10 and whose source port or destination port is 80:
src 192.168.0.10 && port 80
Application examples
If we want to capture the packets of a particular host or device, we can build the filter from the device's IP address or MAC address.
For example, to capture only packets to or from the IP address 192.168.0.10:
host 192.168.0.10
If the host's IP address may change, you can filter by its MAC address instead (the pcap-filter documentation writes MAC addresses with colons; use that form if a hyphenated address such as 00-50-56-c0-00-01 is rejected):
ether host 00:50:56:c0:00:01
You can also filter by the direction of the traffic:
src host 192.168.0.10                 // packets sent from 192.168.0.10
dst host 192.168.0.10                 // packets sent to 192.168.0.10
ether src host 00:50:56:c0:00:01      // frames sent from 00:50:56:c0:00:01
ether dst host 00:50:56:c0:00:01      // frames sent to 00:50:56:c0:00:01
It is important to note that host is the default type, so each of the above expressions means the same thing with or without the host keyword.
Similarly, filtering by port:
port 8080        // capture only traffic to or from port 8080
!port 8080       // capture everything except traffic on port 8080
dst port 8080    // capture only traffic sent to port 8080
Filtering by protocol or by type of communication:
icmp             // capture only ICMP traffic
!broadcast       // do not capture broadcast packets
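As an added example (not part of the original post, and not libpcap or Wireshark code), here is a small Python interpreter for the subset of the BPF capture-filter syntax laid out in the syntax rules above and used in the application examples. It writes out the two defaults the post states (a missing direction becomes "src or dst", a missing type becomes "host"), so the equivalences the post claims can be checked, and it evaluates the example filters against a handful of constructed packet records. The MAC addresses, the address 203.0.113.5, the frame layout and the function names are assumptions made for illustration; real libpcap supports many more primitives than this toy, so it is a teaching aid, not a substitute for testing a filter against real traffic.

```python
"""Toy interpreter for the capture-filter subset described in this post (an added example,
not libpcap or Wireshark code): it makes the post's defaults explicit (no direction ->
"src or dst", no type -> "host") and runs filters over constructed packet records."""
import ipaddress

PROTOS = {"ether", "ip", "arp", "tcp", "udp", "icmp", "broadcast"}
DIRS, TYPES = {"src", "dst", "src-or-dst"}, {"host", "net", "port"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def tokenize(expr):
    """Symbolic operators become keywords; the three words 'src or dst' fold into one token."""
    toks = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ").lower().split()
    out, i = [], 0
    while i < len(toks):
        fold = toks[i:i + 3] == ["src", "or", "dst"]
        out.append("src-or-dst" if fold else toks[i])
        i += 3 if fold else 1
    return out

def proto_ok(proto, pkt):            # no qualifier (None) and 'ether' accept every frame
    if proto == "broadcast":
        return pkt["eth_dst"] == BROADCAST
    if proto == "ip":
        return pkt["proto"] in ("tcp", "udp", "icmp")
    return proto in (None, "ether") or pkt["proto"] == proto

def field_ok(proto, direction, typ, value, pkt):
    """One '[proto] [direction] [type] value' primitive against a packet record."""
    if not proto_ok(proto, pkt) or (typ == "port" and pkt["proto"] not in ("tcp", "udp")):
        return False
    src, dst = ((pkt["sport"], pkt["dport"]) if typ == "port" else
                (pkt["eth_src"], pkt["eth_dst"]) if proto == "ether" else
                (pkt["ip_src"], pkt["ip_dst"]))            # host/net: IP (or ARP) addresses
    if typ == "net":
        net = ipaddress.ip_network(value, strict=False)
        hit = lambda x: ipaddress.ip_address(x) in net
    else:
        hit = lambda x: x == value
    # the "src or dst" default accepts a hit in either field
    return any(hit(x) for x in {"src": [src], "dst": [dst]}.get(direction, [src, dst]))

class Parser:
    """Recursive descent (or > and > not > primitive); each level returns (predicate, canonical text)."""
    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def parse(self):
        pred, text = self.binary("or")
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred, text
    def binary(self, op):
        lower = (lambda: self.binary("and")) if op == "or" else self.not_expr
        pred, text = lower()
        while self.peek() == op:
            self.take()
            rp, rt = lower()
            pred = lambda p, l=pred, r=rp, o=op: (l(p) or r(p)) if o == "or" else (l(p) and r(p))
            text = f"{text} {op} {rt}"
        return pred, text
    def not_expr(self):
        if self.peek() != "not":
            return self.primitive()
        self.take()
        pred, text = self.not_expr()
        return (lambda p, f=pred: not f(p)), f"not {text}"
    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        direction = self.take() if self.peek() in DIRS else None
        typ = self.take() if self.peek() in TYPES else None
        if proto and not (direction or typ) and self.peek() in (None, "and", "or"):
            return (lambda p, pr=proto: proto_ok(pr, p)), proto        # bare keyword: icmp, arp, broadcast
        if self.peek() in (None, "and", "or", "not"):
            raise ValueError("filter primitive is missing its value")
        value = self.take()
        direction, typ = direction or "src-or-dst", typ or "host"      # the two defaults the post describes
        value = int(value) if typ == "port" else value.replace("-", ":")   # 00-50-56-... == 00:50:56:...
        text = " ".join(filter(None, (proto, direction.replace("-", " "), typ, str(value))))
        return (lambda p, pr=proto, d=direction, t=typ, v=value: field_ok(pr, d, t, v, p)), text

def normalize(expr):
    """The filter text with the post's defaults written out explicitly."""
    return Parser(expr).parse()[1]

def capture(expr, packets):          # frame numbers a capture filter would keep
    pred = Parser(expr).parse()[0]
    return [p["no"] for p in packets if pred(p)]

# Constructed sample traffic (not a real capture); 203.0.113.5 is an RFC 5737 documentation address.
PC, GW = "00:50:56:c0:00:01", "00:0c:29:aa:bb:cc"
FIELDS = ("no", "eth_src", "eth_dst", "proto", "ip_src", "ip_dst", "sport", "dport")
SAMPLE = [dict(zip(FIELDS, row)) for row in (
    (1, PC, GW, "tcp", "192.168.0.10", "203.0.113.5", 51000, 80),        # HTTP request from the PC
    (2, GW, PC, "tcp", "203.0.113.5", "192.168.0.10", 80, 51000),        # HTTP reply
    (3, PC, GW, "udp", "192.168.0.10", "192.168.0.1", 40000, 53),        # DNS query
    (4, GW, BROADCAST, "arp", "192.168.0.1", "192.168.0.10", None, None),  # ARP who-has
    (5, GW, PC, "icmp", "10.2.2.2", "192.168.0.10", None, None),         # ping from 10.2.2.2
)]
```

With this, normalize("src 10.1.1.1") returns "src host 10.1.1.1" and normalize("host 10.2.2.2") returns "src or dst host 10.2.2.2", matching the rules above, while capture("src 192.168.0.10 && port 80", SAMPLE) keeps only frame 1 and capture("!broadcast", SAMPLE) drops the ARP frame. Against a real system, the equivalent sanity check is tcpdump -d 'src 192.168.0.10 and port 80', which prints the compiled BPF program and rejects invalid syntax before any capture starts; Wireshark's capture filter field does the same syntax check as you type.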
This article is from the blog "A Pot of Turbid Wine"; please contact the author before reproducing it.
Wireshark Series 4: Capture Filters