Wireshark series: Wireshark filters

Source: Internet
Author: User
Tags: snmp

One: Filters
    1. When Wireshark captures with its default configuration it collects a great deal of data, which makes it hard to find the packets we actually want to analyze. Wireshark filters are therefore essential.
    2. Wireshark filters are divided into two types: display filters and capture filters.
    3. If the filter syntax is correct the filter box is shown in green; a syntax error is shown in red.
    4. Difference between display filters and capture filters: the capture filter is the first layer of Wireshark filtering and decides which packets are captured and which are discarded; the display filter is the second layer and, among the packets that passed the capture filter, shows only those that match its rules.
Two: Display filter

I) Introduction

      1. The display filter is the second layer of Wireshark filtering (the first layer is the capture filter); it lets us quickly narrow the capture down to the packets we need.

II) Display filter syntax

      1. Comparison operators: ==, !=, <, >, >=, <=
      2. Logical operators: and, or, not (negates the condition), xor (true when exactly one of the two conditions is met)
      3. IP addresses: ip.addr (source or destination IP address), ip.src (source IP address only), ip.dst (destination IP address only)
      4. Protocol filtering: arp, ip, icmp, udp, tcp, bootp, dns
      5. Note: a display filter does not take effect until you press Enter. Applying a display filter to a large capture file takes some time.

III) Where to enter a display filter

      1. Type it into the filter box by hand
      2. Use the bookmark (saved filters) manager
      3. Enter it from the Analyze menu
      4. In the packet details pane, select a protocol or field and right-click to apply it as a filter

IV) Examples

      1. Show SNMP, DNS or ICMP packets: snmp || dns || icmp
      2. Show packets whose source or destination address is 10.1.1.1: ip.addr == 10.1.1.1
      3. Show packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6: ip.src != 10.1.2.3 or ip.src != 10.4.5.6
      4. Show packets whose source or destination port is 25: tcp.port == 25
      5. Show packets whose destination TCP port is 25: tcp.dstport == 25
      6. Show packets that contain the TCP flags field: tcp.flags
      7. Show packets with source IP 10.1.2.3 and destination address 10.4.5.6: ip.src == 10.1.2.3 and ip.dst == 10.4.5.6
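As an added example (not from the original article, and not Wireshark's own filter engine), the Python below evaluates the subset of display-filter syntax used in the examples above against a few constructed packets, so the behaviour of combined fields such as ip.addr and tcp.port, operator precedence, and the != operator can be checked without a capture file. The packet contents and field values are constructed for illustration.

```python
import operator, re

# Constructed sample packets (not a real capture): dissected fields keyed by Wireshark field name, plus the protocol layers present.
PACKETS = [
    {"no": 1, "protocols": {"ip", "tcp", "smtp"}, "ip.src": "10.1.2.3", "ip.dst": "10.4.5.6",
     "tcp.srcport": 40001, "tcp.dstport": 25, "tcp.flags": 0x018},
    {"no": 2, "protocols": {"ip", "udp", "dns"}, "ip.src": "10.1.1.1", "ip.dst": "10.2.2.2"},
    {"no": 3, "protocols": {"ip", "icmp"}, "ip.src": "10.4.5.6", "ip.dst": "10.1.1.1"},
    {"no": 4, "protocols": {"ip", "tcp"}, "ip.src": "10.9.9.9", "ip.dst": "10.1.2.3",
     "tcp.srcport": 25, "tcp.dstport": 51000, "tcp.flags": 0x002},
]
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}  # combined fields
TOKEN = re.compile(r"\s*(\(|\)|==|!=|>=|<=|<|>|&&|\|\||\^\^|!|[\w.]+)")
OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def values(pkt, field):  # every value the field takes in this packet (a combined field may give two)
    return [pkt[f] for f in ALIASES.get(field, (field,)) if f in pkt]

def compare(pkt, field, op, literal):
    want = int(literal, 16 if literal.startswith("0x") else 10) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", literal) else literal
    vals = values(pkt, field)
    if op == "!=":  # since Wireshark 3.6 "a != b" means "!(a == b)": no value of the field may equal b
        return bool(vals) and not any(v == want for v in vals)
    return any(OPS[op](v, want) for v in vals)  # == and the orderings match if ANY value matches

def evaluate(filter_text, pkt):  # recursive descent with Wireshark precedence: not > and > or/xor
    toks, pos = TOKEN.findall(filter_text), 0
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def peek(): return toks[pos] if pos < len(toks) else None
    def expr():                                   # or / xor level (lowest precedence)
        left = term()
        while peek() in ("or", "||", "xor", "^^"):
            op, right = take(), term()
            left = (left != right) if op in ("xor", "^^") else (left or right)
        return left
    def term():                                   # and level
        left = factor()
        while peek() in ("and", "&&"):
            take(); right = factor(); left = left and right
        return left
    def factor():                                 # not, parentheses, comparison, or a bare name
        tok = take()
        if tok in ("not", "!"): return not factor()
        if tok == "(": val = expr(); take(); return val
        if peek() in OPS or peek() == "!=": return compare(pkt, tok, take(), take())
        return tok in pkt["protocols"] or bool(values(pkt, tok))  # bare name: is it present?
    return bool(expr())

def matching(filter_text):  # frame numbers the display filter would leave visible
    return [p["no"] for p in PACKETS if evaluate(filter_text, p)]
```

Running example 3 through matching() shows that it selects every sample packet, because each source address differs from at least one of the two literals; to exclude an address use the form !(ip.addr == 10.1.1.1).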
Three: Capture Filter

I) Role

      1. Determines which packets are recorded in the capture. Note: the capture filter must be set before the capture is started.
      2. Set the capture filter in the capture options

II) Capture filter syntax

Filter format: protocol direction type value (type is host, net, port or portrange)
1. Protocol: possible values include http, https, ftp, udp, tcp, ipv4, ipv6, arp, icmp and other protocols. If no protocol is given, all supported protocols are matched by default.
2. Direction: possible values src, dst, src and dst, src or dst; the default is src or dst.
3. Host(s): possible values net, port, host, portrange; the default is host.
4. Logical operators: not, and, or. not has the highest priority; and and or have equal priority and are evaluated from left to right.

III) Setting a capture filter

    1. Set it from the Capture toolbar
    2. Type it in by hand

IV) Examples

      1. Show IP packets whose source host is 10.1.1.1: ip src host 10.1.1.1
      2. Show IP packets whose source or destination host is 10.1.1.1: ip host 10.1.1.1
      3. Show UDP or TCP packets whose source port is in the range 2000-5000: src portrange 2000-5000
      4. Show all packets except ICMP: not icmp
