One: Filter
- When capturing with Wireshark under the default configuration you get a large amount of data, which makes it hard to find the packets you actually want to analyze, so using Wireshark filters is especially important.
- Wireshark filters are divided into two types: the display filter and the capture filter.
- If the filter syntax is correct the input box is shown in green; a syntax error is shown in red.
- The difference between a display filter and a capture filter: the capture filter is the first layer of Wireshark filtering, and it decides which packets are captured and which are discarded; the display filter is the second layer, and it only shows, out of what the capture filter kept, the packets that match its rules.
Two: Display filter
I) Introduction
- The display filter is the second layer of the Wireshark filter (the first layer is the capture filter), and it lets you quickly filter out the packets you need.
II) Display filter syntax
- Comparison operators: ==, !=, <, >, >=, <=
- Logical operators: and, or, not (the condition is not satisfied), xor (exactly one of the two conditions is satisfied)
- IP address: ip.addr (source or destination IP address), ip.src (source IP address only), ip.dst (destination IP address only)
- Protocol filtering: arp, ip, icmp, udp, tcp, bootp, dns
- Note: a display filter you type does not take effect until you press Enter. Applying a display filter to a large capture file takes a noticeable amount of time.
III) Where to enter a display filter
1. Manual Input
2. Bookmark Manager
3. Enter from the Analysis toolbar
4. In the packet details pane, select a protocol field and right-click it
IV) Examples
- Display packets of the SNMP, DNS or ICMP protocol: snmp || dns || icmp
- Show packets whose source or destination address is 10.1.1.1: ip.addr == 10.1.1.1
- Show packets whose source is neither 10.1.2.3 nor 10.4.5.6: ip.src != 10.1.2.3 and ip.src != 10.4.5.6 (the two conditions must be joined with and; joined with or, every packet satisfies at least one of them and nothing is filtered out)
- Show packets whose source or destination port is 25: tcp.port == 25
- Show packets whose destination TCP port is 25: tcp.dstport == 25
- Show packets containing TCP flags: tcp.flags
- Show packets with source IP 10.1.2.3 and destination address 10.4.5.6: ip.src == 10.1.2.3 and ip.dst == 10.4.5.6
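As an added example (not from the original page), a small Python evaluator for the subset of display-filter syntax used in the examples above, run over constructed packet records. It expands ip.addr and tcp.port to both fields, treats == as true if either value matches and != as true only if every value differs (an assumption about the semantics; check it against your own Wireshark version), and makes the or/and mistake in the third example visible.

```python
import re

# Constructed packet records (not a real capture). "protocols" lists the layers
# present, so a bare name such as "dns" or "icmp" works as a presence test.
PACKETS = [
    {"no": 1, "protocols": {"ip", "tcp"}, "ip.src": "10.1.2.3", "ip.dst": "10.4.5.6",
     "tcp.srcport": 40000, "tcp.dstport": 25, "tcp.flags": 0x18},
    {"no": 2, "protocols": {"ip", "udp", "dns"}, "ip.src": "10.1.1.1", "ip.dst": "10.9.9.9",
     "udp.srcport": 53000, "udp.dstport": 53},
    {"no": 3, "protocols": {"ip", "icmp"}, "ip.src": "10.4.5.6", "ip.dst": "10.1.2.3"},
    {"no": 4, "protocols": {"ip", "tcp"}, "ip.src": "10.7.7.7", "ip.dst": "10.1.1.1",
     "tcp.srcport": 25, "tcp.dstport": 51000, "tcp.flags": 0x02},
]
# Combined fields expand to the source and destination field.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKEN = re.compile(r"\(|\)|==|!=|>=|<=|>|<|\|\||&&|!|[\w.]+")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def field_values(pkt, name):
    return [pkt[n] for n in COMBINED.get(name, (name,)) if n in pkt]

def evaluate(tokens, pkt):
    """Recursive descent with precedence or < and < not < comparison, evaluated against pkt."""
    def primary():
        tok = tokens.pop(0)
        if tok == "(":
            val = or_expr(); tokens.pop(0); return val          # consume ")"
        if tok in ("not", "!"):
            return not primary()
        if tokens and tokens[0] in OPS:                          # field op literal
            op, lit = tokens.pop(0), tokens.pop(0)
            lit = int(lit, 0) if lit.lstrip("-").isdigit() or lit.startswith("0x") else lit
            vals = field_values(pkt, tok)
            hits = [OPS[op](v, lit) for v in vals]
            # assumption: == matches if any value hits, != only if all values differ
            return any(hits) if op == "==" else bool(vals) and all(hits)
        return tok in pkt["protocols"] or tok in pkt             # bare name: presence test
    def and_expr():
        val = primary()
        while tokens and tokens[0] in ("and", "&&"):
            tokens.pop(0); val = primary() and val
        return val
    def or_expr():
        val = and_expr()
        while tokens and tokens[0] in ("or", "||"):
            tokens.pop(0); val = and_expr() or val
        return val
    return or_expr()

def apply_filter(expr, packets=PACKETS):
    """Return the numbers of the packets that the display filter expr selects."""
    return [p["no"] for p in packets if evaluate(TOKEN.findall(expr), p)]
```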
Three: Capture Filter
I) Role
- Determines which packets are recorded in the capture results. Note: the capture filter must be set before the capture is started.
- Setting the capture filter
II) Capture filter syntax
Filter format: [protocol] [direction] [host | net | port | portrange] value
1. Protocol: possible values include HTTP, HTTPS, FTP, UDP, TCP, IPv4, IPv6, ARP, ICMP and other protocols. If no protocol is given, all supported protocols are matched by default.
2. Direction: possible values src, dst, src and dst, src or dst; the default is src or dst.
3. Host(s): possible values net, port, host, portrange; the default is host.
4. Logical operators: not has the highest priority; and and or have the same priority and are evaluated from left to right.
III) Setting the capture filter
1. Use the Capture toolbar to set
2. Manual input
IV) Examples
- Capture IP packets whose source host is 10.1.1.1: ip src host 10.1.1.1
- Capture IP packets whose source or destination host is 10.1.1.1: ip host 10.1.1.1
- Capture UDP or TCP packets whose source port is in the range 2000-5000: src portrange 2000-5000
- Capture all packets that are not ICMP: not icmp