Grab Bag Tool Wireshark filter

The grab kit Wireshark is divided into two types of filters:

Capture Filter (Capturefilters)

Display Filter (displayfilters)

Catch filter Syntax:

Protocol Direction Host Value logicaloperations otherexpression

TCP DST 10.1.1.1 and TCP DST 10.2.2.2 3128

Protocol possible values: ether, FDDI, IP, ARP, DECnet, lat, SCA, MOPRC, TCP and UDP, all by default

Direction possible values: SRC, DST, src and DST, src or DST, using SRC or DST by default

The possible values for host are: NET, port, host, Portrange, and host is used by default.

Example: Src 10.1.1.1 is the same as SRC host 10.1.1.1

Logicaloperations Possible values: not, and, or

Display Filter Syntax:

Protocol.String1.String2 comparisonoperator Value Logicaloperation otherexpression

Ftp.passsive.ip = = 10.2.2.2 xor Icpm.type

Comparisonoperator Possible values: = =,! =, >, <, >=, <=

Logicaloperation possible values: and &&, or |, XOR ^^, not!

Example: snmp| | dns| | ICMP//display SNMP or DNS or ICPM packets

IP.ADDR = = 10.1.1.1//Display the package from which the source or destination IP is 10.1.1.1

Ip.src! = 10.1.1.1 or ip.dst!=10.2.2.2//displays the package from which the source is not 10.1.1.1 or the purpose is not 10.2.2.2.

Tcp.port = = 25//packet with TCP port 25 for source or destination

Tcp.dstport ==25

Tcp.flags//Display package with TCP flag

Tcp.flags.syn = = 0x02//display packet containing the TCP SYN flag

This machine both as a client and as a service side, need to set up to let Wireshark catch data:

1. The administrator runs cmd

2. Route Add native IP mask 255.255.255.255 gateway IP

Grab Bag Tool Wireshark filter