The packet capture tool Wireshark has two kinds of filters:
Capture filters, which are compiled to BPF and applied while capturing, so they decide which packets are recorded at all
Display filters, which are applied to an existing capture and only decide which packets are shown
Capture filter syntax (the same pcap/BPF syntax tcpdump uses; keywords are lower case):
Protocol Direction Type Value LogicalOperator OtherExpression
tcp dst port 3128 and dst host 10.1.1.1
Protocol possible values: ether, fddi, ip, arp, decnet, lat, sca, moprc, tcp, udp; if omitted, every protocol the rest of the expression applies to is matched
Direction possible values: src, dst, src and dst, src or dst; src or dst is the default
Type possible values: host, net, port, portrange; host is the default
Example: src 10.1.1.1 is the same as src host 10.1.1.1
Logical operator possible values: not, and, or
Note that tcp and udp can qualify port and portrange but not host (tcp host 10.1.1.1 is rejected by the compiler); write tcp and host 10.1.1.1 instead.
Display filter syntax (field names are lower case, protocol.field.subfield):
protocol.string1.string2 ComparisonOperator Value LogicalOperator OtherExpression
ftp.passive.ip == 10.2.2.2 xor icmp.type
Comparison operator possible values: ==, !=, >, <, >=, <=
Logical operator possible values: and (&&), or (||), xor (^^), not (!)
Examples:
snmp || dns || icmp // display SNMP, DNS or ICMP packets
ip.addr == 10.1.1.1 // display packets whose source or destination IP is 10.1.1.1
ip.src != 10.1.1.1 or ip.dst != 10.2.2.2 // display packets whose source is not 10.1.1.1 or whose destination is not 10.2.2.2, i.e. everything except traffic from 10.1.1.1 to 10.2.2.2
tcp.port == 25 // packets with TCP port 25 as source or destination
tcp.dstport == 25 // packets with TCP destination port 25
tcp.flags // packets that have a TCP flags field, i.e. every TCP segment
tcp.flags.syn == 1 // packets with the TCP SYN flag set; tcp.flags.syn is a one-bit field, so compare it with 1 rather than 0x02 (tcp.flags == 0x002 matches a bare SYN with no other flag set)
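To make the semantics of the examples above concrete, here is a small evaluator for the subset of the display-filter grammar used on this page (==, !=, ordering comparisons, and/or/xor/not, bare protocol names), run against a few constructed packet records. This is an added example, not Wireshark code: the packets are made up, the tokenizer and precedence (or < xor < and < not < comparison) are the evaluator's own, and the multi-valued behaviour is modelled on Wireshark's documented any_eq / all_ne rules. It shows why ip.addr == 10.1.1.1 matches both directions, why tcp.flags.syn == 0x02 never matches anything, and how != on a two-valued field like ip.addr differs from the older ~= (any value differs) form.

```python
import operator
import re

# Constructed sample "packets" (not real captures): a dict of Wireshark field
# name -> list of values, because a field can occur more than once per packet
# (ip.addr holds source and destination, tcp.port holds both ports). A bare
# protocol name such as "dns" is stored as a present field so "dns" matches.
def packet(src, dst, proto, sport=None, dport=None, syn=0):
    p = {"ip": [True], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst], proto: [True]}
    if proto == "tcp":
        p.update({"tcp.srcport": [sport], "tcp.dstport": [dport], "tcp.port": [sport, dport],
                  "tcp.flags.syn": [syn], "tcp.flags": [0x002 if syn else 0x010]})  # SYN or ACK
    return p

PACKETS = [
    packet("10.1.1.1", "10.2.2.2", "tcp", 40000, 25, syn=1),  # 0: SYN towards SMTP
    packet("10.2.2.2", "10.1.1.1", "tcp", 25, 40000),         # 1: reply from SMTP
    packet("10.3.3.3", "10.4.4.4", "dns"),                    # 2
    packet("10.1.1.1", "10.5.5.5", "icmp"),                   # 3
    packet("10.6.6.6", "10.7.7.7", "tcp", 50000, 443),        # 4
]

def _ordered(test):  # ordering only makes sense between numbers
    return lambda vals, rhs: any(isinstance(v, int) and isinstance(rhs, int) and test(v, rhs)
                                 for v in vals)

# Multi-valued semantics (assumption, modelled on the Wireshark filter manual):
# "==" is true if ANY value matches (any_eq); "!=" is the negation of "==",
# i.e. no value matches (all_ne, the meaning since Wireshark 3.6); "~=" keeps
# the older "any value differs" meaning (any_ne). Absent fields never match "==".
COMPARE = {
    "==": lambda vals, rhs: any(v == rhs for v in vals),
    "!=": lambda vals, rhs: not any(v == rhs for v in vals),
    "~=": lambda vals, rhs: any(v != rhs for v in vals),
    ">": _ordered(operator.gt), "<": _ordered(operator.lt),
    ">=": _ordered(operator.ge), "<=": _ordered(operator.le),
}

TOKEN = re.compile(r"\s*(==|!=|~=|>=|<=|>|<|&&|\|\||\^\^|!|\(|\)|[\w.]+)")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def literal(tok):
    try:
        return int(tok, 0)  # 25 and 0x02 become numbers; 10.1.1.1 stays a string
    except ValueError:
        return tok

class DisplayFilter:
    """Recursive-descent evaluator; precedence loosest to tightest: or, xor, and, not."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)

    def matches(self, pkt):
        self.pos, self.pkt = 0, pkt
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    # Both operands are always evaluated so the token stream keeps advancing.
    def _or(self):
        value = self._xor()
        while self._peek() in ("or", "||"):
            self._take(); rhs = self._xor(); value = value or rhs
        return value

    def _xor(self):
        value = self._and()
        while self._peek() in ("xor", "^^"):
            self._take(); rhs = self._and(); value = value != rhs
        return value

    def _and(self):
        value = self._not()
        while self._peek() in ("and", "&&"):
            self._take(); rhs = self._not(); value = value and rhs
        return value

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return not self._not()
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in COMPARE or tok in ("and", "or", "xor", "not", ")"):
            raise ValueError(f"expected a field name, got {tok!r}")
        values = self.pkt.get(tok, [])
        if self._peek() not in COMPARE:  # bare field/protocol name: "is it present?"
            return bool(values)
        op = self._take()
        return COMPARE[op](values, literal(self._take()))

def select(expr, packets=PACKETS):
    """Return the indices of the packets a display filter would show."""
    flt = DisplayFilter(expr)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]

if __name__ == "__main__":
    for expr in ("ip.addr == 10.1.1.1", "tcp.flags.syn == 1", "tcp.flags.syn == 0x02",
                 "ip.src != 10.1.1.1 or ip.dst != 10.2.2.2", "ip.addr != 10.1.1.1", "ip.addr ~= 10.1.1.1"):
        print(f"{expr:45} -> packets {select(expr)}")
```

Running it shows ip.addr == 10.1.1.1 selecting packets 0, 1 and 3 (either direction), tcp.flags.syn == 0x02 selecting nothing, and the page's ip.src != ... or ip.dst != ... filter selecting every packet except the one from 10.1.1.1 to 10.2.2.2. On real captures, check such filters against a known packet before trusting them in an investigation, because a filter that is syntactically valid can still match nothing (or everything).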
When this host is both the client and the server, the traffic never leaves the machine: packets addressed to the host's own IP are delivered internally and do not pass the capture interface, so Wireshark sees nothing. On Windows the usual workaround is a host route that forces that traffic out to the gateway, which routes it straight back:
1. Open cmd as administrator.
2. route add <local IP> mask 255.255.255.255 <gateway IP>
Afterwards both directions appear on the capture interface. Remove the route again with route delete <local IP> when you are done. This only helps for traffic to the interface address, not to 127.0.0.1, and it depends on the gateway actually forwarding the packets back; with Npcap installed, loopback traffic can instead be captured directly on the Npcap loopback adapter.