One-stop learning Wireshark (eight): Applying Wireshark capture filters to capture specific traffic

Source: Internet
Author: User

To apply a capture filter, select Capture | Options and expand the window to show the capture filter bar. Double-click the selected interface, as shown, to open the Edit Interface Settings window.

The Edit Interface Settings window lets you set the capture filter. If you already know the capture filter syntax, type the expression directly into the capture filter field. When the expression contains an error, Wireshark shows the field with a red background to indicate that the filter cannot be compiled. Usually this means the expression contains a typo, or that display filter syntax was used instead of capture filter syntax (the two are different languages).

Click the Capture Filter button to view and choose from the saved capture filters.

More information

Capturing traffic for a specific IP address:

If many hosts are communicating in your capture environment, consider filtering on the IP address of the host you are observing. The following are example IP address capture filters:

    • host 10.3.1.1: capture traffic sent to/from 10.3.1.1
    • host 2406:da00:ff00::6b16:f02d: capture traffic sent to/from the IPv6 address 2406:da00:ff00::6b16:f02d
    • not host 10.3.1.1: capture all traffic except that sent to/from 10.3.1.1
    • src host 10.3.1.1: capture traffic sent from 10.3.1.1
    • dst host 10.3.1.1: capture traffic sent to 10.3.1.1
    • host 10.3.1.1 or 10.3.1.2: capture all traffic sent to/from 10.3.1.1 and all traffic sent to/from 10.3.1.2
    • host www.espn.com: capture traffic sent to/from every IP address that www.espn.com resolves to (the name is resolved once, when the filter is compiled)

Capturing traffic for an IP address range:

When you need to capture traffic sent to/from a set of addresses, you can use CIDR (Classless Inter-Domain Routing) notation or the mask keyword.

    • net 10.3.0.0/16: capture traffic to/from all hosts on network 10.3.0.0 (prefix length 16)
    • net 10.3.0.0 mask 255.255.0.0: same result as the previous filter
    • ip6 net 2406:da00:ff00::/64: capture traffic to/from all hosts on the IPv6 network 2406:da00:ff00:0000::/64
    • not dst net 10.3.0.0/16: capture everything except traffic whose destination address begins with 10.3
    • not src net 10.3.0.0/16: capture everything except traffic whose source address begins with 10.3
    • ip proto <protocol code>: capture packets whose IP Protocol field equals <protocol code>, for example TCP (code 6), UDP (code 17), ICMP (code 1)
    • ip[2:2] == <number>: IP datagram length (the Total Length field)
    • ip[8] == <number>: TTL (Time to Live) value
    • ip[9] == <number>: Protocol field value
    • icmp[icmptype] == <identifier>: capture ICMP messages whose type equals the identifier, for example icmp-echo or icmp-echoreply

The first number in square brackets is the byte offset from the beginning of the protocol header, and the second number is how many bytes to read (1, 2 or 4); when the second number is omitted, one byte is read.
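As an added illustration (not code from the original article), the following Python reads the same byte offsets the ip[offset:size] primitives use, over a constructed IPv4 header, so you can see which field each filter in the list above actually examines. The header bytes are constructed here, not captured, and the names build_ipv4_header, ip_field, describe and matches are chosen for this example only.

```python
import struct

def ip_to_bytes(dotted):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_header(src, dst, total_length, ttl=64, proto=6):
    """Constructed 20-byte IPv4 header (no options). The checksum is left
    at zero because this example only reads header fields."""
    version_ihl = (4 << 4) | 5          # IPv4, header length 5 words
    return struct.pack("!BBHHHBBH4s4s",
                       version_ihl, 0, total_length, 0x1234, 0,
                       ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))

def ip_field(ip_hdr, offset, size=1):
    """Mimic the pcap primitive ip[offset:size]: read `size` bytes at byte
    `offset` from the start of the IP header as a big-endian integer.
    pcap allows only 1, 2 or 4 byte accesses; ip[8] means ip[8:1]."""
    if size not in (1, 2, 4):
        raise ValueError("pcap only allows 1, 2 or 4 byte reads")
    if offset + size > len(ip_hdr):
        raise ValueError("read past end of header")
    return int.from_bytes(ip_hdr[offset:offset + size], "big")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def describe(ip_hdr):
    """Report the three fields the article's offset filters look at."""
    return {
        "length": ip_field(ip_hdr, 2, 2),                        # ip[2:2] == <number>
        "ttl": ip_field(ip_hdr, 8),                              # ip[8] == <number>
        "proto": PROTO_NAMES.get(ip_field(ip_hdr, 9), "other"),  # ip[9] == <number>
    }

def matches(ip_hdr, offset, size, value):
    """Evaluate ip[offset:size] == value against one header."""
    return ip_field(ip_hdr, offset, size) == value

if __name__ == "__main__":
    # Constructed sample headers: a TCP segment, a ping with TTL 1, a UDP datagram.
    samples = [
        build_ipv4_header("10.3.1.1", "10.3.1.2", 40, ttl=64, proto=6),
        build_ipv4_header("10.3.1.2", "10.3.1.1", 84, ttl=1, proto=1),
        build_ipv4_header("10.3.1.5", "10.3.1.1", 60, ttl=128, proto=17),
    ]
    for hdr in samples:
        # ip[8] == 1 picks out packets whose TTL is about to expire
        print(describe(hdr), "ip[8] == 1:", matches(hdr, 8, 1, 1))
```

Note that the offsets count from the start of the IP header regardless of the link layer, which is why ip[9] lands on the Protocol field whether the frame came from Ethernet, a VLAN-tagged interface or a tunnel; a mistake in the second number (for example ip[2:1]) silently reads only the high byte of the length.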

Capturing traffic sent to a broadcast or multicast address:

By listening to broadcast or multicast traffic, you can learn a great deal about the hosts on a network.

    • ip broadcast: capture broadcast packets
    • ip multicast: capture multicast packets
    • dst host ff02::1: capture traffic sent to the IPv6 all-nodes multicast address
    • dst host ff02::2: capture traffic sent to the IPv6 all-routers multicast address

Tips:

Wireshark ships with some default capture filters. Click Edit Capture Filters on the main toolbar to open the saved capture filter list; there you will find examples of common capture filters.

Capturing traffic by MAC address:

When you need to capture IPv4 or IPv6 traffic sent to/from one host, you can build the capture filter on the host's MAC address.

When filtering on a MAC address, make sure you are on the same network segment as the target host: beyond the first router the frames carry the router's MAC address, not the host's.

    • ether host 00:08:15:00:08:15: capture traffic sent to/from 00:08:15:00:08:15
    • ether src 02:0a:42:23:41:ac: capture traffic sent from 02:0a:42:23:41:ac
    • ether dst 02:0a:42:23:41:ac: capture traffic sent to 02:0a:42:23:41:ac
    • not ether host 00:08:15:00:08:15: capture all traffic except that sent to/from 00:08:15:00:08:15
    • ether broadcast or ether dst ff:ff:ff:ff:ff:ff: capture broadcast frames
    • ether multicast: capture multicast frames
    • ether proto 0x0800: capture frames of the specified Ethernet type (0x0800 is IPv4)
    • vlan <vlan number>: capture frames tagged with the specified VLAN
    • vlan <vlan number> and vlan <vlan number>: capture frames carrying both of the specified VLAN tags (each vlan keyword moves past one 802.1Q tag, so this form matches stacked tags)

Capturing traffic for a specific application:

You may want to see the traffic of one or more applications. The capture filter syntax does not understand application names, so you identify the application by its port number and use the TCP or UDP port of the target application to filter out unrelated packets.

    • port 53: capture UDP/TCP traffic sent to/from port 53 (typically DNS)
    • not port 53: capture UDP/TCP traffic except that sent to/from port 53
    • port 80: capture UDP/TCP traffic sent to/from port 80 (typically HTTP)
    • udp port 67: capture UDP traffic sent to/from port 67 (typically DHCP)
    • tcp port 21: capture TCP traffic sent to/from port 21 (typically the FTP command channel)
    • portrange 1-80: capture all UDP/TCP traffic sent to/from ports 1-80
    • tcp portrange 1-80: capture all TCP traffic sent to/from ports 1-80

Capturing traffic with combined port filters:

When you need to capture traffic on several non-contiguous ports, join the conditions with logical operators, as in the following:

    • port 20 or port 21: capture UDP/TCP traffic sent to/from port 20 or 21 (typically the FTP data and command ports)
    • host 10.3.1.1 and port 80: capture traffic sent to/from 10.3.1.1 on port 80
    • host 10.3.1.1 and not port 80: capture traffic sent to/from 10.3.1.1 other than port 80
    • udp src port 68 and udp dst port 67: capture all UDP traffic from port 68 to port 67 (typically DHCP client to DHCP server)
    • udp src port 67 and udp dst port 68: capture all UDP traffic from port 67 to port 68 (typically DHCP server to DHCP client)
    • To capture the start (SYN) and end (FIN) packets of TCP connections, use tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    • To capture all TCP packets with the RST (reset) flag set, use tcp[tcpflags] & tcp-rst != 0
    • less <length>: capture packets of at most a certain length, equivalent to len <= <length>
    • greater <length>: capture packets of at least a certain length, equivalent to len >= <length>

SYN: signal to establish a connection

FIN: signal to close the connection

ACK: acknowledges receipt of data

RST: signal to close the connection immediately

PSH: push signal, asking that the data be handed to the application as soon as possible

    • tcp[13] = 0: no flags set (null scan)
    • tcp[13] & 0x11 = 1: FIN set and ACK not set
    • tcp[13] & 0x03 = 3: SYN set and FIN set
    • tcp[13] & 0x05 = 5: RST set and FIN set
    • tcp[13] & 0x06 = 6: SYN set and RST set
    • tcp[13] & 0x18 = 8: PSH set and ACK not set

tcp[13] reads the byte at offset 13 from the beginning of the TCP header, which holds the flag bits (FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32). The mask after & selects which flags are tested and the number after = is the required result, so the values 0, 1, 3, 5, 6 and 8 are the flag combinations being looked for. A mask of 0x00 always yields 0 and would match every segment, which is why the null-scan test compares tcp[13] itself with 0.
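The following is an added example (not the article's own code) that evaluates the flag-byte filters above exactly as the BPF engine does, mask first and then compare, over constructed TCP headers. It covers the SYN/FIN and RST filters from the combined-port section as well as the tcp[13] table, and includes a deliberately useless mask of 0x00 so you can see that such a filter accepts every segment. The constants FIN, SYN, RST, PSH, ACK, URG carry the same bit values pcap uses for tcp-fin, tcp-syn and friends; the function names are chosen for this example.

```python
import struct

# Flag bits as laid out in the TCP flags byte (tcp[13]); these are the same
# values pcap gives the names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header; only the flags byte matters here."""
    data_offset = 5 << 4                 # 5 words, no options, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags,
                       0xFFFF, 0, 0)

def tcp_flags(tcp_hdr):
    """The byte a capture filter reads as tcp[13] / tcp[tcpflags]."""
    return tcp_hdr[13]

def flag_filter(tcp_hdr, mask, value, op="="):
    """Evaluate 'tcp[13] & mask <op> value' the way the BPF engine does."""
    masked = tcp_flags(tcp_hdr) & mask
    return masked != value if op == "!=" else masked == value

# (mask, value, operator) for each filter, with the pcap text as a comment.
FILTERS = {
    "connection start or end": (SYN | FIN, 0, "!="),  # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    "reset": (RST, 0, "!="),                         # tcp[tcpflags] & tcp-rst != 0
    "null scan": (0xFF, 0, "="),                     # tcp[13] = 0
    "fin without ack": (FIN | ACK, FIN, "="),        # tcp[13] & 0x11 = 1
    "syn and fin": (SYN | FIN, SYN | FIN, "="),      # tcp[13] & 0x03 = 3
    "rst and fin": (RST | FIN, RST | FIN, "="),      # tcp[13] & 0x05 = 5
    "syn and rst": (SYN | RST, SYN | RST, "="),      # tcp[13] & 0x06 = 6
    "psh without ack": (PSH | ACK, PSH, "="),        # tcp[13] & 0x18 = 8
    "mask 0x00 (always true)": (0x00, 0, "="),       # tcp[13] & 0x00 = 0 matches everything
}

def classify(tcp_hdr):
    """Names of every filter in FILTERS that this segment satisfies."""
    return [name for name, (mask, value, op) in FILTERS.items()
            if flag_filter(tcp_hdr, mask, value, op)]

if __name__ == "__main__":
    # Constructed segments: a normal handshake and teardown, plus flag
    # combinations that never occur in a legitimate connection.
    samples = {
        "SYN": build_tcp_header(40000, 80, SYN),
        "SYN/ACK": build_tcp_header(80, 40000, SYN | ACK),
        "PSH/ACK data": build_tcp_header(40000, 80, PSH | ACK),
        "FIN/ACK": build_tcp_header(40000, 80, FIN | ACK),
        "RST": build_tcp_header(80, 40000, RST),
        "NULL": build_tcp_header(40000, 80, 0),
        "SYN/FIN": build_tcp_header(40000, 80, SYN | FIN),
    }
    for label, hdr in samples.items():
        print(f"{label:12s} flags=0x{tcp_flags(hdr):02x} -> {classify(hdr)}")
```

Running it shows why the mask matters: a normal FIN/ACK teardown is not reported as "fin without ack" because the ACK bit is inside the 0x11 mask, while a mask of 0x01 alone would flag it. Segments such as NULL or SYN/FIN do not occur in a well-behaved connection, so a capture filter on those combinations is a cheap way to collect only the anomalies for later inspection.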

Try to avoid capture filters where you can: it is better to look at a few extra packets than to miss one. When you have captured a large number of packets, use display filters (which offer far more options) to focus on a particular conversation.

Tips:

If you need to match an ASCII string inside a TCP segment, use the Wireshark string-matching capture filter generator (http://www.wireshark.org/tools/string-cf.html). For example, to capture HTTP GET requests, enter GET and set the TCP payload offset to 0.
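The following added example (my own reimplementation of the idea, not the code behind the Wireshark tool, whose exact output format may differ) shows how such a generator works: the TCP payload starts at the header length, which pcap can compute from the Data Offset nibble as ((tcp[12:1] & 0xf0) >> 2), and because pcap can compare at most 4 bytes per access the string is split into 4-, 2- and 1-byte chunks joined with and. A second function applies the same logic in Python to a constructed segment so the generated filter can be checked offline. The names tcp_string_filter, payload_matches and build_tcp_segment are chosen for this example.

```python
import struct

# Where the TCP payload starts, expressed in pcap arithmetic: the Data Offset
# field is the high nibble of tcp[12], in 32-bit words; (x & 0xf0) >> 2 equals
# the header length in bytes.
PAYLOAD_START = "((tcp[12:1] & 0xf0) >> 2)"

def tcp_string_filter(text, offset=0):
    """Return a pcap capture filter that matches `text` at byte `offset` of
    the TCP payload. pcap can compare only 1, 2 or 4 bytes per access, so
    the string is split into chunks of 4, then 2, then 1 bytes."""
    data = text.encode("ascii")
    if not data:
        raise ValueError("empty string")
    terms = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        chunk = data[pos:pos + size]
        at = offset + pos
        index = PAYLOAD_START if at == 0 else f"{PAYLOAD_START} + {at}"
        terms.append(f"tcp[{index}:{size}] = 0x{chunk.hex()}")
        pos += size
    return " and ".join(terms)

def payload_matches(tcp_segment, text, offset=0):
    """Do what the generated filter does, in Python, against raw TCP bytes:
    locate the payload via the Data Offset nibble and compare the string."""
    data_offset = (tcp_segment[12] & 0xF0) >> 2
    start = data_offset + offset
    needle = text.encode("ascii")
    return tcp_segment[start:start + len(needle)] == needle

def build_tcp_segment(payload, flags=0x18):
    """Constructed 20-byte TCP header (no options) followed by `payload`."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags,
                       0xFFFF, 0, 0) + payload

if __name__ == "__main__":
    print(tcp_string_filter("GET "))
    print(tcp_string_filter("GET /index"))
    seg = build_tcp_segment(b"GET / HTTP/1.1\r\n")   # constructed, not captured
    print(payload_matches(seg, "GET "), payload_matches(seg, "POST"))
```

Two caveats apply to any filter of this kind. The offset is relative to the payload of each segment, not to the TCP stream, so a string that straddles a segment boundary, or that appears later in the stream than the requested offset, is never matched. And it compares raw bytes, so it sees nothing inside TLS; for encrypted traffic use a port or host filter at capture time and a display filter afterwards.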

