"Go" wireshark filter rules

Source: Internet
Author: User

Wireshark filtering syntax

Note on the examples below: Wireshark display-filter field names and operators are case-sensitive and written in lowercase (ip.src, tcp.port, eth.dst), and the equality operator is written as a single token, == or eq. The examples have been normalised to that form.

1. Filter by IP address, e.g. source IP or destination IP equal to a given address

Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or
ip.addr eq 192.168.1.107 // matches the address as either source or destination

2. Filter by port

Example:
tcp.port eq 80 // matches whether 80 is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // destination port 80, TCP only
tcp.srcport == 80 // source port 80, TCP only

udp.port eq 15000

Filter a port range
tcp.port >= 1 and tcp.port <= 80

3. Filter by protocol

Example (a bare protocol name matches every packet containing that protocol):
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
and so on

Exclude ARP packets: !arp or not arp

4. Filter by MAC address

Filter on the Ethernet header
eth.dst == a0:00:00:04:c5:84 // filter on destination MAC
eth.src eq a0:00:00:04:c5:84 // filter on source MAC
eth.dst==a0:00:00:04:c5:84
eth.dst==a0-00-00-04-c5-84 // hyphen-separated MAC addresses are accepted too
eth.addr eq a0:00:00:04:c5:84 // matches packets whose source or destination MAC is a0:00:00:04:c5:84

Comparison operators (symbol and keyword form):
<   lt  less than
<=  le  less than or equal to
==  eq  equal to
>   gt  greater than
>=  ge  greater than or equal to
!=  ne  not equal to


5. Filter by packet length

Example:
udp.length == 26 // the UDP length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload length (the data carried by TCP), not including the TCP header
ip.len == 94 // the IP total length: everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
frame.len == 119 // the whole frame length, from the Ethernet header to the end

Layering: eth ---> ip or arp ---> tcp or udp ---> data

6. HTTP filtering

Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

GET packets
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
POST packets
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
Response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
A response must contain the following header:
Content-Type:
Note that contains is a case-sensitive byte match, so the quoted text must use the same capitalisation as on the wire ("HTTP/1.1 200 OK", "Content-Type:"); the matches operator in section 8 is case-insensitive.


7. TCP flag filtering

tcp.flags // the TCP flags field; e.g. tcp.flags == 0x02 shows packets with only the SYN flag set
tcp.flags.syn == 1 // shows packets that have the SYN flag set (tcp.flags.syn is a boolean field)
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window packets that are not resets

8. Filter by content (byte slices)

tcp[20] // the single byte at offset 20, counted from the start of the TCP header
tcp[20:] // from offset 20 to the end of the packet
tcp[20:8] // 8 bytes starting at offset 20
tcp[offset:n] // general form: n bytes starting at offset (offset 20 is the first payload byte only when the TCP header carries no options)

udp[8:3] == 81:60:03 // the 3 bytes at offset 8 (the first three payload bytes, after the 8-byte UDP header) are 81 60 03
udp[8:1] == 32 // same form: udp[offset:count] == value
eth.addr[0:3] == 00:06:5b // the first three bytes of the MAC address (the OUI)

Example
Check whether the first three payload bytes of a UDP packet are 0x20 0x21 0x22.
The UDP header has a fixed length of 8 bytes, so:
udp[8:3] == 20:21:22

Check whether the first three payload bytes of a TCP packet are 0x20 0x21 0x22.
The TCP header is usually 20 bytes, but it is longer when options are present:
tcp[20:3] == 20:21:22
For an exact result, determine the TCP header length (the data offset field) first.

matches (regular expression, case-insensitive) and contains (byte or string substring, case-sensitive) syntax
ip.src == 192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets that contain 0x7c7c7d7d anywhere in the payload, not necessarily from the first byte

Example:
Capture the local QQ login packet (condition: the first payload byte is 0x02, the fourth and fifth bytes are 0x00 0x22, and the last byte is 0x03)
0x02 xx xx 0x00 0x22 ... 0x03
Correct filters:
oicq and udp[8:] matches "^\\x02[\\x00-\\xff][\\x00-\\xff]\\x00\\x22[\\x00-\\xff]+\\x03$"
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" // login packet
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x03$" or tcp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x03$")
oicq and (udp[8:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$" or tcp[20:] matches "^\\x02[\\x00-\\xff]{2}\\x00\\x22[\\x00-\\xff]+\\x03$")

The QQ number is not carried only by command 00:22; other packets carry it too, and they can be matched with the following conditions (TCP variants exist as well but were not written out):
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2] == 00:00) and !(udp[11:2] == 00:80)
oicq and udp[8:] matches "^\\x02[\\x00-\\xff]+\\x03$" and !(udp[11:2] == 00:00) and !(udp[15:4] == 00:00:00:00)
Description
udp[15:4] == 00:00:00:00 means the QQ number is empty
udp[11:2] == 00:00 means the command number is 00:00
udp[11:2] == 00:80 means the command number is 00:80
When the command number is 00:80, the QQ number is 00:00:00:00

Capture the account of a successful MSN login (condition "USR 7 OK": the first three bytes are USR, then a space, a run of digits, a space, OK, another space, and then the e-mail address)
USR xx OK <e-mail address>
Correct filter:
msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^usr\\x20[\\x30-\\x39]+\\x20ok\\x20[\\x00-\\xff]+"
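The following Python is an added illustration, not part of the original post: it re-implements the byte-slice and matches checks from section 8 on constructed packets, applying the QQ login regex to a UDP payload and showing why tcp[20:3] is only correct when the TCP header carries no options (the data-offset field gives the real payload start). Packet bytes, function names and the payloads are constructed for the demonstration.

```python
import re

def hexbytes(text):
    """Turn a Wireshark byte string such as "20:21:22" into bytes."""
    return bytes(int(h, 16) for h in text.split(":"))

def slice_field(buf, offset, length=None):
    """Emulate proto[offset:length]; length None means proto[offset:] (to the end)."""
    return buf[offset:] if length is None else buf[offset:offset + length]

# The page's login rule: udp[8:] matches "^\x02..\x00\x22.+\x03$" (8 = UDP header length).
# Wireshark's matches is case-insensitive, hence re.I; \Z pins the 0x03 to the last byte.
QQ_LOGIN = re.compile(rb"^\x02[\x00-\xff]{2}\x00\x22[\x00-\xff]+\x03\Z", re.I)

def udp_is_qq_login(udp_segment):
    """Apply the login regex to the UDP payload (everything after the 8-byte header)."""
    return QQ_LOGIN.search(slice_field(udp_segment, 8)) is not None

def tcp_data_offset(tcp_segment):
    """Real start of the TCP payload: the data-offset nibble (byte 12, high 4 bits) times 4."""
    return (tcp_segment[12] >> 4) * 4

def tcp_payload_starts_with(tcp_segment, want, use_header_field=True):
    """Compare the first payload bytes; offset 20 (use_header_field=False) assumes no options."""
    off = tcp_data_offset(tcp_segment) if use_header_field else 20
    return slice_field(tcp_segment, off, len(want)) == want

def make_tcp(payload, options=b""):
    """Constructed minimal TCP segment: zeroed 20-byte header, optional options, then payload."""
    header_len = 20 + len(options)
    if header_len % 4:
        raise ValueError("TCP options must pad the header to a multiple of 4 bytes")
    header = bytearray(20)
    header[12] = (header_len // 4) << 4  # data offset in 32-bit words
    return bytes(header) + options + payload

# Constructed UDP segments: 8 zero header bytes, then a payload.
UDP_LOGIN = bytes(8) + b"\x02\x1f\x00\x00\x22" + b"\x11\x22\x33\x44" + b"\x03"  # command 00:22
UDP_OTHER = bytes(8) + b"\x02\x1f\x00\x00\x80" + b"\x00\x00\x00\x00" + b"\x03"  # command 00:80

if __name__ == "__main__":
    plain = make_tcp(b"\x20\x21\x22rest")
    with_opts = make_tcp(b"\x20\x21\x22rest", options=b"\x01\x01\x01\x01")  # four NOP options
    print("QQ login:", udp_is_qq_login(UDP_LOGIN), udp_is_qq_login(UDP_OTHER))
    print("tcp[20:3] without options:", tcp_payload_starts_with(plain, hexbytes("20:21:22"), False))
    print("tcp[20:3] with options:", tcp_payload_starts_with(with_opts, hexbytes("20:21:22"), False))
    print("data-offset aware:", tcp_payload_starts_with(with_opts, hexbytes("20:21:22")))
```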

9. DNS filtering


10. DHCP

Example: looking for a rogue DHCP server with Wireshark. Add a rule to the display filter that shows every server-side DHCP message (bootp.type == 0x02, a BOOTREPLY, i.e. offer/ack) that does not come from the legitimate DHCP server:
bootp.type == 0x02 and not ip.src == 192.168.1.1 // 192.168.1.1 is the legitimate server
In Wireshark 3.0 and later the dissector is named dhcp, so the field is dhcp.type; the bootp.* names are still accepted for compatibility.

11. MSN

msnms && tcp[23:1] == 20 // the fourth payload byte is 0x20 (a space): an MSN command packet
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A // the first three payload bytes are capital letters (0x41 'A' to 0x5A 'Z')
msnms && tcp[20:3] == "USR" // packets whose command code is USR (== is case-sensitive, unlike matches)
msnms && tcp[20:3] == "MSG" // packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80

How can I tell whether a packet is an MSN packet carrying a command code?
1) Port 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80
2) The first three payload bytes are capital letters, e.g.:
tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
3) The fourth byte is 0x20, e.g. tcp[23:1] == 20
4) MSN runs over TCP, so the packet matches tcp

MSN Messenger Protocol Analysis
http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN Protocol Analysis
http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

A more detailed description:
<<Wireshark Filter Expression Examples>>
http://www.csna.cn/viewthread.php?tid=14614
