"HTTP" Wireshark filtering rules

Reference: http://jingyan.baidu.com/article/454316ab593170f7a6c03a60.html

Statement features: protocol. Properties

First, IP filtering:

Include source IP or destination IP equals an IP such as:

IP.SRC eq 192.168.10.130
Ip.src addr eq 192.168.0.208 Source IP       ip.dst addr==192.168.0.208
IP.DST addr eq 192.168.0.208 target IP

Second, port filtering:

tcp.port EQ 80//Whether the port is source or target is displayed       Tcp.port = =       tcp.port eq 2722       tcp.port eq or udp.port eq.       TC P.dstport = = 80//Explicit TCP protocol target port       <=

Third, protocol filtering:

TCP UDP ARP ICMP HTTP SMTP ftp DNS SSL and so on

To exclude SSL packages:

!sslnot SSL

Four, packet length filter:

 -  // This length refers to the UDP itself fixed length 8 plus UDP The sum of the packet 7  // refers to IP packets (The block of data under TCP), not including TCP itself 94  // In addition to the Ethernet head fixed length of 14, the other is Ip.len, that is, from the IP itself to the last 119 // the entire packet length, starting at ETH and finally

Five, HTTP mode filtering:

Http.request.method == = = = "/img/logo-edu.gif" http contains "GET" http contains "http/  1. "

Get package

Http.request.method = = "Get"&& = = "Get" && http contains "User-agent:"

Post Package

Http.request.method = = "POST"&& = = "POST" && http contains "User-agent:"

Response Package

HTTP contains "http/1.1 OK" && http contains "content-Type:" http contains "http/< c3>1.0 OK "&& http contains" Content-type: "

Six, connector

and/or

vii. Expressions :

! (arp.src==192.168. 1.1) and! (arp.dst.proto_ipv4==192.168. 1.243)

"HTTP" Wireshark filtering rules