Reference: http://jingyan.baidu.com/article/454316ab593170f7a6c03a60.html
Filter syntax: protocol.property (for example ip.src, tcp.port, http.request.method)
First, IP filtering:
ip.src eq 192.168.10.130 // source IP
ip.dst eq 192.168.0.208 // destination IP
ip.addr eq 192.168.0.208 // matches when either the source IP or the destination IP equals the address
Second, port filtering:
tcp.port eq 80 // matches whether 80 is the source or the destination port
tcp.port == 80 // same as above, "==" and "eq" are interchangeable
tcp.port eq 2722
tcp.port eq <port> or udp.port eq <port> // <port> is a placeholder for the port number you want
tcp.dstport == 80 // only the TCP destination port
Third, protocol filtering:
tcp, udp, arp, icmp, http, smtp, ftp, dns, ssl and so on (the protocol name alone is the filter)
To exclude SSL packets:
!ssl
not ssl
Fourth, packet length filtering:
udp.length == <n> // the UDP header's fixed 8 bytes plus the UDP payload; <n> is a placeholder
tcp.len >= 7 // the TCP payload only (the data carried inside the IP packet), not including the TCP header
ip.len == 94 // everything except the fixed 14-byte Ethernet header, i.e. from the IP header to the end
frame.len == 119 // the whole frame, from the Ethernet header to the end
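The four length fields above are easy to confuse, so here is an added example (not from the referenced article) that builds constructed Ethernet/IPv4/UDP and Ethernet/IPv4/TCP frames and computes what Wireshark would report for frame.len, ip.len, udp.length and tcp.len. The MAC addresses, ports and payloads are constructed; the IP addresses are the ones used in the examples above.

```python
import struct

ETH = (b"\x00\x11\x22\x33\x44\x55"   # constructed destination MAC
       b"\x66\x77\x88\x99\xaa\xbb"   # constructed source MAC
       b"\x08\x00")                  # EtherType = IPv4

def _ipv4(proto: int, l4_len: int) -> bytes:
    # Minimal 20-byte IPv4 header (IHL=5); Total Length = header + layer-4 bytes.
    # Addresses taken from the page's examples: 192.168.0.208 -> 192.168.10.130.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                       bytes([192, 168, 0, 208]), bytes([192, 168, 10, 130]))

def build_udp_frame(payload: bytes) -> bytes:
    # UDP header: src port, dst port, length (header + data), checksum (left 0).
    udp = struct.pack("!HHHH", 15000, 53, 8 + len(payload), 0)
    return ETH + _ipv4(17, len(udp) + len(payload)) + udp + payload

def build_tcp_frame(payload: bytes) -> bytes:
    # 20-byte TCP header: ports 2722 -> 80, data offset 5 words, flags PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", 2722, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ETH + _ipv4(6, len(tcp) + len(payload)) + tcp + payload

def length_fields(frame: bytes) -> dict:
    """Return the length fields from section Four for an Ethernet II / IPv4 frame."""
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[14 + 9]                   # IPv4 Protocol field
    fields = {
        "frame.len": len(frame),                               # Ethernet header to the end
        "ip.len": struct.unpack("!H", frame[16:18])[0],        # IP header to the end, Ethernet excluded
    }
    l4 = 14 + ihl                           # offset of the transport header
    if proto == 17:
        # udp.length is the UDP Length field: 8-byte header plus payload
        fields["udp.length"] = struct.unpack("!H", frame[l4 + 4:l4 + 6])[0]
    elif proto == 6:
        data_off = (frame[l4 + 12] >> 4) * 4
        # tcp.len is the TCP payload only: IP total length minus both headers
        fields["tcp.len"] = fields["ip.len"] - ihl - data_off
    return fields

if __name__ == "__main__":
    print(length_fields(build_udp_frame(b"A" * 18)))  # udp.length 26, ip.len 46, frame.len 60
    print(length_fields(build_tcp_frame(b"B" * 7)))   # tcp.len 7, ip.len 47, frame.len 61
```

The relation frame.len == 14 + ip.len holds for every Ethernet II frame, which is why a filter on ip.len and one on frame.len for the same packet differ by exactly 14.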
Fifth, HTTP mode filtering:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1." // "contains" is case-sensitive, so match the on-the-wire capitalisation
GET packets:
http.request.method == "GET" && http contains "User-Agent:"
POST packets:
http.request.method == "POST" && http contains "User-Agent:"
Response packets:
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:" // the status line is version, status code, reason phrase
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
Sixth, connectors:
and / or
Seventh, expressions:
!(arp.src.proto_ipv4 == 192.168.1.1) and !(arp.dst.proto_ipv4 == 192.168.1.243)
"HTTP" Wireshark filtering rules