tcpdump and Wireshark practical filter expressions (for IP, protocol, port, length and content)

Source: Internet
Author: User
1. Filtering by IP address (the most common Wireshark filter). There are several cases:
(1) Packets whose source address is 192.168.0.1, i.e. capture packets whose source address meets the condition. The expression is: ip.src == 192.168.0.1
(2) Packets whose destination address is 192.168.0.1, i.e. capture packets whose destination address meets the condition. The expression is: ip.dst == 192.168.0.1
(3) Packets whose source or destination address is 192.168.0.1. The expression is: ip.addr == 192.168.0.1, which is equivalent to ip.src == 192.168.0.1 or ip.dst == 192.168.0.1
(4) To exclude the packets matched by any of the above, wrap the expression in parentheses and negate it with "!". The expression is: !(expression)

2. Filtering by protocol
(1) To capture packets of a single protocol, the expression is simply the protocol name. The expression is: http
(2) To capture packets of several protocols, join the protocol names with logical operators. The expression is: http or telnet (several protocols combined with logical operators)
(3) To exclude a protocol, negate it. The expressions are: not arp (or, in the other form, !tcp)

3. Filtering by port (depends on the protocol)
(1) Packets with the given port at either end. The expression is: tcp.port == 80
(2) Several ports can be combined with and/or. For example, the expression for capturing high-numbered UDP ports is: udp.port >= 2048

4. Filtering by length and content
(1) By length (the length here is that of the data segment). The expressions are: udp.length < 20, http.content_length <= 20
(2) By packet content. The expression is: http.request.uri matches "Vipscu" (matches HTTP requests whose URI contains the string Vipscu)
Once these basic functions have been learned and can be combined freely, you have the essentials; this is basically a primer. The following are more complex examples (from the Wireshark illustrated tutorial):
Note that these examples use the capture-filter (BPF) syntax that Wireshark shares with tcpdump, not the display-filter syntax shown above.

tcp dst port 3128: shows packets whose destination TCP port is 3128.
ip src host 10.1.1.1: shows packets whose source IP address is 10.1.1.1.
host 10.1.2.3: shows packets whose source or destination IP address is 10.1.2.3.
src portrange 2000-2500: shows UDP or TCP packets whose source port is in the range 2000 to 2500.
not icmp: shows all packets except ICMP (ICMP is what the ping tool normally uses).
src host 10.7.2.12 and not dst net 10.200.0.0/16: shows packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8: shows packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies within the network 10.0.0.0/8.
This article may be reproduced; crediting the original source is a mark of respect for the original author, so please cite the original source:

http://vipscu.blog.163.com/blog/static/181808372201131141348134/

Linux tcpdump command: a brief introduction

The simplest definition of tcpdump is: dump the traffic on a network. It is a packet analysis tool that intercepts packets on the network according to rules the user defines. tcpdump captures the headers of packets transmitted on the network and analyses them. It supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or and not to help you discard irrelevant information.

Practical command examples

Default startup

tcpdump

Under normal circumstances, starting tcpdump directly monitors all packets flowing through the first network interface.


Monitoring packets on a specified network interface

tcpdump -i eth1

If you do not specify a network adapter, tcpdump by default monitors only the first network interface, typically eth0; the following examples do not specify a network interface.

Monitoring packets for a specified host

Print all packets entering or leaving the host sundown:

tcpdump host sundown

You can also specify an IP address; for example, to intercept all packets received and sent by host 210.27.48.1:

tcpdump host 210.27.48.1

Print packets exchanged between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

Intercept communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print IP packets exchanged between ace and any other host, excluding packets involving helios:

tcpdump ip host ace and not helios

To get the IP packets that host 210.27.48.1 exchanges with all hosts except 210.27.48.2, use the command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Intercept all data sent by host hostname:

tcpdump -i eth0 src host hostname

Monitor all packets sent to host hostname:

tcpdump -i eth0 dst host hostname


Monitoring packets for a specified host and port

To obtain the telnet packets that host 210.27.48.1 receives or sends, use the following command:

tcpdump tcp port 23 and host 210.27.48.1

Monitor UDP port 123 on this machine (123 is the NTP service port):

tcpdump udp port 123


Monitoring packets for a specified network

Print all communication packets between the local host and the host on the Berkeley Network (NT:UCB-E
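Added example (not from the original page or the blog it quotes): a small Python evaluator, with constructed packets, that applies the capture-filter primitives used in the compound expressions in the Wireshark section above and in the tcpdump commands of this section (host, src host, src/dst net, tcp dst portrange, not icmp) to raw IPv4 packets, so you can check offline which packets a given expression selects. The helper names and the sample addresses are my own.

```python
import ipaddress
import struct

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers

def build_ipv4(src, dst, proto, sport=0, dport=0):
    """Construct a minimal raw IPv4 packet: 20-byte header plus an 8-byte L4 header."""
    if proto == ICMP:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)             # ICMP echo request
    else:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4    # TCP/UDP ports come first
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + l4

def parse_ipv4(pkt):
    """Decode only the fields the capture-filter primitives look at."""
    ihl = (pkt[0] & 0x0F) * 4       # header length in bytes, from the IHL nibble
    proto = pkt[9]
    sport = dport = None
    if proto in (TCP, UDP):          # ports sit at the start of the TCP/UDP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20]),
            "proto": proto, "sport": sport, "dport": dport}

# Primitives named after the tcpdump keywords they mimic ("host" matches either end).
def host(p, a):      return ipaddress.ip_address(a) in (p["src"], p["dst"])
def src_host(p, a):  return p["src"] == ipaddress.ip_address(a)
def src_net(p, n):   return p["src"] in ipaddress.ip_network(n)
def dst_net(p, n):   return p["dst"] in ipaddress.ip_network(n)
def not_icmp(p):     return p["proto"] != ICMP
def tcp_dst_portrange(p, lo, hi): return p["proto"] == TCP and lo <= p["dport"] <= hi

# The two compound expressions from the page, written as predicates.
FILTERS = {
    "src host 10.7.2.12 and not dst net 10.200.0.0/16":
        lambda p: src_host(p, "10.7.2.12") and not dst_net(p, "10.200.0.0/16"),
    "(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8":
        lambda p: (src_host(p, "10.4.1.12") or src_net(p, "10.6.0.0/16"))
                  and tcp_dst_portrange(p, 200, 10000) and dst_net(p, "10.0.0.0/8"),
}

PACKETS = [  # constructed sample traffic, not a real capture
    build_ipv4("10.7.2.12", "10.1.1.1", TCP, 40000, 80),     # first filter: match
    build_ipv4("10.7.2.12", "10.200.5.5", TCP, 40000, 80),   # first filter: dst in excluded net
    build_ipv4("10.6.3.3", "10.9.9.9", TCP, 40000, 443),     # second filter: match
    build_ipv4("10.6.3.3", "10.9.9.9", UDP, 40000, 443),     # second filter: not TCP
    build_ipv4("10.4.1.12", "10.9.9.9", ICMP),               # dropped by "not icmp"
]

def apply_filter(predicate, packets=PACKETS):
    """Return the indices of the packets that the filter would let tcpdump print."""
    return [i for i, raw in enumerate(packets) if predicate(parse_ipv4(raw))]
```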
