1. Filtering by IP address, the most common use of Wireshark display filters. There are several cases:
(1) Filter the packets whose source address is 192.168.0.1, i.e. keep the packets whose source address meets the condition. The expression is: ip.src == 192.168.0.1
(2) Filter the packets whose destination address is 192.168.0.1, i.e. keep the packets whose destination address meets the condition. The expression is: ip.dst == 192.168.0.1
(3) Filter the packets whose source or destination address is 192.168.0.1, i.e. keep the packets in which either the source or the destination address is 192.168.0.1. The expression is: ip.addr == 192.168.0.1, or equivalently ip.src == 192.168.0.1 or ip.dst == 192.168.0.1
(4) To exclude the packets above, wrap the expression in parentheses and prefix it with "!". The expression is: !(expression)
2. Filtering by protocol
(1) To capture only the packets of one protocol, the expression is simply the name of the protocol. The expression is: http
(2) To capture the packets of several protocols, join the protocol names with logical operators. The expression is: http or telnet (several protocols combined with logical operators)
(3) The expression that excludes a protocol is: not arp, or in the other negation form, !tcp
3. Filtering by port (this depends on the protocol)
(1) The expression that captures packets on a single port is: tcp.port == 80
(2) Packets on several ports can be captured by joining conditions with and; the following expression captures the high-numbered ports: udp.port >= 2048
4. Filtering by length and content
(1) Filtering by length (the length referred to here is the length of the data segment). The expressions are: udp.length < 20 and http.content_length <= 20
(2) Filtering by packet content. The expression is: http.request.uri matches "Vipscu" (matches HTTP requests whose URI contains the string Vipscu)
Once these basic functions have been learned and tried out, they can be applied flexibly; this is only a primer. The following are more complex examples, written in capture-filter syntax (from the Wireshark Illustrated tutorial):
tcp dst port 3128
Displays packets whose destination TCP port is 3128.
ip src host 10.1.1.1
Displays packets whose source IP address is 10.1.1.1.
host 10.1.2.3
Displays packets whose source or destination IP address is 10.1.2.3.
src portrange 2000-2500
Displays UDP or TCP packets whose source port is in the range 2000 to 2500.
not icmp
Displays all packets except ICMP (ICMP is usually what the ping tool uses).
src host 10.7.2.12 and not dst net 10.200.0.0/16
Displays packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Displays packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies within the network 10.0.0.0/8.
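To make the display-filter semantics above concrete (two-sided fields such as ip.addr and tcp.port, negation with !(...), and bare protocol names), here is a small evaluator that applies that subset of Wireshark display-filter syntax to constructed packet records. It is an added example, not code from the original article or from Wireshark; the packet dicts are constructed samples, and the tcpdump-style capture-filter examples just above use a different syntax that this evaluator does not cover.

```python
import operator
import re

# Comparison operators used in the article; "matches" is a case-insensitive regex search
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "matches": lambda a, b: re.search(b, a, re.I) is not None}
# Two-sided fields match either direction, which is why ip.addr catches both src and dst
TWO_SIDED = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
             "udp.port": ("udp.srcport", "udp.dstport")}

def tokenize(text):
    text = text.replace("= =", "==")            # tolerate the article's spaced-out form
    return re.findall(r'\(|\)|!=|==|<=|>=|<|>|!|"[^"]*"|[^\s()!=<>"]+', text)
def compare(actual, op, raw):
    try:                                        # numeric fields (ports, lengths) compare as ints
        return OPS[op](int(actual), int(raw))
    except (ValueError, TypeError):
        return OPS[op](str(actual), raw)        # addresses, URIs and regex matches as strings

def match(filter_text, pkt):
    # True if the constructed packet dict satisfies the display filter (recursive descent)
    toks = tokenize(filter_text)
    peek = lambda: toks[0] if toks else None
    def expr():                                 # expr := term ("or" term)*
        val = term()
        while peek() in ("or", "||"):
            toks.pop(0); val = term() or val    # call term() first so its tokens are consumed
        return val
    def term():                                 # term := factor ("and" factor)*
        val = factor()
        while peek() in ("and", "&&"):
            toks.pop(0); val = factor() and val
        return val
    def factor():                               # factor := ("not"|"!") factor | "(" expr ")" | atom
        tok = toks.pop(0)
        if tok in ("not", "!"):
            return not factor()
        if tok == "(":
            val = expr(); toks.pop(0)           # consume the closing ")"
            return val
        if peek() in OPS:                       # field comparison; a field absent from the packet never matches
            op, raw = toks.pop(0), toks.pop(0).strip('"')
            return any(compare(pkt[f], op, raw) for f in TWO_SIDED.get(tok, (tok,)) if f in pkt)
        return tok in pkt["protocols"]          # bare protocol name such as http, telnet or arp
    return expr()

PACKETS = [  # constructed samples, not captured traffic: an HTTP request, a UDP datagram, an ARP frame
    {"protocols": {"ip", "tcp", "http"}, "ip.src": "192.168.0.1", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51234, "tcp.dstport": 80, "http.request.uri": "/blog/vipscu"},
    {"protocols": {"ip", "udp"}, "ip.src": "10.0.0.5", "ip.dst": "192.168.0.1",
     "udp.srcport": 5000, "udp.dstport": 2048, "udp.length": 16}, {"protocols": {"arp"}}]
```

Note that, as in Wireshark, a comparison on a field the packet does not carry is false, so !(ip.src == 192.168.0.1) also keeps the ARP frame, which has no ip.src at all.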
This article may be reproduced; crediting the original source is a mark of respect for the author, so please indicate the original source:
http://vipscu.blog.163.com/blog/static/181808372201131141348134/
Linux tcpdump Command: A Brief Introduction
The simplest definition of tcpdump is: dump the traffic on a network, that is, a packet analysis tool that captures packets on the network according to the user's definition. tcpdump can capture the headers of the packets transmitted on the network and analyse them. It supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, and not to help you discard useless information.
Practical Command Examples
Default startup
tcpdump
Normally, starting tcpdump with no arguments monitors all packets flowing through the first network interface.
Monitoring packets on a specified network interface
tcpdump -i eth1
If you do not specify a network interface, by default tcpdump only monitors the first network interface, typically eth0; the examples below do not specify a network interface.
Monitoring packets for a specified host
Print all packets entering or leaving sundown.
tcpdump host sundown
You can also specify an IP address, for example to capture all packets received and sent by host 210.27.48.1:
tcpdump host 210.27.48.1
Print the packets exchanged between helios and either hot or ace.
tcpdump host helios and \( hot or ace \)
Capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:
tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)
Print the IP packets exchanged between ace and any other host, excluding packets involving helios.
tcpdump ip host ace and not helios
To obtain the IP packets that host 210.27.48.1 exchanges with all hosts except host 210.27.48.2, use the command:
tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Capture all data sent by host hostname
tcpdump -i eth0 src host hostname
Monitor all packets sent to host hostname
tcpdump -i eth0 dst host hostname
Monitor packets for the specified host and port
To obtain the telnet packets that host 210.27.48.1 receives or sends, use the following command (tcpdump resolves the service name telnet to its port):
tcpdump tcp port telnet and host 210.27.48.1
Monitor UDP port 123 on this machine (123 is the NTP service port):
tcpdump udp port 123
Monitoring packets for a specified network
Print all communication packets between the local host and hosts on the Berkeley network (NT:UCB-E