Wireshark basic usage and packet filter rules
Wireshark basic syntax, basic usage, and packet filter rules:

1. Filter by IP address, for example a source or destination IP address equal to a given address
Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or
ip.addr eq 192.168.1.107 // matches both the source and the destination IP address

Screenshot example of the Wireshark graphical window running on Linux; the other filter rules are applied the same way.
Example:
ip.src eq 10.175.168.182
Tip: in the Filter edit box, if the syntax of the filter you type is incorrect the box turns red; if it is correct it turns green.
2. Filter by port
Example:
tcp.port eq 80 // shown whether 80 is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP destination port 80
tcp.srcport == 80 // only TCP source port 80
udp.port eq 15000
Filter a port range: tcp.port >= 1 and tcp.port <= 80
3. Filter by protocol
Example: tcp udp arp icmp http smtp ftp dns msnms ip ssl oicq bootp, and so on
Exclude ARP packets: !arp or not arp
4. Filter by MAC address (filtering on the Ethernet header)
eth.dst == A0:00:00:04:C5:84 // filter on the destination MAC
eth.src eq A0:00:00:04:C5:84 // filter on the source MAC
eth.dst == A0:00:00:04:C5:84
eth.dst == A0-00-00-04-C5-84
eth.addr eq A0:00:00:04:C5:84 // filter on source MAC as well as destination MAC equal to A0:00:00:04:C5:84

Comparison operators:
less than                 <    lt
less than or equal to     <=   le
equal to                  ==   eq
greater than              >    gt
greater than or equal to  >=   ge
not equal to              !=   ne
5. Filter by packet length
Example:
udp.length == 26 // this length is the fixed 8-byte UDP header plus the data carried below UDP
tcp.len >= 7 // the data carried below TCP (the TCP payload), not including the TCP header itself
ip.len == 94 // everything except the fixed 14-byte Ethernet header counts as ip.len, i.e. from the IP header to the end of the frame
frame.len == 119 // the length of the whole frame, from the Ethernet header to the end
Layering: eth -> ip or arp -> tcp or udp -> data
6. HTTP filtering
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

// GET packets
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packets
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
A response must contain the following header:
Content-Type:
7. TCP parameter filtering
tcp.flags // packets that carry TCP flags
tcp.flags.syn == 0x02 // packets with the TCP SYN flag set
tcp.window_size == 0 && tcp.flags.reset != 1
8. Filtering on packet content
-----------------------------------------------
tcp[20] means start at offset 20 and take 1 byte
tcp[20:] means start at offset 20 and take everything from there on (1 or more bytes)
tcp[20:8] means start at offset 20 and take 8 bytes
General form: tcp[offset:n]
Note: some of the content between the dotted lines failed the test on my Wireshark (Linux).
------------------------------------------------
udp[8:3] == 81:60:03 // skip 8 bytes, then take 3 bytes: are they equal to the data after ==?
udp[8:1] == 32 // if I am not mistaken, the form should be udp[offset:count] == value
eth.addr[0:3] == 00:06:5B

Example:
Determine whether the first three bytes of the data below UDP are 0x20 0x21 0x22. We all know the UDP header has a fixed length of 8:
udp[8:3] == 20:21:22
Determine whether the first three bytes of the data below TCP are 0x20 0x21 0x22. The TCP header is normally 20 bytes, but it is not always 20, so to be exact you should first know the TCP header length:
tcp[20:3] == 20:21:22

matches (regular-expression match) and contains (contains a string) syntax:
ip.src == 192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22" ------???--------
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily from the first byte

------------------------------------ Not understood: Begin ------------------------------------
Example: get the local QQ login packets (the condition is that the first byte == 0x02, the fourth and fifth bytes equal 0x00 0x22, and the last byte equals 0x03):
0x02 xx 0x00 0x22 ... 0x03
How do I write this filter? ???
udp[] == ... indicates the command number; udp[] == 00:80 indicates the command number is 00:80. When the command number is 00:80, the QQ number is 00:00:00:00.
Get the account that successfully logged on to MSN (the condition is "USR 7 OK", i.e. the first three bytes are USR, then through two 0x20 separators (with the number between them) to OK; OK is followed by one 0x20 character and then the mail address):
USR xx OK mail@hotmail.com
Correct:
msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^USR\\x20[\\x30-\\x39]+\\x20OK\\x20[\\x00-\\xff]+"
------------------------------------- Not understood: End -------------------------------------
9. DNS filtering
10. DHCP
Note: the display filter keyword for the DHCP protocol is neither dhcp nor DHCP but bootp (in Wireshark 3.0 and later the dissector was renamed, and dhcp works there).
Take the search for a rogue (forged) DHCP server as an example of Wireshark usage. Add a rule to the display filter that shows all bootp.type == 0x02 (Offer/Ack/NAK) messages that did not come from the legitimate DHCP server:
bootp.type == 0x02 and not ip.src == 192.168.1.1
11. MSN
msnms && tcp[23:1] == 20 // MSN packets whose fourth payload byte is 0x20
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
msnms && tcp[20:3] == "USR" // find packets whose command code is USR
msnms && tcp[20:3] == "MSG" // find packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80

How can I tell whether a packet is an MSN packet carrying a command code?
1) The port is 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80
2) The first three bytes of the data segment are uppercase letters, e.g. tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
3) The fourth byte is 0x20, e.g. tcp[23:1] == 20
4) MSN runs over TCP, e.g. tcp
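The slice filters above hard-code offset 20 as the start of the TCP payload, and section 8 warns that the header is not always 20 bytes. The following added example (not part of the original article) builds two constructed TCP segments, one with a 20-byte header and one carrying a 4-byte MSS option, and shows how tcp[20:3] == "USR" misfires on the second while reading the data offset from the header (tcp.hdr_len) keeps the MSN command check correct; the segment builder and payload are assumptions made for this illustration.

```python
import struct

# Constructed TCP payload for illustration (sample data, not taken from a real capture).
PAYLOAD = b"USR 7 OK mail@hotmail.com\r\n"

def tcp_segment(payload, options=b""):
    """Build a TCP header (ports 1863 -> 50000, PSH|ACK) followed by the payload.
    The data-offset nibble is derived from the real header length, as on the wire."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    hdr_len = 20 + len(options)
    offset_and_flags = ((hdr_len // 4) << 12) | 0x018   # data offset in words | PSH|ACK
    header = struct.pack("!HHIIHHHH", 1863, 50000, 1, 1, offset_and_flags, 65535, 0, 0)
    return header + options + payload

def tcp_slice(segment, offset, n=1):
    """The display-filter slice tcp[offset:n]; n=None stands for tcp[offset:] (to the end)."""
    return segment[offset:] if n is None else segment[offset:offset + n]

def hexbytes(text):
    """Colon-separated hex as written in filters (e.g. 20:21:22) -> bytes."""
    return bytes.fromhex(text.replace(":", ""))

def payload_offset(segment):
    """tcp.hdr_len: data offset nibble * 4, instead of assuming a 20-byte header."""
    return (segment[12] >> 4) * 4

def looks_like_msn_command(segment):
    """The page's rule (three uppercase letters 0x41-0x5A, then 0x20), but
    evaluated from the real payload offset rather than a hard-coded 20."""
    off = payload_offset(segment)
    cmd = tcp_slice(segment, off, 3)
    return (len(cmd) == 3 and all(0x41 <= b <= 0x5A for b in cmd)
            and tcp_slice(segment, off + 3, 1) == hexbytes("20"))

plain = tcp_segment(PAYLOAD)                                   # 20-byte header
with_opts = tcp_segment(PAYLOAD, options=b"\x02\x04\x05\xb4")  # 24-byte header (MSS option)

if __name__ == "__main__":
    # tcp[20:3] == "USR" only holds while the header really is 20 bytes
    print(tcp_slice(plain, 20, 3) == b"USR")       # True
    print(tcp_slice(with_opts, 20, 3) == b"USR")   # False: offset 20 lands on the MSS option
    print(looks_like_msn_command(plain), looks_like_msn_command(with_opts))  # True True
```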
12. Wireshark string filter syntax
Rules similar to regular expressions.

1. Basic syntax characters
\d    a digit 0-9
\D    the complement of \d (taking all characters as the universe, likewise below), i.e. every non-digit character
\w    a word character: upper/lowercase letters, digits 0-9 and underscore (_)
\W    the complement of \w
\s    a whitespace character, including newline \n, carriage return \r, tab \t, vertical tab \v and form feed \f
\S    the complement of \s
.     any character except newline \n. In Perl, a pattern in which "." can also match a newline is said to be in "single-line mode"
.*    matches any text not containing a newline (\n)?
[\x00-\xff]*   matches any text, including \n
[…]   matches any of the characters listed in []
[^…]  matches any character not listed in []
----------------------------
2. Anchors (positioning characters)
An anchor stands for a virtual character: it denotes a position. You can also picture an "anchor" as the tiny gap between one character and the next.
^     the character after it must be at the start of the string
$     the character before it must be at the end of the string
\b    matches a word boundary
\B    matches a non-word boundary
------------------------------
3. Repetition characters
{n}    matches the preceding character exactly n times
{n,}   matches the preceding character n or more times
{n,m}  matches the preceding character n to m times
?      matches the preceding character 0 or 1 times
+      matches the preceding character 1 or more times
*      matches the preceding character 0 or more times
------------------------------
4. Combining with and / or
and, or; for example: tcp and tcp.port == 80    tcp or udp
------------------------------
5. Wireshark filter matching expression examples
5.1 Filtering on the UDP data segment (payload). The number 8 means the UDP header is 8 bytes, so the data part starts at the 9th byte: udp[8:]
udp[8] == 14 // 14 is hexadecimal 0x14: matches UDP packets whose first payload byte is 0x14
udp[8:2] == 14:05 // can also be written udp[8:2] == 1405; only two consecutive bytes may be written without a separator, three or more must be separated with colons to denote hexadecimal (equivalent to udp[8] == 14 and udp[9] == 05; 1405 is 0x1405)
udp[8:3] == 22:00:f7 // but not udp[8:3] == 2200f7
udp[8:4] == 00:04:00:2a // matches the first four payload bytes 0x0004002a
whereas udp contains 7c:7c:7d:7d matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily from the first byte
udp[8:4] matches "\\x14\\x05\\x07\\x18"
udp[8:] matches "^\\x14\\x05\\x07\\x18\\x14"

5.2 Filtering on the TCP data segment (payload). The number 20 means the TCP header is 20 bytes, so the data part starts at the 21st byte: tcp[20:]
tcp[20:] matches "^GET [ -~]*HTTP/1.1\\x0d\\x0a" // equivalent to http matches "^GET [ -~]*HTTP/1.1\\x0d\\x0a"
tcp[20:] matches "^GET (.*?)HTTP/1.1\\x0d\\x0a"
tcp[20:] matches "^GET (.*?)HTTP/1.1\\x0d\\x0a[\\x00-\\xff]*Host: (.*?)pplive(.*?)\\x0d\\x0a"
tcp[20:] matches "^GET (.*?)HTTP/1.1\\x0d\\x0a[\\x00-\\xff]*Host: "
tcp[20:] matches "^POST / HTTP/1.1\\x0d\\x0a[\\x00-\\xff]*\\x0d\\x0aConnection: Keep-Alive\\x0d\\x0a\\x0d\\x0a"

Check the SMB marker of the SMB header; this says the SMB marker is matched starting at byte 24 from the start of the TCP header:
tcp[24:4] == ff:53:4d:42
Check the SMB marker of the SMB header; the TCP data contains the hexadecimal bytes ff:53:4d:42, searched from the start of the TCP header:
tcp contains ff:53:4d:42
tcp matches "\\xff\\x53\\x4d\\x42"
Check that TCP contains the hexadecimal bytes 01:bd, searched from the start of the TCP header:
tcp matches "\\x01\\xbd"
Check the RPC request path used by MS08-067 (the path string \..\.. in 16-bit characters):
tcp[179:13] == 00:5c:00:2e:00:2e:00:5c:00:2e:00:2e:00

5.3 Other
http.request.uri matches ".gif$" // matches HTTP request packets whose request URI contains the string .gif and ends with .gif (4 bytes); here $ is the regular-expression end anchor
Note the difference: http.request.uri contains ".gif$" // contains is a different check: it looks for the literal string .gif$ (5 bytes), so this matches HTTP request packets whose URI contains .gif$ (here $ is an ordinary character, not an end anchor)
eth.addr[0:3] == 00:1e:4f // filters packets whose MAC address begins with the three bytes 0x001e4f
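The difference between matches and contains in 5.3, and the MSN login regex from section 8, both come down to how the two operators treat their argument: contains is a case-sensitive byte search, matches is a case-insensitive PCRE search in which "." is any character and $ is an anchor. The following added example (not part of the original article) reproduces those semantics in Python against constructed sample URIs and a constructed MSN reply line; the helper names and the sample values are assumptions made for this illustration.

```python
import re

# Constructed sample values (not from a capture): HTTP request URIs and an MSN login reply.
URIS = [b"/img/logo-edu.gif", b"/img/logo.GIF", b"/dl/logo.gif$", b"/img/logo.gif?v=2"]
MSN_LINE = b"USR 7 OK mail@hotmail.com\r\n"

def dfilter_contains(field, needle):
    """Wireshark 'contains': byte-exact substring search, case-sensitive."""
    return needle in field

def dfilter_matches(field, pattern):
    """Wireshark 'matches': a PCRE search anywhere in the field. Wireshark applies
    the pattern case-insensitively by default and '.' does not match a newline,
    so re.IGNORECASE without re.DOTALL reproduces that behaviour."""
    return re.search(pattern, field, re.IGNORECASE) is not None

def classify_uri(uri):
    """The page's .gif$ comparison: regex end anchor versus a literal 5-byte string."""
    return {
        "matches .gif$": dfilter_matches(uri, rb".gif$"),   # ends in gif ('.' is any char)
        "contains .gif$": dfilter_contains(uri, b".gif$"),  # the literal bytes . g i f $
        "contains .gif": dfilter_contains(uri, b".gif"),    # case-sensitive: misses .GIF
    }

# The page's MSN login pattern: USR, 0x20, digits, 0x20, OK, 0x20, then anything
MSN_USR_OK = rb"^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+"

def msn_login_mail(payload):
    """Return the mail address from a 'USR <trid> OK <mail>' line, else None
    (the same structure the page's regex matches, with the address captured)."""
    m = re.match(rb"^USR\x20[\x30-\x39]+\x20OK\x20([^\x20\x0d\x0a]+)", payload)
    return m.group(1) if m else None

if __name__ == "__main__":
    for uri in URIS:
        print(uri, classify_uri(uri))
    print(dfilter_matches(MSN_LINE, MSN_USR_OK), msn_login_mail(MSN_LINE))
```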