Wireshark basic usage and filter rules

Source: Internet
Author: User

Wireshark basic syntax, basic usage, and display filter rules:

1. Filter by IP address, for example packets whose source or destination IP equals a given address:

ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
ip.addr eq 192.168.1.107 // matches the address as either source or destination

Example of the Wireshark GUI running on Linux; the other filter rules below are entered the same way.

ip.src eq 10.175.168.182

Example:

Tip: when you type a filter into the Filter box, the box turns red if the syntax is invalid and green if it is valid.


2. Filter by port. Examples:

tcp.port eq 80 // matches TCP packets with port 80 as either source or destination
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP destination port 80
tcp.srcport == 80 // only TCP source port 80

udp.port eq 15000

Filter a port range: tcp.port >= 1 and tcp.port <= 80

3. Filter by protocol. Examples: tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp

Exclude ARP packets: !arp or not arp


4. Filter by MAC address (eth refers to the Ethernet header):

eth.dst == A0:00:00:04:C5:84 // filter on the destination MAC
eth.src eq A0:00:00:04:C5:84 // filter on the source MAC
eth.dst == A0:00:00:04:C5:84
eth.dst == A0-00-00-04-C5-84
eth.addr eq A0:00:00:04:C5:84 // packets whose source or destination MAC equals A0:00:00:04:C5:84

Comparison operators:

lt  (<)   less than
le  (<=)  less than or equal to
eq  (==)  equal to
gt  (>)   greater than
ge  (>=)  greater than or equal to
ne  (!=)  not equal to

5. Filter by packet length. Examples:

udp.length == 26 // the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload only (the data below TCP), not counting the TCP header itself
ip.len == 94 // everything except the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the frame
frame.len == 119 // the length of the whole frame, from the Ethernet header to the end

Layering: eth -> ip or arp -> tcp or udp -> data


6. HTTP filtering examples:

http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

// GET packets
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
// POST packets
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
// response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
// a response of this kind must contain Content-Type:

7. TCP parameter filtering:

tcp.flags // packets that carry TCP flags
tcp.flags.syn == 1 // packets with the SYN flag set (tcp.flags == 0x002 matches SYN with no other flag)
tcp.window_size == 0 && tcp.flags.reset != 1

8. Packet content (byte slice) filtering -----------------------------------------------

tcp[20] takes 1 byte starting at offset 20 of the TCP segment.
tcp[20:] takes everything from offset 20 to the end of the segment.
Note: some of the expressions inside the dashed lines failed when I tested them on my Wireshark (Linux).
------------------------------------------------
tcp[20:8] takes 8 bytes starting at offset 20, i.e. the form is tcp[offset:n].

udp[8:3] == 81:60:03 // skip 8 bytes, then take 3 bytes; is the slice equal to the value after ==?
udp[8] == 32
If I am not mistaken, the general form is udp[offset:count] == value
eth.addr[0:3] == 00:06:5B

Example: check whether the first three bytes of the UDP payload are 0x20 0x21 0x22. The UDP header is always 8 bytes, so: udp[8:3] == 20:21:22

Check whether the first three bytes of the TCP payload are 0x20 0x21 0x22. The TCP header is usually 20 bytes, so tcp[20:3] == 20:21:22; if the header is not 20 bytes, you first need to know the actual TCP header length.

matches (regular expression) and contains (substring) syntax:

ip.src == 192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22" ------??? --------
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets that contain 0x7c7c7d7d anywhere in the payload, not necessarily at the first byte


------------------------------------ Not understood: begin ------------------------------------

Example: capture the local QQ login packets (condition: the first byte of the payload is 0x02, the fourth and fifth bytes are 0x00 0x22, the last byte is 0x03), i.e. 0x02 xx 0x00 0x22 ... 0x03. How should this be written? ???

udp[11:2] == 00:00 // command number 00:00
udp[11:2] == 00:80 // command number 00:80; when the command number is 00:80 the QQ number is 00:00:00:00

Get the account of a successful MSN login (condition "USR 7 OK": the first three bytes are USR, two 0x20-separated fields later comes OK, OK is followed by one 0x20 and then the e-mail address), i.e. USR xx OK mail@hotmail.com. Correct filter:

msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+"

------------------------------------- Not understood: end -------------------------------------

9. DNS filtering

10. DHCP. Note: the display filter keyword for DHCP is not dhcp or DHCP but bootp (Wireshark 3.0 and later renamed the fields to dhcp, e.g. dhcp.type). Taking the hunt for a rogue DHCP server as an example of Wireshark usage: add a display filter that shows every DHCP server reply (bootp.type == 0x02, i.e. Offer/ACK/NAK) that does not come from the legitimate server:

bootp.type == 0x02 and not ip.src == 192.168.1.1

11. MSN (msnms)

msnms && tcp[23] == 20 // the fourth byte of the MSN payload is 0x20
msnms && tcp[20] >= 41 && tcp[20] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22] >= 41 && tcp[22] <= 5A
msnms && tcp[20:3] == "USR" // packets whose command is USR
msnms && tcp[20:3] == "MSG" // packets whose command is MSG
tcp.port == 1863 || tcp.port == 80

How do I decide whether a packet is an MSN packet carrying a command? 1) The port is 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80. 2) The first three bytes of the payload are uppercase letters, e.g. tcp[20] >= 41 && tcp[20] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22] >= 41 && tcp[22:1] <= 5A. 3) The fourth byte is 0x20, e.g. tcp[23] == 20. 4) MSN runs over TCP, e.g. tcp.
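The byte-slice, contains and matches operators of section 8 and the four-condition MSN heuristic above are easier to reason about when run against bytes. The following added example (not code from the original post) evaluates those filters in Python over constructed TCP segments: tcp_slice is tcp[offset:count], tcp_contains is "tcp contains", tcp_matches is "tcp[offset:] matches", and is_msn_command applies conditions 1 to 4. Unlike the page's filters, which hard-code offset 20, it reads the real TCP header length, so it also works when options are present. The segments, ports and the USR reply are made up; the regex is the one from the MSN login example.

```python
import re
import struct

# Added example: Wireshark byte-slice filters (tcp[offset:n], contains, matches) and the
# MSN command heuristic from section 11, evaluated on constructed TCP segments.

def segment(payload, sport=40000, dport=1863):
    """Constructed 20-byte TCP header (data offset 5, PSH+ACK) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def header_len(seg):
    """TCP header length in bytes; the page assumes 20, this reads the data offset field."""
    return (seg[12] >> 4) * 4

def tcp_slice(seg, offset, count=None):
    """tcp[offset:count]; count=None is tcp[offset:], everything to the end."""
    return seg[offset:] if count is None else seg[offset:offset + count]

def tcp_contains(seg, needle):
    """tcp contains <bytes>: the needle may sit anywhere in the segment."""
    return needle in seg

def tcp_matches(seg, offset, pattern):
    """tcp[offset:] matches <regex>: a bytes regex applied to the slice."""
    return re.search(pattern, tcp_slice(seg, offset), re.DOTALL) is not None

def is_msn_command(seg):
    """Conditions 1-4 from the text: port 1863 or 80, three uppercase letters, then 0x20, over TCP."""
    sport, dport = struct.unpack("!HH", seg[:4])
    if not {sport, dport} & {1863, 80}:               # tcp.port == 1863 || tcp.port == 80
        return False
    hl = header_len(seg)
    cmd = tcp_slice(seg, hl, 3)                       # tcp[20:3] when the header is 20 bytes
    if len(cmd) < 3 or not all(0x41 <= b <= 0x5A for b in cmd):   # tcp[20..22] in 41..5A
        return False
    return tcp_slice(seg, hl + 3, 1) == b"\x20"       # tcp[23] == 20

# Regex from the MSN login example: USR <digits> OK <anything>
USR_OK = rb"^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+"

def msn_login_account(seg):
    """Account from a 'USR <trid> OK <mail>' reply, or None if the regex does not match."""
    hl = header_len(seg)
    if not tcp_matches(seg, hl, USR_OK):
        return None
    return tcp_slice(seg, hl).split(b"\x20")[3].strip().decode()

# Constructed samples (hypothetical traffic, not captures).
USR_REPLY = segment(b"USR 7 OK mail@hotmail.com\r\n", sport=1863, dport=40000)
MSG_CMD = segment(b"MSG 12 N 100\r\n")
HTTP_GET = segment(b"GET / HTTP/1.1\r\n", dport=80)
OTHER = segment(b"\x02\x12\x21\x00\x22hello", dport=8000)

if __name__ == "__main__":
    for name, seg in [("USR", USR_REPLY), ("MSG", MSG_CMD), ("HTTP", HTTP_GET), ("OTHER", OTHER)]:
        print(name, tcp_slice(seg, 20, 3), is_msn_command(seg), msn_login_account(seg))
```

Running it shows why the page's filters all start with msnms &&: the four byte-level conditions alone also accept the HTTP request "GET / HTTP/1.1" on port 80, so the heuristic needs the dissector's protocol identification in front of it.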

MSN Messenger protocol analysis http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN protocol http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

More detailed description: "Introduction to Wireshark filter expression examples" http://www.csna.cn/viewthread.php?tid=14614

Wireshark main interface menus, Chinese/English comparison: http://www.csna.cn/viewthread.php?tid=9645&extra=page=1

12. Characters with special meaning in Wireshark string syntax:
