Wireshark basic usage and filter rules
Wireshark basic syntax, basic usage, and packet filter rules:
1. Filtering by IP address, e.g. packets whose source or destination IP address equals a given address.
Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
ip.addr eq 192.168.1.107 // matches packets whose source or destination IP address is 192.168.1.107
The Wireshark GUI window example shown here is running on Linux; filter rules work the same way on other platforms.
ip.src eq 10.175.168.182
Example:
Tip: in the Filter edit box, if the syntax of the filter you type is incorrect, the box turns red; if it is correct, it turns green.
2. Port filtering examples:
tcp.port eq 80 // matches tcp packets where either the source or the destination port is 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only tcp packets with destination port 80
tcp.srcport == 80 // only tcp packets with source port 80
udp.port eq 15000
Port range: tcp.port >= 1 and tcp.port <= 80
3. Protocol filtering examples: tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp
Exclude arp packets: !arp or not arp
4. MAC address filtering (eth refers to the Ethernet header):
eth.dst == A0:00:00:04:C5:84 // filter by destination MAC
eth.src eq A0:00:00:04:C5:84 // filter by source MAC
eth.dst == A0:00:00:04:C5:84
eth.dst == A0-00-00-04-C5-84 // dashes are accepted as separators too
eth.addr eq A0:00:00:04:C5:84 // matches packets whose source or destination MAC is A0:00:00:04:C5:84
Comparison operators (each has an English form and a C-style form; a single = is not a valid operator, use == or eq):
less than: lt, <
less than or equal: le, <=
equal: eq, ==
greater than: gt, >
greater than or equal: ge, >=
not equal: ne, !=
5. Packet length filtering examples:
udp.length == 26 // the fixed 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload only (the data carried below tcp), excluding the TCP header
ip.len == 94 // everything except the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
frame.len == 119 // the whole frame, from the Ethernet header to the end
Encapsulation order: eth -> ip or arp -> tcp or udp -> data
6. HTTP filtering examples:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
// POST packets
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
// response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
The following Content-Type values must be included:
7. TCP flag filtering:
tcp.flags // packets that contain the TCP flags field
tcp.flags.syn == 1 // packets with the SYN flag set (tcp.flags.syn is a boolean field; 0x02 is the value of the SYN bit inside tcp.flags, so tcp.flags == 0x02 matches packets with only SYN set)
tcp.window_size == 0 && tcp.flags.reset != 1
8. Packet content (byte offset) filtering -----------------------------------------------
tcp[20] means take 1 byte at offset 20 of the tcp segment.
tcp[20:] means take everything from offset 20 to the end of the segment.
Note: some of the content between the dashed lines failed the test on my Wireshark (Linux).
------------------------------------------------
tcp[20:8] means tcp[offset:n]: take 8 bytes starting at offset 20.
udp[8:3] == 81:60:03 // skip 8 bytes, then take 3 bytes; is it equal to the value after ==?
udp[8] == 32 // if I am not mistaken, the form is udp[offset:count] == value
eth.addr[0:3] == 00:06:5B
Example: check whether the first three bytes of the UDP payload are 0x20 0x21 0x22. The UDP header is a fixed 8 bytes, so: udp[8:3] == 20:21:22
Check whether the first three bytes of the TCP payload are 0x20 0x21 0x22: tcp[20:3] == 20:21:22. The TCP header is normally 20 bytes, but if it is not 20 (TCP options present) you must first know the TCP header length.
matches (regular expression) and contains (byte or string sequence) syntax:
ip.src == 192.168.1.107 and udp[8:5] matches "\x02\x12\x21\x00\x22" ------??? --------
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets that contain 0x7c7c7d7d anywhere in the datagram, not necessarily from the first byte; note that the 8 header bytes are searched too, so use udp[8:] contains 7c:7c:7d:7d to restrict the search to the payload
------------------------------------ Not understood: begin ------------------------------------
Example: get the local QQ login packet (the condition is that the first payload byte == 0x02, the fourth and fifth bytes equal 0x00 0x22, and the last byte equals 0x03): 0x02 xx 0x00 0x22 ... 0x03. How should this be written? ???
udp[11:2] == 00:00 indicates the command number is 00:00
udp[11:2] == 00:80 indicates the command number is 00:80. When the command number is 00:80, the QQ number is 00:00:00:00
Get the account that successfully logs on to MSN (the condition is "USR 7 OK": the first three bytes are USR, then OK is reached after two 0x20 bytes with the digits between them, and OK is followed by one 0x20 and then the mail address): USR xx OK mail@hotmail.com
Correct: msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+"
------------------------------------- Not understood: end ---------------------------------------------------------------------------------------
9. DNS filtering
10. DHCP note: the display filter keyword for the DHCP protocol is not dhcp or DHCP but bootp (this holds for Wireshark versions before 3.0; from 3.0 on the dissector was renamed, so the fields are dhcp.type, dhcp.option.dhcp and so on). Take hunting for a rogue DHCP server as an example of Wireshark usage: add a display filter that shows the bootp.type == 0x02 (BOOTREPLY: Offer/Ack/NAK) messages sent by every server other than the legitimate one: bootp.type == 0x02 and not ip.src == 192.168.1.1
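As an added example that is not from the original post, the rogue-server hunt above written as detection code rather than a display filter: it builds a few constructed BOOTP/DHCP messages, applies the same "BOOTREPLY and source is not the trusted server" test, and additionally compares DHCP option 54 (server identifier) with the trusted address, which also catches a reply whose IP source address has been spoofed to the trusted server. The addresses 192.168.1.1 (trusted, from the page's filter), 192.168.1.254 (rogue) and the client are made up, and the server-identifier check is my addition, not something the post describes.

```python
import struct
from ipaddress import IPv4Address

# Constructed BOOTP/DHCP messages, not from a capture: 192.168.1.1 is the trusted
# server from the page's filter, 192.168.1.254 is a made-up rogue server.

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the fixed BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2                   # bootp.type / dhcp.type values
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK = 1, 2, 5   # option 53 message types

def build_dhcp(op, msg_type, server_id, yiaddr="0.0.0.0", xid=0x3903F326):
    """Fixed 236-byte BOOTP header, magic cookie, option 53 (type), option 54 (server id), end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(server_id).packed,
                        b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    if server_id != "0.0.0.0":                  # a client DISCOVER carries no server identifier
        options += bytes([54, 4]) + IPv4Address(server_id).packed
    return fixed + MAGIC + options + b"\xff"

def parse_options(payload):
    """Option code -> value for the TLV option block that ends with 0xff (pad bytes skipped)."""
    opts, i = {}, 240                           # 236-byte header + 4-byte cookie
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_dhcp_replies(packets, trusted_server):
    """The page's filter 'bootp.type == 2 and not ip.src == <trusted>' as code, plus a check
    of option 54 (server identifier) so a reply spoofed with the trusted source address
    but carrying another server's identifier is flagged as well."""
    trusted = IPv4Address(trusted_server)
    findings = []
    for src_ip, payload in packets:             # (IP source address, UDP payload) pairs
        if payload[0] != BOOTREPLY or payload[236:240] != MAGIC:
            continue
        opts = parse_options(payload)
        server_id = IPv4Address(opts[54]) if 54 in opts else None
        if IPv4Address(src_ip) != trusted or server_id != trusted:
            findings.append((src_ip, opts.get(53, b"\0")[0], str(server_id)))
    return findings

SAMPLE = [                                      # constructed exchange on 192.168.1.0/24
    ("192.168.1.107", build_dhcp(BOOTREQUEST, DHCP_DISCOVER, "0.0.0.0")),
    ("192.168.1.1", build_dhcp(BOOTREPLY, DHCP_OFFER, "192.168.1.1", "192.168.1.50")),
    ("192.168.1.254", build_dhcp(BOOTREPLY, DHCP_OFFER, "192.168.1.254", "192.168.1.200")),
    # source address spoofed to the trusted server; the server identifier gives it away
    ("192.168.1.1", build_dhcp(BOOTREPLY, DHCP_ACK, "192.168.1.254", "192.168.1.200")),
]
```

rogue_dhcp_replies(SAMPLE, "192.168.1.1") returns the two suspicious replies as (source address, message type, server identifier) tuples; a pure ip.src filter, like the page's display filter, would report only the first of them.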
11. MSN
msnms && tcp[23] == 20 // MSN packets whose fourth payload byte is 0x20
msnms && tcp[20] >= 41 && tcp[20] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22] >= 41 && tcp[22] <= 5A
msnms && tcp[20:3] == "USR" // find packets whose command code is USR
msnms && tcp[20:3] == "MSG" // find packets whose command code is MSG
tcp.port == 1863 || tcp.port == 80
How do I decide whether a packet is an MSN command packet? 1) The port is 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80. 2) The first three payload bytes are uppercase letters, e.g. tcp[20] >= 41 && tcp[20] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22] >= 41 && tcp[22:1] <= 5A. 3) The fourth byte is 0x20, e.g. tcp[23] == 20. 4) MSN runs over TCP, e.g. tcp. (All of the tcp[20...] offsets assume a 20-byte TCP header without options.)
MSN Messenger protocol analysis: http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx
MSN protocol: http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx
More detailed description, "Introduction to Wireshark filter expression examples": http://www.csna.cn/viewthread.php?tid=14614
Wireshark main interface menu, Chinese/English comparison: http://www.csna.cn/viewthread.php?tid=9645&extra=page=1
12. Wireshark string syntax characters: