Wireshark basic usage and display filter rules

Source: Internet
Author: User

Wireshark basic syntax, basic usage, and packet-filter rules. Field names in display filters are lower case and case-sensitive (ip.src, not IP.SRC).

1. Filter by IP address, for example packets whose source IP or destination IP equals a given address.

Example:

ip.src eq 192.168.1.107
ip.dst eq 192.168.1.107
ip.addr eq 192.168.1.107 // matches the address in either the source or the destination field

The examples below were taken from the Wireshark GUI running on Linux; the other filter operations work the same way and are not repeated.

Example:

ip.src eq 10.175.168.182

Tip: if the expression in the filter edit box has a syntax error, the box turns red; if the expression is correct, it turns green.

2. Filter by port. Example:

tcp.port eq 80 // matches port 80 whether it is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP destination port 80
tcp.srcport == 80 // only TCP source port 80

udp.port eq 15000

Filter a port range: tcp.port >= 1 and tcp.port <= 80

3. Filter by protocol. Example: enter the protocol name on its own, such as tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp, and so on.

Exclude ARP packets: !arp or not arp

4. Filter by MAC address (fields of the Ethernet header):

eth.dst == a0:00:00:04:c5:84 // destination MAC
eth.src eq a0:00:00:04:c5:84 // source MAC
eth.dst == A0:00:00:04:C5:84
eth.dst == A0-00-00-04-C5-84 // upper-case hex and dash separators are accepted as well
eth.addr eq a0:00:00:04:c5:84 // source MAC or destination MAC equal to a0:00:00:04:c5:84

Comparison operators, each with a symbolic and a textual form:

less than: < or lt
less than or equal: <= or le
equal: == or eq
greater than: > or gt
greater than or equal: >= or ge
not equal: != or ne

5. Packet length filters. Example:

udp.length == 26 // the UDP header (fixed 8 bytes) plus the UDP payload
tcp.len >= 7 // the TCP payload (the data carried by TCP), not including the TCP header itself
ip.len == 94 // everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
frame.len == 119 // the whole frame, from the start of the Ethernet header to the end

The layers nest as eth -> ip (or arp) -> tcp (or udp) -> data, so each length field counts from its own header onward.

6. HTTP filters. Example:

http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

GET packets:
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"

POST packets:
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"

Response packets (they must carry a Content-Type: header):
http contains "HTTP/1.1" && http contains "Content-Type:"
http contains "HTTP/1.0" && http contains "Content-Type:"

String comparison and contains are case-sensitive, so "Get" would not match a GET request.

7. TCP flag filters:

tcp.flags // any packet that has a TCP flags field, i.e. every TCP segment
tcp.flags.syn == 1 // packets with the SYN flag set
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window advertisements that are not resets

8. Packet content (byte-slice) filtering

tcp[20] means the single byte at offset 20 of the TCP segment; tcp[20:] means everything from offset 20 to the end of the segment; tcp[20:8] means 8 bytes starting at offset 20. The general form is tcp[offset:n].

Note: the tcp[20] and tcp[20:] forms above were not tested on my Wireshark (Linux).

udp[8:3] == 81:60:03 // skip 8 bytes, then take 3 bytes and compare them with the value after ==
udp[8:1] == 32
If I am not mistaken, the general form is udp[offset:count] == value.
eth.addr[0:3] == 00:06:5b

Example: check whether the first three bytes of the UDP payload are 0x20 0x21 0x22. The UDP header has a fixed length of 8 bytes, so: udp[8:3] == 20:21:22

Check whether the first three bytes of the TCP payload are 0x20 0x21 0x22: tcp[20:3] == 20:21:22. The TCP header is usually 20 bytes, but not always (options lengthen it), so this slice can land inside the header; to be exact you first need the packet's TCP header length (tcp.hdr_len). Newer Wireshark versions expose the payload as its own field, so tcp.payload[0:3] == 20:21:22 does not depend on the header length.

matches (regular expression match) and contains (substring match) syntax:

ip.src == 192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22" // marked as uncertain by the author
ip.src == 192.168.1.107 and udp contains 02:12:21:00:22
ip.src == 192.168.1.107 and tcp contains "GET"
udp contains 7c:7c:7d:7d // matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily at the first byte
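Sections 5 and 8 above describe how the length fields are counted and how the byte-slice and contains operators index into a layer. The Python script below is an added example written for this page (it is not part of the original text and does not use Wireshark itself): it assembles a constructed Ethernet/IPv4/TCP frame with the standard library, computes frame.len, ip.len, tcp.hdr_len and tcp.len the way Wireshark reports them, and evaluates tcp[20:3] == 47:45:54 (the bytes of "GET") against the segment both without and with TCP options, which is the header-length pitfall the text warns about. The MAC and IP addresses, ports and HTTP request in it are made-up sample data.

```python
import struct

# Constructed sample data (not from a real capture): an HTTP request carried in
# an Ethernet II / IPv4 / TCP frame.  MACs, IPs and ports are made up.
PAYLOAD = b"GET /img/logo-edu.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# NOP, NOP, Timestamp (kind 8, length 10): 12 bytes of TCP options, so the TCP
# header becomes 32 bytes and tcp[20:] no longer starts at the payload.
TIMESTAMP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Assemble eth -> ip -> tcp -> data around *payload* (demo frame builder)."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = (20 + len(tcp_options)) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,          # source port, destination port
                      1, 0,               # sequence and acknowledgement numbers
                      data_offset << 4,   # data offset lives in the high nibble
                      0x18,               # flags: PSH, ACK
                      65535, 0, 0)        # window, checksum (left unset), urgent pointer
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp),   # version/IHL, TOS, total length (= ip.len)
                     1, 0, 64, 6, 0,           # id, flags/fragment, TTL, protocol TCP, checksum
                     bytes([192, 168, 1, 107]), bytes([10, 175, 168, 182]))
    eth = bytes.fromhex("a0000004c584") + bytes.fromhex("001e4f112233") + b"\x08\x00"
    return eth + ip + tcp


def parse(frame: bytes) -> dict:
    """Return the lengths Wireshark displays plus the byte ranges the slice syntax indexes."""
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    ip_len = struct.unpack_from("!H", frame, 16)[0]       # ip.len: from the IP header to the end
    tcp_start = 14 + ihl
    tcp_hdr_len = (frame[tcp_start + 12] >> 4) * 4        # tcp.hdr_len from the data offset nibble
    end = 14 + ip_len
    return {
        "frame.len": len(frame),                          # whole frame, Ethernet header included
        "ip.len": ip_len,
        "tcp.hdr_len": tcp_hdr_len,
        "tcp.len": ip_len - ihl - tcp_hdr_len,            # payload only, TCP header excluded
        "tcp": frame[tcp_start:end],                      # what tcp[offset:n] slices index into
        "tcp.payload": frame[tcp_start + tcp_hdr_len:end],
    }


def slice_eq(layer: bytes, offset: int, n: int, value: str) -> bool:
    """Evaluate  proto[offset:n] == aa:bb:cc  (colon- or dash-separated hex) on *layer*."""
    want = bytes.fromhex(value.replace(":", "").replace("-", ""))
    if len(want) != n:
        raise ValueError("value length must equal the slice length")
    return layer[offset:offset + n] == want


def contains(layer: bytes, needle: bytes) -> bool:
    """Evaluate  proto contains <bytes>  : the bytes may appear anywhere in the layer."""
    return needle in layer


if __name__ == "__main__":
    for opts in (b"", TIMESTAMP_OPTIONS):
        f = parse(build_frame(PAYLOAD, opts))
        print({k: v for k, v in f.items() if k.endswith("len")})
        # The page's tcp[20:3] == 20:21:22 idiom assumes a 20-byte TCP header.
        print("tcp[20:3] == 47:45:54 ('GET')  ->", slice_eq(f["tcp"], 20, 3, "47:45:54"))
        print("tcp.payload[0:3] == 47:45:54   ->", slice_eq(f["tcp.payload"], 0, 3, "47:45:54"))
        print("tcp contains 'GET'             ->", contains(f["tcp"], b"GET"))
    # eth.addr[0:3] == a0:00:00: the first three bytes of the destination MAC in this frame
    print("eth.dst[0:3] == a0:00:00 ->", slice_eq(build_frame(PAYLOAD), 0, 3, "a0:00:00"))
```

With no options the slice at offset 20 is the payload and both checks agree; with the 12-byte timestamp option tcp[20:3] reads option bytes and the check fails while the payload-relative slice and contains still succeed.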

---------- Section the author marked "don't understand": begin ----------

Example: capture the local QQ login packet. The condition is: the first byte equals 0x02, the fourth and fifth bytes equal 0x00 0x22, and the last byte equals 0x03, i.e. 0x02 xx xx 0x00 0x22 ... 0x03. How should the filter condition be written?

udp[11:2] == 00:00 // the command number is 00:00
udp[11:2] == 00:80 // the command number is 00:80; when the command number is 00:80 the QQ number is 00:00:00:00

Capture the account of a successful MSN login. The condition is "USR 7 OK": the first three bytes are USR, then after two 0x20-separated fields comes OK, followed by one 0x20 and then the e-mail address, i.e. USR xx OK [email protected]. The correct filter is:

msnms and tcp and ip.addr == 192.168.1.107 and tcp[20:] matches "^usr\\x20[\\x30-\\x39]+\\x20ok\\x20[\\x00-\\xff]+"

---------- Section the author marked "don't understand": end ----------

9. DNS filtering

10. DHCP. Note: the DHCP protocol is not selected with dhcp but with bootp (Wireshark 3.0 renamed the dissector, so on current versions the protocol is dhcp and the field below is dhcp.type). As an example of using Wireshark, look for a rogue DHCP server: add a display filter that shows every server reply, bootp.type == 0x02 (Offer/ACK/NAK), that does not come from the legitimate DHCP server:

bootp.type == 0x02 and not ip.src == 192.168.1.1
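As an added example for the rogue DHCP server check above (written for this page, not part of the original text, and independent of Wireshark), the Python script below applies the same rule, bootp.type == 0x02 and not ip.src == 192.168.1.1, to a constructed DHCP exchange. It builds minimal BOOTP/DHCP payloads, parses the op field (bootp.type; dhcp.type on current Wireshark) and walks the options to read message-type option 53, so each hit also says whether the reply was an Offer, ACK or NAK, and reports every server reply whose source address is not the authorized server. The addresses, client MAC and transaction id are sample values.

```python
import struct

# Legitimate DHCP server on this LAN, the address excluded by the page's filter
# (assumed for the demo).
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}

# DHCP message types carried in option 53 (RFC 2132).
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the DHCP options


def build_dhcp(op: int, msg_type: int, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal BOOTP/DHCP payload (sample data, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                       # op (1 request / 2 reply), htype, hlen, hops
        0x3903F326, 0, 0x8000,             # xid, secs, flags (broadcast bit)
        b"\x00" * 4,                       # ciaddr
        bytes(int(o) for o in yiaddr.split(".")),   # yiaddr: the address being offered
        b"\x00" * 4, b"\x00" * 4,          # siaddr, giaddr
        b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x00" * 10,  # chaddr (client MAC, padded)
        b"\x00" * 64, b"\x00" * 128)       # sname, file
    options = bytes([53, 1, msg_type]) + b"\xff"   # option 53, then the end marker
    return header + MAGIC_COOKIE + options


def dhcp_message_type(payload: bytes):
    """Return (bootp.type, message-type name) by walking the option TLVs of a payload."""
    op = payload[0]
    if payload[236:240] != MAGIC_COOKIE:      # plain BOOTP without DHCP options
        return op, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                        # end option
            break
        if code == 0:                          # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            return op, DHCP_MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return op, None


def rogue_server_replies(packets, authorized=AUTHORIZED_DHCP_SERVERS):
    """Apply  bootp.type == 0x02 and not ip.src == <server>  to (src_ip, payload) pairs."""
    hits = []
    for src_ip, payload in packets:
        op, mtype = dhcp_message_type(payload)
        if op == 2 and src_ip not in authorized:     # server reply from an unexpected host
            hits.append((src_ip, mtype))
    return hits


# Constructed exchange: a client discovers, the real server and a second host both answer.
SAMPLE_PACKETS = [
    ("0.0.0.0",       build_dhcp(1, 1)),                     # DISCOVER from the client
    ("192.168.1.1",   build_dhcp(2, 2, "192.168.1.50")),     # OFFER from the real server
    ("192.168.1.254", build_dhcp(2, 2, "192.168.1.77")),     # OFFER from an unexpected host
    ("0.0.0.0",       build_dhcp(1, 3)),                     # REQUEST from the client
    ("192.168.1.1",   build_dhcp(2, 5, "192.168.1.50")),     # ACK from the real server
    ("192.168.1.254", build_dhcp(2, 6)),                     # NAK from the unexpected host
]

if __name__ == "__main__":
    for src, mtype in rogue_server_replies(SAMPLE_PACKETS):
        print(f"DHCP {mtype} from unauthorized server {src}")
```

The filter keys on the op byte rather than on option 53 because every server reply, whatever its message type, carries op == 2, so a rogue server cannot slip past by answering with an unusual message type.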

11. MSN

msnms && tcp[23:1] == 20 // the fourth payload byte is 0x20: an MSN command packet
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A // the first three payload bytes are upper-case letters (0x41-0x5A)
msnms && tcp[20:3] == "USR" // command code USR
msnms && tcp[20:3] == "MSG" // command code MSG
tcp.port == 1863 || tcp.port == 80

How can I tell whether a packet is an MSN packet carrying a command code?
1) The port is 1863 or 80, e.g. tcp.port == 1863 || tcp.port == 80
2) The first three bytes of the data are upper-case letters, e.g. tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp[22:1] <= 5A
3) The fourth byte is 0x20, e.g. tcp[23:1] == 20
4) MSN runs over TCP, e.g. tcp

MSN Messenger protocol analysis: http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN protocol analysis: http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

For a more detailed description see "Wireshark filter expression examples": http://www.csna.cn/viewthread.php?tid=14614

Wireshark main interface menu operations, English and Chinese side by side: http://www.csna.cn/viewthread.php?tid=9645&extra=page=1

The Wireshark string matching (regular expression) syntax is as follows (from http://www.csna.cn/viewthread.php?tid=14614):

The rules resemble those of regular expressions.

1. Wireshark basic regular-expression characters

\d a digit 0-9
\D the complement of \d (here "complement" means every character not in the set, and likewise below), i.e. any non-digit character
\w a word character: an upper- or lower-case letter, a digit 0-9, or an underscore
\W the complement of \w
\s a whitespace character, including newline \n, carriage return \r, tab \t, vertical tab \v and form feed \f
\S the complement of \s
. any character except the newline \n. In Perl, a mode in which "." also matches newlines is called "single-line mode".
.* any text that does not include a newline (\n)
[\x00-\xff]* any text, including \n
[...] any one of the characters listed inside the brackets
[^...] any character not listed inside the brackets

2. Anchors (positioning characters). An anchor is a virtual character: it stands for a position, which you can picture as the small gap between two characters.

^ the character after it must be at the beginning of the string
$ the character before it must be at the end of the string
\b a word boundary
\B a non-word boundary

3. Repetition characters

{n} the preceding character exactly n times
{n,} the preceding character n or more times
{n,m} the preceding character n to m times
? the preceding character 0 or 1 times
+ the preceding character 1 or more times
* the preceding character 0 or more times

4. and / or

Logical and is written and (or &&), logical or is written or (or ||). For example: tcp and tcp.port == 80; tcp or udp.

5. Wireshark filter matching expression examples

5.1 Filtering on the UDP payload. The UDP header is 8 bytes, so the data starts at the 9th byte, udp[8:].

udp[8] == 14 // 14 is hexadecimal 0x14: UDP packets whose first payload byte is 0x14
udp[8:2] == 14:05 // can also be written udp[8:2] == 1405; that joined form is only supported for 2 bytes, three or more bytes must use colon-separated hex (equivalent to udp[8] == 14 and udp[9] == 05; 1405 is 0x1405)
udp[8:3] == 22:00:f7 // but not udp[8:3] == 2200f7
udp[8:4] == 00:04:00:2a // the first 4 payload bytes are 0x0004002a
udp contains 7c:7c:7d:7d // matches UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily at the first byte
udp[8:4] matches "\\x14\\x05\\x07\\x18"
udp[8:] matches "^\\x14\\x05\\x07\\x18\\x14"

5.2 Filtering on the TCP payload. The TCP header is 20 bytes (when it carries no options), so the data starts at the 21st byte, tcp[20:].

tcp[20:] matches "^get [ -~]*http/1.1\\x0d\\x0a" // equivalent to http matches "^get [ -~]*http/1.1\\x0d\\x0a"; [ -~] is the range of printable ASCII characters
tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a"
tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a[\\x00-\\xff]*host: (.*?)PPLive(.*?)\\x0d\\x0a"
tcp[20:] matches "^get (.*?) http/1.1\\x0d\\x0a[\\x00-\\xff]*host: "
tcp[20:] matches "^post / http/1.1\\x0d\\x0a[\\x00-\\xff]*\\x0d\\x0aconnection: keep-alive\\x0d\\x0a\\x0d\\x0a"

The lower-case get and host work because matches is case-insensitive by default; [\\x00-\\xff]* is needed to cross line breaks, because "." does not match \n.

Detect the SMB signature in the SMB header: the signature starts 24 bytes into the TCP segment, i.e. after the 20-byte TCP header and the 4-byte NetBIOS session header that precedes SMB over TCP. tcp[24:4] == ff:53:4d:42

Detect the SMB signature anywhere in the TCP segment: the hex bytes ff:53:4d:42 are searched for from the start of the TCP header. tcp contains ff:53:4d:42, or tcp matches "\\xff\\x53\\x4d\\x42"

Detect TCP segments containing the hex bytes 01:bd, searched from the start of the TCP header: tcp matches "\\x01\\xbd"

Detect the MS08-067 RPC request path: tcp[179:13] == 00:5c:00:2e:00:2e:00:5c:00:2e:00:2e:00, which is the UTF-16LE encoding of the path fragment \..\..

5.3 Others

http.request.uri matches ".gif$" // HTTP request packets whose request URI ends with ".gif" (4 bytes); here $ is the end-of-string anchor of the regular expression
http.request.uri contains ".gif$" // different: contains looks for the literal string ".gif$" (5 bytes), so this matches HTTP request packets whose URI contains the characters ".gif$", where $ is an ordinary character, not an anchor
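Sections 5.2 and 5.3 turn on two differences that are easy to get wrong: matches is a case-insensitive Perl-style regular expression search in which "." does not cross a newline (hence the [\x00-\xff]* idiom), while contains is a case-sensitive literal substring test. The Python script below is an added example written for this page (not from the original text) that reproduces both operators with the re module and runs the section's patterns over a constructed HTTP request and two sample URIs; the request, URIs and the SMB bytes are made up, and the case-insensitive behaviour of matches is taken from the Wireshark filter documentation.

```python
import re

# Constructed HTTP request as it would sit in a TCP payload (tcp[20:] with a 20-byte header).
# A User-Agent line is placed before Host: so that "." has a line break to stumble over.
REQUEST = (b"GET /img/logo-edu.gif HTTP/1.1\r\n"
           b"User-Agent: demo\r\n"
           b"Host: www.example.com\r\n\r\n")


def dfilter_matches(value: bytes, pattern: str) -> bool:
    """field matches "pattern": Perl-style regex search; Wireshark's matches is case-insensitive."""
    # '.' stops at \n here, as in Wireshark, which is why the page uses [\x00-\xff]* to span lines.
    return re.search(pattern.encode("latin-1"), value, re.IGNORECASE) is not None


def dfilter_contains(value: bytes, literal: str) -> bool:
    """field contains "literal": plain case-sensitive substring test, no regex metacharacters."""
    return literal.encode("latin-1") in value


def request_checks(payload: bytes) -> dict:
    """Run the section 5.2 request-line patterns over one TCP payload."""
    return {
        # [ -~]* covers printable ASCII, so the whole request line up to CRLF is allowed
        "get_line": dfilter_matches(payload, r"^get [ -~]*http/1.1\x0d\x0a"),
        # '.' cannot cross the line break after the request line, so this misses Host:
        "host_with_dot": dfilter_matches(payload, r"^get (.*?) http/1.1\x0d\x0a.*host: "),
        # [\x00-\xff]* matches anything including \n, so Host: is found on a later line
        "host_with_anybyte": dfilter_matches(payload, r"^get (.*?) http/1.1\x0d\x0a[\x00-\xff]*host: "),
    }


def uri_checks(uri: bytes) -> dict:
    """Contrast  http.request.uri matches ".gif$"  with  http.request.uri contains ".gif$"."""
    return {
        # the page writes .gif$ where . is any byte; \. pins it to a literal dot, $ anchors the end
        "matches_gif_end": dfilter_matches(uri, r"\.gif$"),
        # contains looks for the literal five bytes . g i f $
        "contains_gif_dollar": dfilter_contains(uri, ".gif$"),
        "contains_gif": dfilter_contains(uri, ".gif"),
    }


if __name__ == "__main__":
    print(request_checks(REQUEST))
    for uri in (b"/img/logo-edu.gif", b"/img/logo-edu.gif?v=2"):
        print(uri, uri_checks(uri))
    # tcp matches "\xff\x53\x4d\x42": SMB signature after a constructed 4-byte NetBIOS header
    print("SMB signature ->", dfilter_matches(b"\x00\x00\x00\x2f\xffSMB", r"\xff\x53\x4d\x42"))
```

Note that the dot in the page's ".gif$" is itself a metacharacter, so the unescaped form would also accept "xgif" at the end of a URI; escaping it as \\. inside the Wireshark string fixes that.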

eth.addr[0:3] == 00:1e:4f // packets whose MAC address (source or destination) begins with the bytes 0x001e4f
