First, a few of the most commonly used keywords: "eq" and "==" are equivalent; "and" (also written "&&") means logical and, "or" (also written "||") means logical or; "!" and "not" both denote negation.
First, the most common use of Wireshark filters is filtering on IP address. There are several cases:
(1) Filter packets whose source address is 192.168.0.1, that is, keep the packets whose source address satisfies the condition. Expression: ip.src == 192.168.0.1
(2) Filter packets whose destination address is 192.168.0.1, that is, keep the packets whose destination address satisfies the condition. Expression: ip.dst == 192.168.0.1
(3) Filter packets whose source or destination address is 192.168.0.1, that is, keep the packets in which either the source or the destination address is 192.168.0.1. Expression: ip.addr == 192.168.0.1, or equivalently ip.src == 192.168.0.1 or ip.dst == 192.168.0.1
(4) To exclude the packets selected above, enclose the expression in parentheses and negate it with "!". Expression: !(expression), for example !(ip.addr == 192.168.0.1)

Second, filtering by protocol:
(1) To capture only the packets of one protocol, the expression is simply the protocol name. Expression: http
(2) To capture the packets of several protocols, combine the protocol names with logical operators. Expression: http or telnet (any number of protocols joined by logical operators)
(3) To exclude the packets of one protocol. Expression: not arp, or !tcp

Third, filtering by port (which port field is used depends on the protocol):
(1) Capture the packets of one port. Expression: tcp.port == 80
(2) Capture the packets of several ports, which can be combined with "and"; the following expression captures the high-numbered ports. Expression: udp.port >= 2048

Fourth, filtering by length and content:
(1) Filtering by length (the length here is the length of the data segment). Expressions: udp.length < 30, http.content_length <= 20
(2) Filtering by packet content. Expression: http.request.uri matches "Vipscu" (matches HTTP requests whose request information contains the field "Vipscu")

Once the basic functions above are learned and practised, they can be combined flexibly; this is essentially a primer. The following are more complex examples (from the Wireshark Illustrated tutorial):
(These examples are written in the capture-filter (BPF) syntax that Wireshark uses when capturing, which differs from the display-filter syntax above.)
tcp dst port 3128: displays packets whose destination TCP port is 3128.
ip src host 10.1.1.1: displays packets whose source IP address is 10.1.1.1.
host 10.1.2.3: displays packets whose source or destination IP address is 10.1.2.3.
src portrange 2000-2500: displays UDP or TCP packets whose source port is in the range 2000 to 2500.
not icmp: displays all packets except ICMP (ICMP is what the ping tool normally uses).
src host 10.7.2.12 and not dst net 10.200.0.0/16: displays packets whose source IP address is 10.7.2.12 and whose destination is not in the network 10.200.0.0/16.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8: displays packets whose source IP address is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies within the network 10.0.0.0/8.
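To show why point (4) of the IP section needs the parenthesised !(...) form, here is an added example, not from the original post, that models how Wireshark evaluates the display filters from the IP, protocol, port, length and content sections over a few constructed packets (the capture-filter lines just above use a different syntax and are not modelled). The packet records, frame numbers and helper names (eq, any_ne, not_, apply_filter and so on) are assumptions of this example, not Wireshark APIs.

```python
import re

# Constructed sample packets (not captured; made up for this example). Each is a
# flat dict of Wireshark-style field names; src/dst fields are stored separately
# because ip.addr, tcp.port and udp.port match EITHER occurrence in Wireshark.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.168.0.1", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request.uri": "/Vipscu/login"},
    {"frame.number": 2, "ip.src": "10.0.0.5", "ip.dst": "192.168.0.1",
     "tcp.srcport": 80, "tcp.dstport": 51000},
    {"frame.number": 3, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9",
     "udp.srcport": 53, "udp.dstport": 3000, "udp.length": 24},
    {"frame.number": 4, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9",
     "udp.srcport": 4000, "udp.dstport": 5000, "udp.length": 120},
]
ALIASES = {"ip.addr": ("ip.src", "ip.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

def values(pkt, name):
    """Every occurrence of a field in the packet (empty list if the field is absent)."""
    return [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]

# Wireshark rule: a comparison is true if ANY occurrence of the field satisfies it.
def compare(name, op, rhs):
    return lambda pkt: any(op(v, rhs) for v in values(pkt, name))

eq = lambda name, rhs: compare(name, lambda a, b: a == b, rhs)          # "==" / "eq"
any_ne = lambda name, rhs: compare(name, lambda a, b: a != b, rhs)      # "!==" / "any_ne"
lt = lambda name, rhs: compare(name, lambda a, b: a < b, rhs)           # "<"
ge = lambda name, rhs: compare(name, lambda a, b: a >= b, rhs)          # ">="
matches = lambda name, pat: compare(name, lambda a, b: re.search(b, a) is not None, pat)
proto = lambda name: lambda pkt: any(k.startswith(name + ".") for k in pkt)  # bare "http"
and_ = lambda *fs: lambda pkt: all(f(pkt) for f in fs)                  # "and" / "&&"
or_ = lambda *fs: lambda pkt: any(f(pkt) for f in fs)                   # "or" / "||"
not_ = lambda f: lambda pkt: not f(pkt)                                 # "!" / "not"

def apply_filter(flt, packets=PACKETS):
    """Frame numbers that pass the filter, like Wireshark's filtered packet list."""
    return [p["frame.number"] for p in packets if flt(p)]

if __name__ == "__main__":
    print(apply_filter(eq("ip.addr", "192.168.0.1")))                   # [1, 2]
    # Point (4) of the post: exclusion is written !(ip.addr == X) ...
    print(apply_filter(not_(eq("ip.addr", "192.168.0.1"))))             # [3, 4]
    # ... because an "any occurrence differs" test keeps frames 1 and 2 as well:
    print(apply_filter(any_ne("ip.addr", "192.168.0.1")))               # [1, 2, 3, 4]
    print(apply_filter(and_(eq("tcp.port", 80), matches("http.request.uri", "Vipscu"))))  # [1]
```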
Wireshark Practical filter expressions (for IP, protocol, port, length, and content) example introduction (RPM)