wireshark filter using

Reprinted from https://blog.csdn.net/cumirror/article/details/7054496
First of all, please note that if you use localhost or 127.0.0.1 for testing, the traffic does not pass through the computer network card, so WireShark cannot capture packets. If you want to capture local packages, refer to How WireShark captures local localhost packages

Wireshark basic syntax, basic usage, and packet filtering rules:
1. Filter IP, such as source IP or destination IP is equal to a certain IP

example:

ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107

or

ip.addr eq 192.168.1.107 // both can display source IP and destination IP

An example of a screenshot of the wireshark graphics window running on Linux. The operations of other filtering rules are similar, and no screenshots will be taken.

ip.src eq 10.175.168.182

Screenshot example:

Tips: In the Filter edit box, if the syntax is wrong, the box will be red, and if it is correct, it will be green.

2. Filter port

example:

tcp.port eq 80 // Display whether the port is source or destination

tcp.port == 80

tcp.port eq 2722

tcp.port eq 80 or udp.port eq 80

tcp.dstport == 80 // Only display the target port 80 of the tcp protocol

tcp.srcport == 80 // Only display the source port 80 of the tcp protocol

udp.port eq 15000

filter port range

tcp.port >= 1 and tcp.port <= 80

3. Filter protocol

example:

tcp

udp

arp

icmp

http

smtp

ftp

dns

msnms

ip

ssl

oicq

bootp

etc.

Exclude arp packages, such as !arp or not arp

4. Filter MAC

ethernet head filter

eth.dst == A0:00:00:04:C5:84 // filter target mac

eth.src eq A0:00:00:04:C5:84 // filter source mac

eth.dst==A0:00:00:04:C5:84

eth.dst==A0-00-00-04-C5-84

eth.addr eq A0:00:00:04:C5:84 // filter source MAC and destination MAC are equal to A0:00:00:04:C5:84

less than less than < lt

less than or equal to le

equal to eq

greater than gt

greater than or equal to ge

do not wait ne

5. Packet length filtering

example:

udp.length == 26 This length refers to the fixed length of udp itself 8 plus the sum of the data packets below udp

tcp.len >= 7 refers to the ip packet (the piece of data below tcp), excluding tcp itself

ip.len == 94 In addition to the fixed length of the Ethernet header 14, the others are considered ip.len, that is, from ip itself to the end

frame.len == 119 The length of the entire data packet, from eth to the end

eth —> ip or arp —> tcp or udp —> data

6. http mode filtering

example:

http.request.method == “GET”

http.request.method == “POST”

http.request.uri == “/img/logo-edu.gif”

http contains “GET”

http contains “HTTP/1.”

// GET package

http.request.method == “GET” && http contains “Host: “

http.request.method == “GET” && http contains “User-Agent: “

// POST package

http.request.method == “POST” && http contains “Host: “

http.request.method == “POST” && http contains “User-Agent: “

// response packet

http contains “HTTP/1.1 200 OK” && http contains “Content-Type: “

http contains “HTTP/1.0 200 OK” && http contains “Content-Type: “

must contain the following

Content-Type:

7.TCP parameter filtering

tcp.flags displays packets containing TCP flags.

tcp.flags.syn == 0x02 Display packets containing TCP SYN flag.

tcp.window_size == 0 && tcp.flags.reset != 1

8. Packet content filtering

---

tcp[20] means starting from 20, take 1 character

tcp[20:] means starting from 20, take more than 1 character

Note: The content in these two dotted lines failed the test on my wireshark (linux).

---

tcp[20:8] means starting from 20, take 8 characters

tcp[offset,n]

udp[8:3]81:60:03 // Offset 8 bytes, and then take 3 numbers, whether it is the same asAre the subsequent data equal?

udp[8:1]==32 If my guess is correct, it should be udp[offset: intercepted number]=nValue

eth.addr[0:3]==00:06:5B

example:

Determine whether the first three data packets under upd are equal to 0x20 0x21 0x22

We all know that udp has a fixed length of 8

udp[8:3]==20:21:22

Determine whether the first three packets of the tcp packet are equal to 0x20 0x21 0x22

In general, the length of tcp is 20, but sometimes it is not 20

tcp[8:3]==20:21:22

If you want to get the most accurate, you should know the tcp length first

matches (match) and contains (contains a string) syntax

ip.src==192.168.1.107 and udp[8:5] matches “\x02\x12\x21\x00\x22″ ------???--------

ip.src==192.168.1.107 and udp contains 02:12:21:00:22

ip.src==192.168.1.107 and tcp contains “GET”

udp contains 7c:7c:7d:7d matches the UDP packet containing 0x7c7c7d7d in the payload, not necessarily from the first byte.

--------------------------------------Do not understand Begin--------- -------------------------------------------------- -------------------------

example:

Get the local qq login data packet (the judgment condition is that the first packet==0x02, the fourth and fifth packets are equal to 0x00x22, and the last packet is equal to 0x03)

0x02 xx xx 0x00 0x22 … 0x03

How to spell filter condition? ? ?

udp[11:2]==00:00 means the command number is 00:00

udp[11:2]==00:80 means the command number is 00:80

When the command number is 00:80, the QQ number is 00:00:00:00

Get msn login success account (judgment condition is "USR 7 OK ", that is, the first three are equal to USR, and then pass two 0x20, you will get to OK, OK is followed by a character 0x20, followed by mail)

USR xx OK [email protected]

correct

msnms and tcp and ip.addr==192.168.1.107 and tcp[20:] matches “^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+”

--------------------------------------Do not understand End---------- -------------------------------------------------- ---------------------------

9. dns mode filtering

10.DHCP

Note: The retrieval rule of the DHCP protocol is not dhcp/DHCP, but bootp

Taking finding fake DHCP servers as an example, introduce the usage of Wireshark. Add filtering rules to the display filter,

Display all information not from DHCP server and bootp.type==0x02 (Offer/Ack/NAK):

bootp.type0x02 and not ip.src192.168.1.1

11.msn

msnms && tcp[23:1] == 20 // The fourth is the msn data packet of 0x20

msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp [ 22 : 1 ] <= 5A

msnms && tcp[20:3]==”USR” // Find the packet whose command code is USR

msnms && tcp[20:3]==”MSG” // Find the packet whose command code is MSG

tcp.port == 1863 || tcp.port == 80

How to judge that the data packet is an MSN data packet containing command code?

1) The port is 1863 or 80, such as: tcp.port == 1863 || tcp.port == 80

2) The first three of the data section are capital letters, such as:

tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp [ 22 : 1 ] <= 5A

3) The fourth is 0x20, such as: tcp[23:1] == 20

4) msn belongs to the TCP protocol, such as tcp

MSN Messenger protocol analysis

http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx

MSN protocol analysis

http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx

more detailed instructions

<<Wireshark filter expression example introduction>>

http://www.csna.cn/viewthread.php?tid=14614

Comparison between Chinese and English in the operation menu of the main interface of Wireshark

http://www.csna.cn/viewthread.php?tid=9645&extra=page=1

12. wireshark string filter grammar characters
    The following content is transferred from: http://www.csna.cn/viewthread.php?tid=14614

Regular expression-like rules.

1. The basic grammar characters of wireshark

\d digits from 0-9

\D The complement of \d (take all characters as the set, the same below), that is, all non-numeric characters

\w Word character, refers to uppercase and lowercase letters, numbers from 0-9, underscore

The complement of \W \w

\s Whitespace characters, including line feed \n, carriage return \r, tab \t, vertical tab \v, form feed \f

The complement of \S \s

. Any character except newline \n. In Perl, the "." mode that can match newline characters is called "single-line mode"

.* matches any text, excluding carriage returns (\n)?. However, [0x00-0xff]* matches any text, including \n

[…] matches all the characters listed in []

[^…] matches characters not listed in []

—————————————————————————————-

2. The positioning character represents a virtual character, which represents a position. You can also intuitively think that the "locating character" represents the tiny gap between certain characters.

^ indicates that the following character must be at the beginning of the string

$ means the character preceding it must be at the end of the string

\b matches a word boundary

\B matches a non-word boundary

—————————————————————————————-

3. Repeated description characters

{n} matches the preceding character n times

{n,} matches the preceding character n or more times

{n,m} matches the preceding character n to m times

? matches the preceding character 0 or 1 times

•      匹配前面的字符1次或多于1次
  

•      匹配前面的字符0次或式于0次
  

—————————————————————————————-

4. and or match

and symbol and

or symbol or

For example:

tcp and tcp.port==80

tcp or udp

—————————————————————————————-

5. Wireshark filter matching expression instance

5.1. Search and filter the udp data segment payload according to the condition (the number 8 means that the udp header has 8 bytes, and the data part starts from the 9th byte udp[8:])

udp[8]==14 (14 is hexadecimal 0x14) matches the UDP packet with the first byte of payload 0x14

udp[8:2]==14:05 can be udp[8:2]==1405, and only 2 consecutive bytes are supported, and more than three must be separated by a colon: to represent hexadecimal. (equivalent to udp[8]==14 and udp[9]==05, 1405 is 0x1405)

udp[8:3]==22:00:f7 but not udp[8:3]==2200f7

udp[8:4]==00:04:00:2a, matching the first 4 bytes of payload 0x0004002a

And udp contains 7c:7c:7d:7d matches the UDP packet containing 0x7c7c7d7d in the payload, not necessarily from the first byte.

udp[8:4] matches “\x14\x05\x07\x18″

udp[8:] matches “^\x14\x05\x07\x18\x14″

5.2. Search and filter the tcp data segment payload according to the condition (the number 20 means that the tcp header has 20 bytes, and the data part starts from the 21st byte tcp[20:])

tcp[20:] matches “^GET [ -~]*HTTP/1.1\x0d\x0a”

等同http matches “^GET [ -~]*HTTP/1.1\x0d\x0a”

tcp[20:] matches “^GET (.*?)HTTP/1.1\x0d\x0a”

tcp[20:] matches “^GET (.?)HTTP/1.1\x0d\x0a[\x00-\xff]Host: (.?)pplive(.?)\x0d\x0a”

tcp[20:] matches “^GET (.*?)HTTP/1.1\x0d\x0a[\x00-\xff]*Host: “

tcp[20:] matches “^POST / HTTP/1.1\x0d\x0a[\x00-\xff]*\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a”

Detect the smb tag of the SMB header, indicating that the smb tag starts to match from the 24th byte of the tcp header.

tcp[24:4] == ff:53:4d:42

Detect the smb tag of the SMB header, the tcp data contains hexadecimal ff:53:4d:42, start searching for this data from the tcp header.

tcp contains ff:53:4d:42

tcp matches “\xff\x53\x4d\x42″

Detect that tcp contains hexadecimal 01:bd, and search for this data from the tcp header.

tcp matches “\x01\xbd”

Detect the RPC request path of MS08067

tcp[179:13] == 00:5c:00:2e:00:2e:00:5c:00:2e:00:2e:00

              \      .     .     \     .     .

5.3 Others

http.request.uri matches ".gif $"MatchandfiltertheHTTPrequestURIthatcontainsthe".gif"stringandendswith.gif\left(4bytes\right)httprequest\_\_\_\_\_\_\_\_\_\_\_\_\_Packet(is$ the end indicator in the regular expression)

Note the difference: http.request.uri contains ".gif $"Differentfromthis,containscontainsthe\; string".gif$ " (5 bytes). Matches and filters HTTP request URIs that contain the string ".gif$"$$in$ the http$request$$"stringhttprequestpacket(hereisthe\; character,\; notthe\; endcharacter$ )

eth.addr[0:3]==00:1e:4f Search and filter packets whose MAC address is 0x001e4f in the first 3 bytes.
————————————————
Copyright statement: This article is an original article of CSDN blogger "kingkyrie", following the CC 4.0 BY-SA copyright agreement, please attach the original source link and this statement for reprinting .
Original link: https://blog.csdn.net/liuchaoxuan/article/details/81605257