Reprinted from https://blog.csdn.net/cumirror/article/details/7054496
First of all, please note that if you use localhost or 127.0.0.1 for testing, the traffic does not pass through the computer network card, so WireShark cannot capture packets. If you want to capture local packages, refer to How WireShark captures local localhost packages
Wireshark basic syntax, basic usage, and packet filtering rules:
1. Filter IP, such as source IP or destination IP is equal to a certain IP
example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or
ip.addr eq 192.168.1.107 // both can display source IP and destination IP
An example of a screenshot of the wireshark graphics window running on Linux. The operations of other filtering rules are similar, and no screenshots will be taken.
ip.src eq 10.175.168.182
Screenshot example:
Tips: In the Filter edit box, if the syntax is wrong, the box will be red, and if it is correct, it will be green.
2. Filter port
example:
tcp.port eq 80 // Display whether the port is source or destination
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // Only display the target port 80 of the tcp protocol
tcp.srcport == 80 // Only display the source port 80 of the tcp protocol
udp.port eq 15000
filter port range
tcp.port >= 1 and tcp.port <= 80
3. Filter protocol
example:
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
etc.
Exclude arp packages, such as !arp or not arp
4. Filter MAC
ethernet head filter
eth.dst == A0:00:00:04:C5:84 // filter target mac
eth.src eq A0:00:00:04:C5:84 // filter source mac
eth.dst==A0:00:00:04:C5:84
eth.dst==A0-00-00-04-C5-84
eth.addr eq A0:00:00:04:C5:84 // filter source MAC and destination MAC are equal to A0:00:00:04:C5:84
less than less than < lt
less than or equal to le
equal to eq
greater than gt
greater than or equal to ge
do not wait ne
5. Packet length filtering
example:
udp.length == 26 This length refers to the fixed length of udp itself 8 plus the sum of the data packets below udp
tcp.len >= 7 refers to the ip packet (the piece of data below tcp), excluding tcp itself
ip.len == 94 In addition to the fixed length of the Ethernet header 14, the others are considered ip.len, that is, from ip itself to the end
frame.len == 119 The length of the entire data packet, from eth to the end
eth —> ip or arp —> tcp or udp —> data
6. http mode filtering
example:
http.request.method == “GET”
http.request.method == “POST”
http.request.uri == “/img/logo-edu.gif”
http contains “GET”
http contains “HTTP/1.”
// GET package
http.request.method == “GET” && http contains “Host: “
http.request.method == “GET” && http contains “User-Agent: “
// POST package
http.request.method == “POST” && http contains “Host: “
http.request.method == “POST” && http contains “User-Agent: “
// response packet
http contains “HTTP/1.1 200 OK” && http contains “Content-Type: “
http contains “HTTP/1.0 200 OK” && http contains “Content-Type: “
must contain the following
Content-Type:
7.TCP parameter filtering
tcp.flags displays packets containing TCP flags.
tcp.flags.syn == 0x02 Display packets containing TCP SYN flag.
tcp.window_size == 0 && tcp.flags.reset != 1
8. Packet content filtering
tcp[20] means starting from 20, take 1 character
tcp[20:] means starting from 20, take more than 1 character
Note: The content in these two dotted lines failed the test on my wireshark (linux).
tcp[20:8] means starting from 20, take 8 characters
tcp[offset,n]
udp[8:3]81:60:03 // Offset 8 bytes, and then take 3 numbers, whether it is the same asAre the subsequent data equal?
udp[8:1]==32 If my guess is correct, it should be udp[offset: intercepted number]=nValue
eth.addr[0:3]==00:06:5B
example:
Determine whether the first three data packets under upd are equal to 0x20 0x21 0x22
We all know that udp has a fixed length of 8
udp[8:3]==20:21:22
Determine whether the first three packets of the tcp packet are equal to 0x20 0x21 0x22
In general, the length of tcp is 20, but sometimes it is not 20
tcp[8:3]==20:21:22
If you want to get the most accurate, you should know the tcp length first
matches (match) and contains (contains a string) syntax
ip.src==192.168.1.107 and udp[8:5] matches “\x02\x12\x21\x00\x22″ ------???--------
ip.src==192.168.1.107 and udp contains 02:12:21:00:22
ip.src==192.168.1.107 and tcp contains “GET”
udp contains 7c:7c:7d:7d matches the UDP packet containing 0x7c7c7d7d in the payload, not necessarily from the first byte.
--------------------------------------Do not understand Begin--------- -------------------------------------------------- -------------------------
example:
Get the local qq login data packet (the judgment condition is that the first packet==0x02, the fourth and fifth packets are equal to 0x00x22, and the last packet is equal to 0x03)
0x02 xx xx 0x00 0x22 … 0x03
How to spell filter condition? ? ?
udp[11:2]==00:00 means the command number is 00:00
udp[11:2]==00:80 means the command number is 00:80
When the command number is 00:80, the QQ number is 00:00:00:00
Get msn login success account (judgment condition is "USR 7 OK ", that is, the first three are equal to USR, and then pass two 0x20, you will get to OK, OK is followed by a character 0x20, followed by mail)
USR xx OK [email protected]
correct
msnms and tcp and ip.addr==192.168.1.107 and tcp[20:] matches “^USR\x20[\x30-\x39]+\x20OK\x20[\x00-\xff]+”
--------------------------------------Do not understand End---------- -------------------------------------------------- ---------------------------
9. dns mode filtering
10.DHCP
Note: The retrieval rule of the DHCP protocol is not dhcp/DHCP, but bootp
Taking finding fake DHCP servers as an example, introduce the usage of Wireshark. Add filtering rules to the display filter,
Display all information not from DHCP server and bootp.type==0x02 (Offer/Ack/NAK):
bootp.type0x02 and not ip.src192.168.1.1
11.msn
msnms && tcp[23:1] == 20 // The fourth is the msn data packet of 0x20
msnms && tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp [ 22 : 1 ] <= 5A
msnms && tcp[20:3]==”USR” // Find the packet whose command code is USR
msnms && tcp[20:3]==”MSG” // Find the packet whose command code is MSG
tcp.port == 1863 || tcp.port == 80
How to judge that the data packet is an MSN data packet containing command code?
1) The port is 1863 or 80, such as: tcp.port == 1863 || tcp.port == 80
2) The first three of the data section are capital letters, such as:
tcp[20:1] >= 41 && tcp[20:1] <= 5A && tcp[21:1] >= 41 && tcp[21:1] <= 5A && tcp[22:1] >= 41 && tcp [ 22 : 1 ] <= 5A
3) The fourth is 0x20, such as: tcp[23:1] == 20
4) msn belongs to the TCP protocol, such as tcp
MSN Messenger protocol analysis
http://blog.csdn.net/Hopping/archive/2008/11/13/3292257.aspx
MSN protocol analysis
http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx
more detailed instructions
<<Wireshark filter expression example introduction>>
http://www.csna.cn/viewthread.php?tid=14614
Comparison between Chinese and English in the operation menu of the main interface of Wireshark
http://www.csna.cn/viewthread.php?tid=9645&extra=page=1
- wireshark string filter grammar characters
The following content is transferred from: http://www.csna.cn/viewthread.php?tid=14614
Regular expression-like rules.
1. The basic grammar characters of wireshark
\d digits from 0-9
\D The complement of \d (take all characters as the set, the same below), that is, all non-numeric characters
\w Word character, refers to uppercase and lowercase letters, numbers from 0-9, underscore
The complement of \W \w
\s Whitespace characters, including line feed \n, carriage return \r, tab \t, vertical tab \v, form feed \f
The complement of \S \s
. Any character except newline \n. In Perl, the "." mode that can match newline characters is called "single-line mode"
.* matches any text, excluding carriage returns (\n)?. However, [0x00-0xff]* matches any text, including \n
[…] matches all the characters listed in []
[^…] matches characters not listed in []
—————————————————————————————-
2. The positioning character represents a virtual character, which represents a position. You can also intuitively think that the "locating character" represents the tiny gap between certain characters.
^ indicates that the following character must be at the beginning of the string
$ means the character preceding it must be at the end of the string
\b matches a word boundary
\B matches a non-word boundary
—————————————————————————————-
3. Repeated description characters
{n} matches the preceding character n times
{n,} matches the preceding character n or more times
{n,m} matches the preceding character n to m times
? matches the preceding character 0 or 1 times
-
匹配前面的字符1次或多于1次
-
匹配前面的字符0次或式于0次
—————————————————————————————-
4. and or match
and symbol and
or symbol or
For example:
tcp and tcp.port==80
tcp or udp
—————————————————————————————-
5. Wireshark filter matching expression instance
5.1. Search and filter the udp data segment payload according to the condition (the number 8 means that the udp header has 8 bytes, and the data part starts from the 9th byte udp[8:])
udp[8]==14 (14 is hexadecimal 0x14) matches the UDP packet with the first byte of payload 0x14
udp[8:2]==14:05 can be udp[8:2]==1405, and only 2 consecutive bytes are supported, and more than three must be separated by a colon: to represent hexadecimal. (equivalent to udp[8]==14 and udp[9]==05, 1405 is 0x1405)
udp[8:3]==22:00:f7 but not udp[8:3]==2200f7
udp[8:4]==00:04:00:2a, matching the first 4 bytes of payload 0x0004002a
And udp contains 7c:7c:7d:7d matches the UDP packet containing 0x7c7c7d7d in the payload, not necessarily from the first byte.
udp[8:4] matches “\x14\x05\x07\x18″
udp[8:] matches “^\x14\x05\x07\x18\x14″
5.2. Search and filter the tcp data segment payload according to the condition (the number 20 means that the tcp header has 20 bytes, and the data part starts from the 21st byte tcp[20:])
tcp[20:] matches “^GET [ -~]*HTTP/1.1\x0d\x0a”
等同http matches “^GET [ -~]*HTTP/1.1\x0d\x0a”
tcp[20:] matches “^GET (.*?)HTTP/1.1\x0d\x0a”
tcp[20:] matches “^GET (.?)HTTP/1.1\x0d\x0a[\x00-\xff]Host: (.?)pplive(.?)\x0d\x0a”
tcp[20:] matches “^GET (.*?)HTTP/1.1\x0d\x0a[\x00-\xff]*Host: “
tcp[20:] matches “^POST / HTTP/1.1\x0d\x0a[\x00-\xff]*\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a”
Detect the smb tag of the SMB header, indicating that the smb tag starts to match from the 24th byte of the tcp header.
tcp[24:4] == ff:53:4d:42
Detect the smb tag of the SMB header, the tcp data contains hexadecimal ff:53:4d:42, start searching for this data from the tcp header.
tcp contains ff:53:4d:42
tcp matches “\xff\x53\x4d\x42″
Detect that tcp contains hexadecimal 01:bd, and search for this data from the tcp header.
tcp matches “\x01\xbd”
Detect the RPC request path of MS08067
tcp[179:13] == 00:5c:00:2e:00:2e:00:5c:00:2e:00:2e:00
\ . . \ . .
5.3 Others
http.request.uri matches ".gif " matches and filters HTTP request URIs that contain ". gif" strings and ends with .gif (4 bytes) http request packets (" matches and filters HTTP request URIs An http request packet containing the ".gif" string and ending with .gif (4 bytes) (" Match and filter the HTTP request URI that contains the " .g if " string and ends with .g if ( 4 bytes ) http request _ _ _ _ _ _ _ _ _ _ _ _ _ Packet ( is the end indicator in the regular expression)
Note the difference: http.request.uri contains ".gif " is different from this, contains contains the string ".gif" is different from this, contains contains the string ".gif" Different from this , c o n t a i n s contains the string " .g if " (5 bytes). Matches and filters HTTP request URIs that contain the string ".gif " in the http request data packet (here) http request data packet of string (here" string http request packet ( here is the character , not the end character )
eth.addr[0:3]==00:1e:4f Search and filter packets whose MAC address is 0x001e4f in the first 3 bytes.
————————————————
Copyright statement: This article is an original article of CSDN blogger "kingkyrie", following the CC 4.0 BY-SA copyright agreement, please attach the original source link and this statement for reprinting .
Original link: https://blog.csdn.net/liuchaoxuan/article/details/81605257