Wireshark usage (capture, filter)

  1. Wireshark is the world's most popular network analysis tool. This powerful tool captures data from the network and provides the user with a wide variety of information about the network and its upper-layer protocols. Like many other network tools, Wireshark uses the pcap library to capture packets. On a local area network it can even expose QQ, e-mail, MSN and other account passwords that are sent in the clear! Wireshark was formerly known as Ethereal; the new name was adopted in 2006. Ethereal's main developer decided to leave the company he had been working for and to continue developing the software, but because the right to the Ethereal name was registered to that company, the new name Wireshark came into being. Once Wireshark is running successfully we can move on to the next step and get to know this powerful tool better. The following is a screenshot of a computer with the address 192.168.1.2 accessing the "openmaniak.com" website.

  2. 1. MENUS (menu bar)

  3. 2. SHORTCUTS (toolbar shortcuts)

  4. 3. DISPLAY FILTER (display filter)

  5. 4. PACKET LIST PANE (packet list)

  6. 5. PACKET DETAILS PANE (packet details)

  7. 6. DISSECTOR PANE (hexadecimal data)

  8. 7. MISCELLANEOUS (miscellaneous)

  9. 1. Capture Filter

    Capture filter syntax is the same as that of other software built on the libpcap (Linux) or WinPcap (Windows) library, such as the well-known tcpdump. A capture filter must be set before the capture starts; the display filter, by contrast, is applied afterwards. To set a capture filter:
    - select Capture -> Options;
    - fill in the "Capture Filter" field, or click the "Capture Filter" button to give your filter a name and store it, so that it can be reused in later captures;
    - click Start to begin capturing.


  10. Syntax:

    Protocol  Direction  Host(s)  Value  Logical Operations  Other expression

    Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128

    Protocol: possible values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. If no protocol is given, all supported protocols are used by default.

    Direction: possible values: src, dst, src and dst, src or dst. If neither source nor destination is given, "src or dst" is used by default. For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

    Host(s): possible values: net, port, host, portrange. If none is given, "host" is used by default. For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

    Logical Operations: possible values: not, and, or. Negation ("not") has the highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and are evaluated from left to right. For example, "not tcp port 3128 and tcp port 23" is the same as "(not tcp port 3128) and tcp port 23", but "not tcp port 3128 and tcp port 23" is different from "not (tcp port 3128 and tcp port 23)".


  11. Examples:

    tcp dst port 3128

    Shows packets whose destination TCP port is 3128.

    ip src host 10.1.1.1

    Shows packets whose source IP address is 10.1.1.1.

    host 10.1.2.3

    Shows packets whose source or destination IP address is 10.1.2.3.

    src portrange 2000-2500

    Shows UDP or TCP packets whose source port is in the range 2000 to 2500.

    not icmp

    Shows all packets except ICMP (ICMP is usually used by the ping tool).

    src host 10.7.2.12 and not dst net 10.200.0.0/16

    Shows packets whose source IP address is 10.7.2.12 and whose destination is not in the 10.200.0.0/16 network.

    (src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8

    Shows all packets whose source IP is 10.4.1.12 or whose source network is 10.6.0.0/16, whose destination TCP port is between 200 and 10000, and whose destination lies inside the 10.0.0.0/8 network.
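    As an added illustration (not code from the original post), the following Python evaluates capture-filter expressions using the rules described above: an optional protocol, "src or dst" and "host" as defaults, "not" binding tightest, and "and"/"or" at equal precedence read from left to right. The packets are a constructed in-memory sample rather than a live capture, so the code runs offline and shows why "a or b and c" does not mean what it would in most programming languages.

```python
import ipaddress
import re

# Constructed sample packets (not from the page), already dissected into named fields.
PACKETS = [
    {"proto": "tcp", "ip.src": "10.1.1.1", "ip.dst": "10.2.2.2", "tcp.srcport": 51000, "tcp.dstport": 3128},
    {"proto": "tcp", "ip.src": "10.1.1.1", "ip.dst": "10.3.3.3", "tcp.srcport": 51001, "tcp.dstport": 23},
    {"proto": "udp", "ip.src": "10.7.2.12", "ip.dst": "10.200.5.5", "udp.srcport": 2100, "udp.dstport": 53},
    {"proto": "icmp", "ip.src": "10.1.2.3", "ip.dst": "10.1.1.1"},
]
LOGIC = {"and": lambda a, b: a and b, "or": lambda a, b: a or b}
PROTOS, DIRS, KINDS = ("tcp", "udp", "ip", "icmp"), ("src", "dst"), ("host", "net", "port", "portrange")

def _parse_expr(tokens):  # expr := term ((and|or) term)*: 'and' and 'or' share one precedence level, left to right
    value = _parse_term(tokens)
    while tokens and tokens[0] in LOGIC:
        op, lhs, rhs = tokens.pop(0), value, _parse_term(tokens)
        value = lambda p, op=op, a=lhs, b=rhs: LOGIC[op](a(p), b(p))
    return value

def _parse_term(tokens):  # term := 'not' term | '(' expr ')' | primitive; 'not' binds tightest
    tok = tokens.pop(0)
    if tok == "not":
        inner = _parse_term(tokens)
        return lambda p: not inner(p)
    if tok == "(":
        inner, _ = _parse_expr(tokens), tokens.pop(0)  # the second pop drops the closing ')'
        return inner
    tokens.insert(0, tok)
    return _primitive(tokens)

def _primitive(tokens):  # [proto] [src|dst] [host|net|port|portrange] value
    proto = tokens.pop(0) if tokens[0] in PROTOS else None
    if proto and (not tokens or tokens[0] in LOGIC or tokens[0] == ")"):  # bare protocol, e.g. "not icmp"
        return lambda p: proto == "ip" or p["proto"] == proto
    dirs = (tokens.pop(0),) if tokens[0] in DIRS else DIRS  # no direction given: "src or dst"
    kind = tokens.pop(0) if tokens[0] in KINDS else "host"  # no qualifier given: "host"
    value = tokens.pop(0)
    test = {"host": lambda a, n: a == value,
            "net": lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(value, strict=False),
            "port": lambda a, n: n == int(value),
            "portrange": lambda a, n: n is not None and int(value.split("-")[0]) <= n <= int(value.split("-")[1])}[kind]
    return lambda p: (proto in (None, "ip") or p["proto"] == proto) and any(
        test(p["ip." + d], p.get(p["proto"] + "." + d + "port")) for d in dirs)

def capture_filter(expr, packets=PACKETS):  # returns the indexes of the packets the filter keeps
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pred = _parse_expr(tokens)
    assert not tokens, "unexpected trailing tokens: " + " ".join(tokens)
    return [i for i, p in enumerate(packets) if pred(p)]
```

    For instance, "tcp port 23 or tcp port 3128 and udp" keeps nothing here, because it is read as "(tcp port 23 or tcp port 3128) and udp", not as "tcp port 23 or (tcp port 3128 and udp)".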


  12. Notes: When a keyword is used as a value, it must be escaped with a backslash "\". "ether proto \ip" (same as the keyword "ip") targets the IP protocol. "ip proto \icmp" (same as the keyword "icmp") targets ICMP, which the ping tool commonly uses. The "multicast" and "broadcast" keywords can be used after "ip" or "ether"; "not broadcast" is very useful when you want to exclude broadcast requests. See the tcpdump home page for a more detailed description of the capture filter syntax. More capture filter examples can be found on the Wireshark wiki website.


  13. 2. The display filter: the data that remains after the capture filter is usually still very complex. At this point you can use the display filter to look at it in more detail. It is more powerful than the capture filter, and when you want to change the filter condition you do not need to capture again.

    Syntax: Protocol . String 1 . String 2  Comparison operator  Value  Logical Operations  Other expression

    Example: ftp.passive.ip == 10.2.3.4 xor icmp.type

    Protocol: you can use a great many protocols located at layers 2 to 7 of the OSI model. Click the "Expression..." button to see them. For example: IP, TCP, DNS, SSH.


  14. You can also find the supported protocols in the location shown below:


  15. The Wireshark website provides a description of the various protocols and their subfields. String1, String2 (optional): subfields of the protocol. Click the "+" sign next to the relevant parent category, then select one of its subfields.


  16. Comparison operators:


  17. Example:


Origin blog.csdn.net/byc6352/article/details/92060930