Wireshark Filters

Source: Internet   Posted in: 网上邻居ad hoc网络   Editor: 程序博客网   Time: 2024/05/10 08:08

Capture Filters (see Wireshark User Guide, section 4.10)

Many more capture filter examples can be found at: http://wiki.wireshark.org/CaptureFilters.

Capture only traffic to or from IP address 172.18.5.4:

·   host 172.18.5.4

Capture traffic to or from a range of IP addresses:

·   net 192.168.0.0/24

or

·   net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

·   src net 192.168.0.0/24

or

·   src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:

·   dst net 192.168.0.0/24

or

·   dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS (port 53) traffic:

·   port 53

Capture non-HTTP and non-SMTP traffic on your server (both forms are equivalent):

·   host www.example.com and not (port 80 or port 25)
·   host www.example.com and not port 80 and not port 25

Capture everything except ARP and DNS traffic:

·   port not 53 and not arp      (port not 53 is the same as not port 53)

Capture traffic within a range of ports (here 1501 to 1549, by reading the source and destination port fields directly):

·   (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

·   tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

·   ether proto 0x888e

Reject Ethernet frames towards the Link Layer Discovery Protocol multicast group:

·   not ether dst 01:80:c2:00:00:0e

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

·   ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

·   not broadcast and not multicast

Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:

·   dst host ff02::1

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length: the upper nibble of byte 12 is the header length in 32-bit words, and shifting right by 2 instead of 4 multiplies it by 4 in the same step. From Jefferson Ogata via the tcpdump-workers mailing list.

·   port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
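To see why the data-offset arithmetic in the GET filter works, and what the port-range expression above actually tests, here is an added Python example (not part of the original page or of the Wireshark/tcpdump projects): it builds constructed TCP segments with and without options and applies the same byte offsets the BPF expressions use, byte for byte. The segment contents, ports and function names are the example's own.

```python
import struct

# Constructed test segments (not from a real capture): raw TCP header + payload,
# which is exactly what the BPF expression sees once the IP header is skipped.


def tcp_segment(sport, dport, payload, options=b"", flags=0x18):
    """Build a TCP header (+ options padded to a 4-byte multiple) followed by payload.
    The data-offset nibble is derived from the real header length, as a stack does."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    doff_words = (20 + len(options)) // 4                # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH",
                      sport, dport,
                      0x11111111, 0x22222222,            # seq / ack, arbitrary
                      doff_words << 4,                   # data offset: upper nibble of byte 12
                      flags, 65535, 0, 0)                # flags, window, checksum (unset), urg ptr
    return hdr + options + payload


def tcp_header_len(seg):
    """Mirror of the BPF sub-expression (tcp[12:1] & 0xf0) >> 2.
    (x & 0xf0) >> 4 gives words; words * 4 gives bytes; both steps fold into >> 2."""
    return (seg[12] & 0xf0) >> 2


def matches_http_get(seg, port=80):
    """Mirror of: port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"""
    if len(seg) < 20:
        return False                                     # not even a full TCP header
    sport, dport = struct.unpack("!HH", seg[:4])
    if port not in (sport, dport):
        return False
    off = tcp_header_len(seg)
    if len(seg) < off + 4:
        return False                                     # BPF rejects out-of-bounds loads
    return struct.unpack("!I", seg[off:off + 4])[0] == 0x47455420   # b"GET "


def matches_port_range(seg, lo=1500, hi=1550):
    """Mirror of: (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
    i.e. either port strictly between lo and hi, the same set as 'tcp portrange 1501-1549'."""
    if len(seg) < 4:
        return False
    sport, dport = struct.unpack("!HH", seg[:4])
    return (lo < sport < hi) or (lo < dport < hi)


def demo():
    mss_ws = b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07"   # MSS 1460, NOP, window scale 7 (8 bytes)
    plain = tcp_segment(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    opts = tcp_segment(40001, 80, b"GET /x HTTP/1.1\r\n\r\n", options=mss_ws)  # 28-byte header
    post = tcp_segment(40002, 80, b"POST / HTTP/1.1\r\n\r\n")
    resp = tcp_segment(80, 40000, b"HTTP/1.1 200 OK\r\n\r\nGET ")   # "GET " in body, not at offset 0
    other = tcp_segment(40003, 8080, b"GET / HTTP/1.1\r\n\r\n")       # right bytes, wrong port
    ack = tcp_segment(40004, 80, b"")                                 # pure ACK, nothing to read
    return {
        "plain": matches_http_get(plain),
        "opts": matches_http_get(opts),
        "post": matches_http_get(post),
        "resp": matches_http_get(resp),
        "other_port": matches_http_get(other),
        "ack": matches_http_get(ack),
        "opts_hdr_len": tcp_header_len(opts),
        "range_1501": matches_port_range(tcp_segment(1501, 80, b"")),
        "range_1500": matches_port_range(tcp_segment(1500, 80, b"")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The segment with options is the case a fixed offset would get wrong: hard-coding tcp[20:4] would look into the option bytes and miss the request, which is why the filter reads the header length from the packet itself.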

Example 4.1. A capture filter for telnet that captures traffic to and from a particular host

·   tcp port 23 and host 10.0.0.5

Example 4.2. Capturing all telnet traffic not from 10.0.0.5

·   tcp port 23 and not src host 10.0.0.5

General forms of the primitives used above:

·   [tcp|udp] [src|dst] port <port>
·   [src|dst] host <host>

 

Display Filters (see Wireshark User Guide, section 6.8):

·   ip.src == 192.168.0.1 and tcp.flags.syn == 1
    Show packets from 192.168.0.1 that have the TCP SYN flag set.

·   snmp || dns || icmp
    Show SNMP, DNS or ICMP packets.

·   ip.addr == 10.1.1.1
    Show packets whose source or destination IP address is 10.1.1.1.

·   ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
    Show packets whose source is not 10.1.2.3, or whose destination is not 10.4.5.6.
    In other words, the packets shown are:
    source IP: anything except 10.1.2.3; destination IP: anything
    plus
    source IP: anything; destination IP: anything except 10.4.5.6
    (The only packets hidden are those going from 10.1.2.3 to 10.4.5.6.)

·   ip.src != 10.1.2.3 and ip.dst != 10.4.5.6
    Show packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6.
    In other words, the packets shown are:
    source IP: anything except 10.1.2.3; and at the same time destination IP: anything except 10.4.5.6

·   tcp.port == 25
    Show packets whose source or destination TCP port is 25.

·   tcp.dstport == 25
    Show packets whose destination TCP port is 25.

·   tcp.flags
    Show packets that contain a TCP flags field (i.e. every TCP packet).

·   tcp.flags.syn == 1
    Show packets with the TCP SYN flag set. Older editions of the user guide write this as tcp.flags.syn == 0x02; tcp.flags.syn is a boolean field, so any non-zero value means "set" and both forms match the same packets.

·   If the filter syntax is correct, the expression's background turns green; red means the expression has an error.
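The or/and examples above depend on how Wireshark evaluates a comparison against a field that occurs more than once in a packet: ip.addr is filled from both ip.src and ip.dst, and tcp.port from both port numbers, and a comparison is true if any occurrence satisfies it. The following added Python model is not code from the original page or from Wireshark; it encodes that rule for constructed packets, reproduces the two filters above, and goes one step beyond the page's examples to show the classic `ip.addr != x` mistake and what the port-range filter in the next section really matches. Addresses, ports and function names are the example's own.

```python
# Constructed "dissected packets" (not from a real capture): each display-filter
# field maps to the list of values it takes in that packet. ip.addr is populated
# from both ip.src and ip.dst, tcp.port from both tcp.srcport and tcp.dstport,
# which is why those two fields occur twice.


def packet(src, dst, sport=None, dport=None):
    pkt = {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}
    if sport is not None and dport is not None:
        pkt.update({"tcp.srcport": [sport], "tcp.dstport": [dport],
                    "tcp.port": [sport, dport]})
    return pkt


OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def field_cmp(pkt, field, op, value):
    """Wireshark's rule: a comparison is true if ANY occurrence of the field
    satisfies it. A field absent from the packet makes every comparison false."""
    return any(OPS[op](v, value) for v in pkt.get(field, []))


# The two filters from the list above, evaluated with the any-occurrence rule.
def filter_or(pkt):      # ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
    return field_cmp(pkt, "ip.src", "!=", "10.1.2.3") or field_cmp(pkt, "ip.dst", "!=", "10.4.5.6")


def filter_and(pkt):     # ip.src != 10.1.2.3 and ip.dst != 10.4.5.6
    return field_cmp(pkt, "ip.src", "!=", "10.1.2.3") and field_cmp(pkt, "ip.dst", "!=", "10.4.5.6")


# Beyond the page's examples: the same rule applied to a field with two values.
def addr_not_equal(pkt, ip):      # ip.addr != ip  -> true as soon as ONE address differs
    return field_cmp(pkt, "ip.addr", "!=", ip)


def addr_excluded(pkt, ip):       # !(ip.addr == ip) -> true only if NO address equals ip
    return not field_cmp(pkt, "ip.addr", "==", ip)


def port_in_range(pkt, lo, hi):   # tcp.port >= lo and tcp.port <= hi
    return field_cmp(pkt, "tcp.port", ">=", lo) and field_cmp(pkt, "tcp.port", "<=", hi)


def demo():
    a_to_b = packet("10.1.2.3", "10.4.5.6", 50000, 80)   # the one pair both filters should hide
    a_to_x = packet("10.1.2.3", "10.9.9.9")
    return {
        "or hides a->b": filter_or(a_to_b) is False,
        "and hides a->b": filter_and(a_to_b) is False,
        "or keeps a->x": filter_or(a_to_x),
        "and hides a->x": filter_and(a_to_x) is False,
        "ip.addr != x still shows a->b": addr_not_equal(a_to_b, "10.1.2.3"),
        "!(ip.addr == x) hides a->b": addr_excluded(a_to_b, "10.1.2.3") is False,
        "tcp.port range 1..80 matches :80": port_in_range(a_to_b, 1, 80),
        "range 1000..2000 matches ports 500/3000": port_in_range(packet("a", "b", 500, 3000), 1000, 2000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry is the practical caveat: with two tcp.port occurrences, `tcp.port >= 1000 and tcp.port <= 2000` is satisfied by one port meeting the lower bound and the other meeting the upper bound, even when neither port is actually inside the range. To hide every packet involving an address, write `!(ip.addr == 10.1.2.3)` rather than `ip.addr != 10.1.2.3`; Wireshark 4.0 and later also accept `all ip.addr != 10.1.2.3` for the same purpose.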

1. IP filtering: source or destination IP equal to a given address

For example: ip.src == 192.168.0.208  or  ip.src eq 192.168.0.208   shows packets with that source IP
             ip.dst == 192.168.0.208  or  ip.dst eq 192.168.0.208   shows packets with that destination IP

(The field names are ip.src and ip.dst; there is no ip.srcaddr field. eq is simply the spelled-out form of ==.)

2. Port filtering:

For example: tcp.port eq 80           // shown whether the port is source or destination
             tcp.port == 80
             tcp.port eq 2722
             tcp.port eq 80 or udp.port eq 80
             tcp.dstport == 80        // only TCP destination port 80
             tcp.srcport == 80        // only TCP source port 80

Filtering a port range:

tcp.port >= 1 and tcp.port <= 80

Note that tcp.port occurs twice in every TCP packet (source and destination) and a comparison is true if any occurrence satisfies it, so this matches when either port falls in the range. Recent Wireshark versions also accept the set form tcp.port in {1..80}.

3. Protocol filtering: tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, and so on.

To exclude SSL packets: !ssl or not ssl (in Wireshark 3.0 and later the protocol is named tls; ssl is kept as an alias).

4. Packet length filtering:

For example:

udp.length == 26   udp.length is the UDP header (fixed 8 bytes) plus the UDP payload

tcp.len >= 7       tcp.len is the TCP payload (the data carried below TCP), not including the TCP header

ip.len == 94       ip.len is the IP total length: everything after the 14-byte Ethernet header, from the IP header to the end of the IP packet (so frame.len == ip.len + 14 holds only when there is no VLAN tag and nothing trailing the IP packet)

frame.len == 119   the whole frame length, from the Ethernet header to the end
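To make the four length fields above concrete, here is an added Python example (not from the original page or from Wireshark) that constructs Ethernet/IPv4/TCP and Ethernet/IPv4/UDP frames, parses them back the way a dissector would, and checks the relationships the text describes, including a frame with trailing padding where frame.len no longer equals ip.len + 14. The addresses, ports and payloads are made up; the function names are the example's own.

```python
import struct

# Constructed frames (not from a real capture) showing how frame.len, ip.len,
# tcp.len and udp.length nest inside each other.

ETH_HDR_LEN = 14
IPPROTO_TCP, IPPROTO_UDP = 6, 17
ETH_HDR = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"      # dst MAC, src MAC, EtherType IPv4


def ipv4_header(total_len, proto, src="192.168.1.21", dst="220.181.66.92"):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 (not validated here)."""
    def ip2b(s):
        return bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       ip2b(src), ip2b(dst))


def tcp_frame(payload, options=b""):
    """Ethernet + IPv4 + TCP(+options, must already be a 4-byte multiple) + payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 2213, 80, 1, 1,
                          ((20 + len(options)) // 4) << 4, 0x18, 65535, 0, 0) + options
    return ETH_HDR + ipv4_header(20 + len(tcp_hdr) + len(payload), IPPROTO_TCP) + tcp_hdr + payload


def udp_frame(payload):
    """Ethernet + IPv4 + UDP + payload; the UDP length field counts its own 8-byte header."""
    udp_hdr = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0)
    return ETH_HDR + ipv4_header(20 + 8 + len(payload), IPPROTO_UDP) + udp_hdr + payload


def length_fields(frame):
    """Parse an Ethernet II / IPv4 frame and return the fields the display filters refer to."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0f) * 4                     # IP header length, 20 without options
    ip_len = struct.unpack("!H", ip[2:4])[0]     # IP total length = IP header + IP payload
    proto = ip[9]
    fields = {"frame.len": len(frame), "ip.len": ip_len, "ip.hdr_len": ihl}
    l4 = ip[ihl:ip_len]                          # honour ip.len: bytes beyond it are trailer/padding
    if proto == IPPROTO_TCP:
        tcp_hdr_len = (l4[12] & 0xf0) >> 2       # same data-offset arithmetic as the BPF GET filter
        fields["tcp.hdr_len"] = tcp_hdr_len
        fields["tcp.len"] = len(l4) - tcp_hdr_len           # payload only, header excluded
    elif proto == IPPROTO_UDP:
        fields["udp.length"] = struct.unpack("!H", l4[4:6])[0]  # 8-byte header + payload
    return fields


def l4_invariant(fields):
    """ip.len = IP header + L4 header + L4 payload; udp.length already includes its header."""
    if "tcp.len" in fields:
        return fields["ip.len"] == fields["ip.hdr_len"] + fields["tcp.hdr_len"] + fields["tcp.len"]
    return fields["udp.length"] == fields["ip.len"] - fields["ip.hdr_len"]


def eth_invariant(fields):
    """frame.len = 14 + ip.len, which only holds when nothing trails the IP packet."""
    return fields["frame.len"] == ETH_HDR_LEN + fields["ip.len"]


if __name__ == "__main__":
    for label, frame in [("tcp", tcp_frame(b"A" * 54)),
                         ("tcp+opts", tcp_frame(b"B" * 7, options=b"\x02\x04\x05\xb4\x01\x03\x03\x07")),
                         ("udp", udp_frame(b"C" * 18)),
                         ("tcp+padding", tcp_frame(b"A" * 54) + b"\x00" * 4)]:
        f = length_fields(frame)
        print(label, f, "L4 ok:", l4_invariant(f), "eth ok:", eth_invariant(f))
```

The padded frame is the case to remember when filtering on frame.len: a short-frame pad or a captured FCS is counted by frame.len but not by ip.len, so the parser slices the transport layer by ip.len rather than by what is left in the buffer.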

5. HTTP filtering (Wireshark only accepts straight double quotes "..." in string literals):

Examples:

http.request.method == "GET"

http.request.method == "POST"

http.request.uri == "/img/logo-edu.gif"

http contains "GET"

http contains "HTTP/1."

// GET requests

http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "

// POST requests

http.request.method == "POST" && http contains "Host: "

http.request.method == "POST" && http contains "User-Agent: "

// responses

http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "

 

A filter of the kind Wireshark generates itself for a single TCP conversation (both addresses and both ports):

(ip.addr eq 220.181.66.92 and ip.addr eq 192.168.1.21) and (tcp.port eq 80 and tcp.port eq 2213)

References:

1. http://wiki.wireshark.org/CaptureFilters

2. Wireshark User Guide

3. http://openmaniak.com/cn/wireshark_filters.php

4. http://zhidao.baidu.com/question/147588395.html