Wireshark capture filter设置

常见语法

过滤器支持的函数：

过滤器的语言还有下面几个函数：upper(string－field)－把字符串转换成大写lower(string－field)－把字符串转换成小写upper((和lower((在处理大小写敏感的字符串比较时很有用。例如：upper(ncp.nds_stream_name) contains "MACRO"lower(mount.dump.hostname) =="angel"

协议字段类型

每个协议的字段都有规定的类型。这些类型是：unsigned integer               无符号整数（8比特、16比特、24比特、32比特）signed integer                   有符号整数（8比特、16比特、24比特、32比特）Boolean                             布尔值Ethernet address               以太网地址（6字节）Byte array                          字节数组IPv4 address                      IPv4地址IPv6 address                      IPv6地址IPX network number           IPX网络地址Text string                          文本串Double-precision floating point number          双精度浮点值

三种进制表示方法：

frame.pkt_len>10frame.pkt_len>012frame.pkt_len>0xa

布尔值用1 0表示

以太网地址

eth.dst        eq        ff:ff:ff:ff:ff:ffaim.data == 0.1.0.dfddi.src == aa-aa-aa-aa-aa-aaecho.data == 7a

ipv4和主机名

 ip.dst eq www.mit.edu  ip.src == 192.168.1.1

示例：

获取from或to ip 111.111.111.111

host 172.18.5.4

获取from或to ip 段

net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0

from ip段

src net 192.168.0.0/24  or src net 192.168.0.0 mask 255.255.255.0

to ip地址段

dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0

指定port数据

port 53    //53是dns

port段

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

或

tcp portrange 1501-1549

指定协议：如：Ethernet type EAPOL，ip

ether proto 0x888eip

目标地址不是某个ethernet

not ether dst 01:80:c2:00:00:0e

除去广播数据

not broadcast and not multicast

显示http 80 get数据

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420   GET 16进制是0x474554

位过滤

IP Filtersip[0] & 0x0flow nibble: header length in 4octet words. should be 5ip[1]type of service/QoS/DiffServip[2:2]total length of datagram in octetsip[4:2]IP ID numberip[6] & 0x80reserved bit (possibly used for ECN)ip[6] & 0x40DF bitip[6] & 0x20MF bitip[6:2] & 0x1ffffragment offset (number of 8octet blocks)ip[8]ttlip[9]protocolip[10:2]header checksumip[12:4]source IPip[16:4]destination IPSamples (ip[12:4] = ip[16:4])Src IP = Dest IP (land attack)ip[0] & 0xf0high nibble: IP version. almost always 4(ip[0] & 0xf0 != 0x40)IP versions !=4(ip[0:1] & 0x0f > 5)IP with options set(ip[19] = 0xff)Broadcasts to x.x.x.255(ip[19] = 0x00)Broadcasts to x.x.x.0(ip and ip[1] & 0xfc == 0xb8)search for EF in DSCP(ip and ip[1] & 0xfc == 0x28)search for AF11 in DSCP(ip and ip[1] & 0xfc != 0x00)search for DCSP Packets != 0(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)initial fragments(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)intervening fragments(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)terminal fragments(ip[0] & 0x0f) != 5has ip options (or is truncated, or is just some sort of freak...)ip[8] < 5short TTL valueip[6] = 32MF setiip[2:2] > 999IP Packet greater then 999ICMP Filtersicmp[0]typeicmp[1]codeicmp[2:2]checksumSamples icmp[0]=0x#all Packets with ICMP Typeicmp[0]=0x# and icmp[1]=0x#all Packets with ICMP Type X and Code = Yicmp[0]=8ICMP Request Messagesicmp[8]=0ICMP Request Replayicmp[0]=0x11ICMP Address Mask Requesticmp[0]=0x12ICMP Address Mask Replayicmp[0]=11 and icmp[1]=0ICMP Time Exeedeticmp[0]=3 and icmp[1]=4ICMP Time Exeedeticmp[0]=8 and ip[2:2] > 64Large ICMP PacketsTCP Filterstcp[0:2]source porttcp[2:2]destination porttcp[4:4]sequence numbertcp[8:4]ack numbertcp[12]header lengthtcp[13]tcp flags 
---- --S-       0000 0010 = 0x02   normal syn
 
---A --S-       0001 0010 = 0x12   normal syn-ack
 
---A ----       0001 0000 = 0x10   normal ack
 
--UA P---       0011 1000 = 0x38   psh-urg-ack. interactive stuff like ssh
 
---A -R--       0001 0100 = 0x14   rst-ack. it happens.
 
---- --SF       0000 0011 = 0x03   syn-fin scan
 
--U- P--F       0010 1001 = 0x29   urg-psh-fin. nmap fingerprint packet
 
-Y-- ----       0100 0000 = 0x40   anything >= 0x40 has a reserved bit set
 
XY-- ----       1100 0000 = 0xC0   both reserved bits set
 
XYUA PRSF       1111 1111 = 0xFF   FULL_XMAS scan
tcp[14:2]window sizetcp[16:2]checksumttcp[18:2]urgent pointerSamples tcp[13] = 0x02is SYN. nothing else.(tcp[13] & 0x02) != 0contains SYN. we don't care what else...(tcp[13] & 0x03) = 3is some kind of SYN-FIN. realy Bad winnuke (not tested)tcp[20:4] = 0x47455420GET in request
UDP Filtersudp[0:2]source portudp[2:2]destination portudp[4:2]datagram lengthudp[6:2]UDP checksum
protocolsip[9] == 8EGPip[9] == 9IGPip[9] == 88EIRGPip[9] == 50ESPip[9] == 51AHip[9] == 89OSPFip[9] == 124ISIS other, see /etc/protocols
Routing Protocols(udp and port 520) or (host 224.0.0.9)RIP 1 + 2tcp and port 179BGPip[9] == 8EGPip[9] == 9IGPip[9] == 88EIRGPip[9] == 89OSPFip[9] == 124ISIS
ether Filtersether[20:2] == 0x2000CDP paketsether[12:2] == 0x0806ARP pakets
IPv6ip6filters native IPv6 traffic (including ICMPv6)icmp6filters native ICMPv6 trafficproto ipv6filters tunneled IPv6-in-IPv4 trafficTCP ip6 and (ip6[6] == 0x06)IPv6 TCPip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)IPv6 TCP Synip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10)IPv6 TCP ACKip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12)IPv6 TCP Syn/ACKUDP ip6 and (ip6[6] == 0x11)IPv6 TCPICMP (ip6[6] == 0x3a)ICMP v6(ip6[6] == 0x3a) and (ip6[40] == 0x01)ipv6 and type 1 Dest Unreachable(ip6[6] == 0x3a) and (ip6[40] == 0x02)ipv6 and type 2 Packet too big(ip6[6] == 0x3a) and (ip6[40] == 0x03)ipv6 and type 3 Time Exeedet(ip6[6] == 0x3a) and (ip6[40] == 0x04)ipv6 and type 4 Parameter Problem(ip6[6] == 0x3a) and (ip6[40] == 0x80)ipv6 and type 128 Echo Request(ip6[6] == 0x3a) and (ip6[40] == 0x81)ipv6 and type 129 Echo Reply(ip6[6] == 0x3a) and (ip6[40] == 0x86)ipv6 and type 133 Router Solicitation(ip6[6] == 0x3a) and (ip6[40] == 0x87)ipv6 and type 134 Router Advertisement(ip6[6] == 0x3a) and (ip6[40] == 0x88)ipv6 and type 135 Neighbor Solicitation(ip6[6] == 0x3a) and (ip6[40] == 0x89)ipv6 and type 136 Neighbor Advertisement
MY Filterstcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast: