Wireshark capture filter settings
Source: Internet  Published by: 玛吉史密斯知乎  Editor: 程序博客网  Date: 2024/05/17 02:27
Common syntax
Functions supported by the filter language:
The display filter language also provides the following functions:
upper(string-field) - converts a string field to upper case
lower(string-field) - converts a string field to lower case
upper() and lower() are useful when a string comparison should not depend on case. For example:
upper(ncp.nds_stream_name) contains "MACRO"
lower(mount.dump.hostname) == "angel"
Protocol field types
Every protocol field has a defined type. The types are:
- unsigned integer (8, 16, 24 or 32 bits)
- signed integer (8, 16, 24 or 32 bits)
- Boolean
- Ethernet address (6 bytes)
- Byte array
- IPv4 address
- IPv6 address
- IPX network number
- Text string
- Double-precision floating point number
Numbers can be written in three bases (decimal, octal, hexadecimal); the three filters below are equivalent:
frame.pkt_len > 10
frame.pkt_len > 012
frame.pkt_len > 0xa
Boolean values are written as 1 or 0.
Ethernet address
eth.dst eq ff:ff:ff:ff:ff:ff
aim.data == 0.1.0.d
fddi.src == aa-aa-aa-aa-aa-aa
echo.data == 7a
IPv4 address and hostname
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
Capture filter examples (tcpdump/BPF syntax):
Traffic from or to a single IP address (e.g. 111.111.111.111):
host 172.18.5.4
Traffic from or to an IP range:
net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0
Traffic from an IP range:
src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0
Traffic to an IP range:
dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0
Traffic on a given port:
port 53   (53 is DNS)
A port range:
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, equivalently:
tcp portrange 1501-1549
A specific protocol, e.g. Ethernet type EAPOL, or IP:
ether proto 0x888e
ip
Destination is not a given Ethernet address:
not ether dst 01:80:c2:00:00:0e
Exclude broadcast and multicast traffic:
not broadcast and not multicast
Show HTTP GET requests on port 80:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
("GET" in hex is 0x474554; the filter compares the first 4 bytes of the TCP payload, so it matches "GET " = 0x47455420. (tcp[12:1] & 0xf0) >> 2 is the TCP header length in bytes, i.e. the offset of the payload within the TCP segment.)
Bit-level filters
IP filters
ip[0] & 0x0f          low nibble: header length in 4-octet words, should be 5
ip[1]                 type of service / QoS / DiffServ
ip[2:2]               total length of datagram in octets
ip[4:2]               IP ID number
ip[6] & 0x80          reserved bit (possibly used for ECN)
ip[6] & 0x40          DF bit
ip[6] & 0x20          MF bit
ip[6:2] & 0x1fff      fragment offset (number of 8-octet blocks)
ip[8]                 TTL
ip[9]                 protocol
ip[10:2]              header checksum
ip[12:4]              source IP
ip[16:4]              destination IP

Samples
(ip[12:4] = ip[16:4])                            src IP = dst IP (land attack)
ip[0] & 0xf0                                     high nibble: IP version, almost always 4
(ip[0] & 0xf0 != 0x40)                           IP version != 4
(ip[0:1] & 0x0f > 5)                             IP with options set
(ip[19] = 0xff)                                  broadcasts to x.x.x.255
(ip[19] = 0x00)                                  broadcasts to x.x.x.0
(ip and ip[1] & 0xfc == 0xb8)                    search for EF in DSCP
(ip and ip[1] & 0xfc == 0x28)                    search for AF11 in DSCP
(ip and ip[1] & 0xfc != 0x00)                    search for packets with DSCP != 0
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)    initial fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)   intervening fragments
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)    terminal fragments
(ip[0] & 0x0f) != 5                              has IP options (or is truncated, or is just some sort of freak...)
ip[8] < 5                                        short TTL value
ip[6] = 32                                       MF set
ip[2:2] > 999                                    IP packet larger than 999 bytes

ICMP filters
icmp[0]               type
icmp[1]               code
icmp[2:2]             checksum

Samples
icmp[0]=0x#                                      all packets with ICMP type X
icmp[0]=0x# and icmp[1]=0x#                      all packets with ICMP type X and code Y
icmp[0]=8                                        ICMP echo request messages
icmp[0]=0                                        ICMP echo reply messages
icmp[0]=0x11                                     ICMP address mask request
icmp[0]=0x12                                     ICMP address mask reply
icmp[0]=11 and icmp[1]=0                         ICMP time exceeded (TTL exceeded in transit)
icmp[0]=3 and icmp[1]=4                          ICMP destination unreachable, fragmentation needed (type 3, code 4)
icmp[0]=8 and ip[2:2] > 64                       large ICMP echo request packets

TCP filters
tcp[0:2]              source port
tcp[2:2]              destination port
tcp[4:4]              sequence number
tcp[8:4]              ack number
tcp[12]               header length (data offset, high nibble)
tcp[13]               TCP flags:
  ---- --S-   0000 0010 = 0x02   normal syn
  ---A --S-   0001 0010 = 0x12   normal syn-ack
  ---A ----   0001 0000 = 0x10   normal ack
  --UA P---   0011 1000 = 0x38   psh-urg-ack; interactive stuff like ssh
  ---A -R--   0001 0100 = 0x14   rst-ack; it happens
  ---- --SF   0000 0011 = 0x03   syn-fin scan
  --U- P--F   0010 1001 = 0x29   urg-psh-fin; nmap fingerprint packet
  -Y-- ----   0100 0000 = 0x40   anything >= 0x40 has a reserved bit set
  XY-- ----   1100 0000 = 0xC0   both reserved bits set
  XYUA PRSF   1111 1111 = 0xFF   FULL_XMAS scan
tcp[14:2]             window size
tcp[16:2]             checksum
tcp[18:2]             urgent pointer

Samples
tcp[13] = 0x02                                   is SYN, nothing else
(tcp[13] & 0x02) != 0                            contains SYN, we don't care what else
(tcp[13] & 0x03) = 3                             is some kind of SYN-FIN; really bad winnuke (not tested)
tcp[20:4] = 0x47455420                           GET in request (assumes a 20-byte TCP header with no options)
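As an added illustration (not part of the original post), the following Python evaluates the same byte-offset tests as the BPF expressions above, and the port-80 GET filter from the examples section, over a constructed IPv4/TCP packet. Addresses, ports and the 8-byte options area are made up for the example; the helper names (build_ipv4_tcp, ip_field, tcp_field) are this example's own.

```python
import struct

# Constructed IPv4/TCP packet (no Ethernet header) with made-up addresses and
# ports; ip_flags_frag is the raw ip[6:2] word (0x4000 = DF set, no fragment).
def build_ipv4_tcp(tcp_flags, payload, ip_flags_frag=0x4000, tcp_opts=b"\x01" * 8):
    data_offset = 5 + len(tcp_opts) // 4          # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4,
                      tcp_flags, 65535, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, ip_flags_frag,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def ip_field(pkt, off, n=1):
    """ip[off:n] -- n bytes at offset off from the start of the IP header."""
    return int.from_bytes(pkt[off:off + n], "big")

def tcp_field(pkt, off, n=1):
    """tcp[off:n] -- same, but relative to the TCP header (skip IHL*4 bytes)."""
    ihl = (pkt[0] & 0x0f) * 4
    return int.from_bytes(pkt[ihl + off:ihl + off + n], "big")

# tcp[13] = 0x02 / (tcp[13] & 0x02) != 0 / (tcp[13] & 0x03) = 3
def is_syn_only(pkt): return tcp_field(pkt, 13) == 0x02
def has_syn(pkt): return (tcp_field(pkt, 13) & 0x02) != 0
def is_syn_fin(pkt): return (tcp_field(pkt, 13) & 0x03) == 3

# (ip[0] & 0x0f) != 5
def has_ip_options(pkt): return (ip_field(pkt, 0) & 0x0f) != 5

# The three fragment rules built on ip[6] & 0x20 (MF) and ip[6:2] & 0x1fff (offset)
def fragment_kind(pkt):
    mf = (ip_field(pkt, 6) & 0x20) != 0
    offset = ip_field(pkt, 6, 2) & 0x1fff
    if mf and offset == 0: return "initial"
    if mf: return "intervening"
    return "terminal" if offset != 0 else "unfragmented"

# tcp[20:4] = 0x47455420 assumes a 20-byte TCP header and misses segments with options
def get_at_fixed_offset(pkt): return tcp_field(pkt, 20, 4) == 0x47455420

# port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
def is_http_get(pkt):
    hdr_len = (tcp_field(pkt, 12) & 0xf0) >> 2  # data-offset nibble * 4 = header bytes
    return tcp_field(pkt, 2, 2) == 80 and tcp_field(pkt, hdr_len, 4) == 0x47455420
```

The constructed packet carries TCP options, so the fixed tcp[20:4] form misses the GET while the data-offset form finds it.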
UDP filters
udp[0:2]              source port
udp[2:2]              destination port
udp[4:2]              datagram length
udp[6:2]              UDP checksum
Protocols (ip[9] is the IP protocol number)
ip[9] == 8            EGP
ip[9] == 9            IGP
ip[9] == 88           EIGRP
ip[9] == 50           ESP
ip[9] == 51           AH
ip[9] == 89           OSPF
ip[9] == 124          ISIS
for others, see /etc/protocols

Routing protocols
(udp and port 520) or (host 224.0.0.9)           RIP 1 + 2
tcp and port 179                                 BGP
ip[9] == 8                                       EGP
ip[9] == 9                                       IGP
ip[9] == 88                                      EIGRP
ip[9] == 89                                      OSPF
ip[9] == 124                                     ISIS
Ethernet filters
ether[20:2] == 0x2000                            CDP packets
ether[12:2] == 0x0806                            ARP packets
IPv6
ip6                   filters native IPv6 traffic (including ICMPv6)
icmp6                 filters native ICMPv6 traffic
proto ipv6            filters tunneled IPv6-in-IPv4 traffic
The byte offsets below assume no extension headers between the fixed 40-byte IPv6 header and the transport header: ip6[6] is the next-header field, ip6[40] is the first byte of the payload (the ICMPv6 type), and ip6[53] is TCP byte 13 (the flags).

TCP
ip6 and (ip6[6] == 0x06)                         IPv6 TCP
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)   IPv6 TCP SYN
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10)   IPv6 TCP ACK
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12)   IPv6 TCP SYN/ACK

UDP
ip6 and (ip6[6] == 0x11)                         IPv6 UDP

ICMP
(ip6[6] == 0x3a)                                 ICMPv6
(ip6[6] == 0x3a) and (ip6[40] == 0x01)           ICMPv6 type 1 Destination Unreachable
(ip6[6] == 0x3a) and (ip6[40] == 0x02)           ICMPv6 type 2 Packet Too Big
(ip6[6] == 0x3a) and (ip6[40] == 0x03)           ICMPv6 type 3 Time Exceeded
(ip6[6] == 0x3a) and (ip6[40] == 0x04)           ICMPv6 type 4 Parameter Problem
(ip6[6] == 0x3a) and (ip6[40] == 0x80)           ICMPv6 type 128 Echo Request
(ip6[6] == 0x3a) and (ip6[40] == 0x81)           ICMPv6 type 129 Echo Reply
(ip6[6] == 0x3a) and (ip6[40] == 0x85)           ICMPv6 type 133 Router Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x86)           ICMPv6 type 134 Router Advertisement
(ip6[6] == 0x3a) and (ip6[40] == 0x87)           ICMPv6 type 135 Neighbor Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x88)           ICMPv6 type 136 Neighbor Advertisement
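Added example (not from the original post): the IPv6 offsets above (ip6[6] next header, ip6[40] ICMPv6 type, ip6[53] TCP flags) evaluated in Python over constructed packets, including one carrying a Hop-by-Hop extension header, which shifts the transport header and makes the fixed-offset filters miss. Addresses, ports and the helper names (build_ipv6, tcp_header, icmpv6_header, ip6_field) are this example's own.

```python
import struct

SRC = bytes.fromhex("fe80" + "0000" * 6 + "000a")   # constructed fe80::a
DST = bytes.fromhex("ff02" + "0000" * 6 + "0001")   # ff02::1 (all nodes)

# Constructed IPv6 packet (no Ethernet header). With hop_by_hop=True a minimal
# 8-byte Hop-by-Hop extension header (PadN option) is inserted before the payload.
def build_ipv6(next_header, payload, hop_by_hop=False):
    body, nh = payload, next_header
    if hop_by_hop:
        # Hop-by-Hop header: next header, ext len 0 (= 8 octets), PadN(4) filler
        body = bytes([next_header, 0, 1, 4, 0, 0, 0, 0]) + payload
        nh = 0
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), nh, 64, SRC, DST) + body

def tcp_header(flags):                      # 20-byte TCP header, made-up ports/seq
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 65535, 0, 0)

def icmpv6_header(msg_type, code=0):        # type, code, checksum, then 4 body bytes
    return bytes([msg_type, code, 0, 0]) + b"\x00" * 4

def ip6_field(pkt, off, n=1):
    """ip6[off:n] -- n bytes at offset off from the start of the IPv6 header."""
    return int.from_bytes(pkt[off:off + n], "big")

# ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02): TCP flags sit at 40 + 13
def is_ipv6_tcp_syn(pkt):
    return ip6_field(pkt, 6) == 0x06 and ip6_field(pkt, 53) == 0x02

# (ip6[6] == 0x3a): ICMPv6 type is the first payload byte, ip6[40]
def icmpv6_type(pkt):
    return ip6_field(pkt, 40) if ip6_field(pkt, 6) == 0x3a else None

def is_neighbor_solicitation(pkt):          # type 135 = 0x87
    return icmpv6_type(pkt) == 0x87
```

With the extension header present ip6[6] becomes 0 (Hop-by-Hop), so both the TCP and the ICMPv6 tests return a miss even though the packet is still TCP or ICMPv6.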
My filters
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast