Wireshark study notes (3): structured/compound capture filters

Source: Internet   Editor: 程序博客网   Date: 2024/05/19 18:12

For more material and examples on structured capture filters, see the following links:

(1)http://www.packetlevel.ch/html/txt/tcpdump.filters

(2)http://www.packetlevel.ch/html/tcpdumpf.html


Note the difference between capture filters and display filters:

1) A capture filter is configured before the capture starts

==> Wireshark captures only the packets that match the capture filter rule

2) A display filter is configured after the capture

==> the capture is already complete; the display filter only selects which of the captured packets are shown

Capture filters can be written at each of the following layers:

(1) layer 1 (network interface) filters,

(2) layer 2 (Ethernet, i.e. MAC address) filters,

(3) layer 3 (IP) filters,

(4) layer 4 (TCP/UDP and so on) filters.

A structured capture filter is simply a compound capture filter:

several capture filters "spliced" together with the operators not, and, or (or their symbolic forms !, &&, ||).

Later posts will describe each of these layers of capture filters in detail.

The content of link (1) is reproduced below:

# A collection of tcpdump filters.
# [[shells might require escaping of special characters]]
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.rdrs.net/snippets/src/pcap_example.c
# Last update: Tue Dec 28, 2004
# ==
# If you have tips, suggestions or additional filters
# that haven't been listed here, drop me a short note.
# Address info can be found at http://www.rdrs.net/about.html
#
# Thnkx..
#
######## TCP
#
# filter ssh
tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || \
 tcp[((tcp[12]>>2)+4):2] = 0x322E)
# filter "combine" rlogin
(tcp[(ip[2:2]-((ip[0]&0x0f)<<2))-1]=0) && \
 ((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) && \
 ((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 128)
# filter ftp
tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020
# URG set and ACK not set
tcp[13] & 0x30 = 0x20
# IMAP service exploit
tcp && (tcp[13] & 2 != 0) && (dst port 143)
# filter root backdoor
tcp[(tcp[12]>>2):2] = 0x2320 && \
 (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2
# RST set and FIN set
tcp[13] & 0x05 = 5
# filter out napster
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 && \
 tcp[(tcp[12]>>2):4] = 0x53454e44) || \
 ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 && \
 tcp[(tcp[12]>>2):2] = 0x4745 && tcp[(tcp[12]>>2)+2]=0x54)
# telnet
tcp[2:2] = 23
# again telnet but better...
(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)
# attempted ftp connection to other hosts on the network than the ftp server
dst net 82.48.9.1/22 && dst port 21 \
 && (tcp[13] & 0x3f = 2) && !(dst host ftp.bla.org)
# attempts to include data on the initial SYN.
tcp[13] & 0xff = 2 && \
 (ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0
# active open (syn set without ack)
(tcp[13] & 0x12 < 16)
# winnuke DOS attack
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)
# destination port less than 1024
tcp[2:2] < 1024
# SYN set and FIN set
tcp[13] & 0x03 = 3
# one of the reserved bits of tcp[13] is set
tcp[13] & 0xc0 != 0
# DNS zone transfer
tcp && dst port 53
# active open connection, syn is set, ack is not
tcp[13] & 0x12 = 2
# X11 ports
(tcp[2:2] >= 6000) && (tcp[2:2] < 7000)
# TCP port 6667 with ACK flag set and payload starting at byte 12
# that does not include the ascii words "PING", "PONG", "JOIN", or "QUIT".
(tcp[13] & 0x10 != 0) && (tcp[0:2]=6667 || tcp[2:2]=6667) \
 && (not ip[32:4] = 1346981447 || not ip[32:4] = 1347374663 \
 || not ip[32:4] = 1246710094 || not ip[32:4] = 1364543828)
# except ack push
(tcp[13] & 0xe7) != 0
# all packets with the PUSH flag set
tcp[13] & 8 != 0
# all packets with the RST flag set
tcp[13] & 4 != 0
# filter out gnutella
tcp[(tcp[12]>>2):4] = 0x474e5554 && \
 tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 && tcp[8+(tcp[12]>>2)] = 0x20
# catch default hping 2 pings
tcp[3] = 0 && tcp[13] = 0
# FIN set and ACK not set
tcp[13] & 0x11 = 1
# null scan filter with no flags set
tcp[13] = 0
# could also be written as
tcp[13] & 0xff = 0
# no flags set, null packet
tcp[13] & 0x3f = 0
# syn-fyn
tcp[13] = 3
# syn-fyn both flags set
(tcp[13] & 0x03) = 3
# only syn..
(tcp[13] & 0x02) != 0
# reserved bits set
tcp[13] >= 64
# incoming http requests
(tcp[13:1]&18 = 2) && (port 80) && (ip dst 192.168.1.40)
# broadcasts x.x.x.255
ip[19] = 0xff
# broadcasts x.x.x.0
ip[19] = 0x00
# incoming SYN packets
tcp && (tcp[13] & 0x02 != 0) && \
 (tcp[13] & 0x10 = 0) && (not dst port 53) && \
 (not dst port 80) && (not dst port 25) && (not dst port 21)
# SMB
dst port 139 && tcp[13:1] & 18 = 2
# ACK flag set, ack value is ZERO. Not normal for three-way handshake.
# Possible capture of NMAP(1) os fingerprinting.
tcp[13] & 0xff = 0x10 && tcp[8:4] = 0
# high-order reserved bits should be ZERO. NMAP(1) sometimes sets the
# bit that is in the 64 position for os fingerprinting.
tcp[13] >= 64
# SYN set and RST set
tcp[13] & 0x06 = 6
# PSH set and ACK not set
tcp[13] & 0x18 = 8
# Some filters combined for a general [catch [[bad]] events filter]
(tcp && (tcp[13] & 3 != 0) && ((dst port 143) || \
 (dst port 111) || (tcp[13] & 3 != 0 && tcp[13] & 0x10 = 0 && \
 dst net 172.16 && dst port 1080) || \
 (dst port 512 || dst port 513 || dst port 514) || \
 ((ip[19] = 0xff) && not (net 172.16/16 || net 192.168/16)) || \
 (ip[12:4] = ip[16:4]))) || (not tcp && igrp && not dst port 520 && \
 ((dst port 111) || (udp port 2049) || ((ip[19] = 0xff) && \
 not (net 172.16/16 || net 192.168/16)) || (ip[12:4] = ip[16:4])))
# RIP info
-s 1024 port routed
# in/out going fragmentation attack
tcp && ip[6:2]&16383 != 0
######## IP
#
# all packets with more than 20 bytes of payload
(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) > 20
# ping of death attack
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
 (65535 < (ip[2:2] + 8 * (ip[6:2] & 0x1fff)))
# more fragments bit is not set [but] the fragment offset is not zero
((ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0))
# any packet with a header more than 20 bytes.
ip[0] & 0x0f > 5
# any packet with more fragments set
ip[6] & 0x20 != 0
# packets with TTL's less than 5
ip[8] < 5
# source ip equal to destination ip [classic land attack]
ip[12:4] = ip[16:4]
# another, land attack
(tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])
# IP options
(ip[0] & 0x0f) != 5
# broadcasts to xxx.xxx.xxx.255 || xxx.xxx.xxx.0
(ip[19]=0xff) || (ip[19]=0x00)
# fragmented packet with zero offset
ip[6:2] & 0x1fff = 0
# and more fragments [terminal]
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)
# and even more fragments [intervening]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)
# my head was fragmented [initially]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)
# fragmented packets with more coming
ip[6:1] & 0x20 != 0
# more fragments bit is not set, [but] the fragment offset is not zero
(ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)
# unroutable addresses
not ((ip[12] < 3) || net 5 || net 10 || net 127 || net 172.16 \
 || net 192.168 || (ip[12] > 239))
# IP options
ip[0:1] & 0x0f > 5
# loose source routing, [(ip[0:1] & 0x0f > 5)]
# ip[20] opts:
#  7,0x44,0x83,0x89
#  record route,timestamp,loose source routing,strict source routing
# loose source routing
ip[20:1] & 0xff = 131
# other IP versions than ipv4
ip && (ip[0] & 0xf0 != 0x40)
######## ICMP
#
# fragmentation needed but DF flag set
(icmp[0] = 3) && (icmp[1] = 4)
# fragmented ICMP
icmp && (ip[6:1] & 0x20 != 0)
# in/out going smurf attack
icmp && (ip[19:1] = 255)
# in/out going fragmentation attack
icmp && ip[6:2] & 16383 != 0
# Loki Filter
((icmp[0] = 0) || (icmp[0] = 8)) && ((icmp[6:2] = 0xf001) || (icmp[6:2] = 0x01f0))
# ICMP address mask requests
icmp[0] = 17
# Frag required but DF set
((icmp[0] = 3) && (icmp[1] = 4))
# source route failed
(icmp[0] = 3) && (icmp[1] = 5)
# all ICMP except ping
icmp && icmp[0] != 8 && icmp[0] != 0
# source quench        : icmp[0] = 4
# redirect             : icmp[0] = 5
# router advertisement : icmp[0] = 9
# router solicitation  : icmp[0] = 10
# parameter problem    : icmp[0] = 12
# timestamp request    : icmp[0] = 13
# timestamp reply      : icmp[0] = 14
# information request  : icmp[0] = 15
# information reply    : icmp[0] = 16
# address mask request : icmp[0] = 17
# address mask reply   : icmp[0] = 18
######## UDP
#
# teardrop attack
udp && (ip[6:1] & 0x20 != 0)
# catch anything udp to port 500
-n -vv udp && dst port 500
# catch udp packets with impossible udp lengths
(udp[4:2] < 0) || (udp[4:2] > 1500)
# back Orifice
-n -vv udp && dst port 31337
# UNIX traceroute destports between 33000 and 33999
(udp[2:2] >= 33000) && (udp[2:2] <= 33999)
# or alternatively..
udp[2:2] >= 33000 && udp[2:2] < 34000 && ip[8] = 1
# UDP port scan
udp && udp[0:2] = udp[2:2]
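The byte-index expressions that the compound filters above are built from (tcp[13] & 0x12 = 2, the ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2) payload-length term, tcp[(tcp[12]>>2):4]) can be checked against hand-built packets. The following is an added example written for this post, not code from the page or from the rdrs.net filter collection; the packets and the helper names (build_ipv4_tcp, ip_, tcp_) are constructed here, and the example shows why those filters derive the TCP header start from (ip[0]&0x0f)<<2 instead of assuming a 20-byte IP header.

```python
import struct
from ipaddress import IPv4Address

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ip_opts=b""):
    """Constructed IPv4+TCP packet without Ethernet header (checksums left zero:
    the byte-index filters never look at them). ip_opts must be a multiple of 4."""
    ihl = 5 + len(ip_opts) // 4                      # IP header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + ip_opts + tcp_hdr + payload

def ip_(pkt, off, size=1):
    """ip[off:size]: unsigned big-endian integer read from the IP header start."""
    return int.from_bytes(pkt[off:off + size], "big")

def tcp_(pkt, off, size=1):
    """tcp[off:size]: the TCP header starts after the variable-length IP header,
    which is what the (ip[0]&0x0f)<<2 term in the filters computes."""
    return ip_(pkt, ((ip_(pkt, 0) & 0x0f) << 2) + off, size)

def payload_len(pkt):
    """ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2): total length minus both headers."""
    return ip_(pkt, 2, 2) - ((ip_(pkt, 0) & 0x0f) << 2) - (tcp_(pkt, 12) >> 2)

# The compound filters from the collection, as predicates over a raw packet.
def syn_without_ack(pkt):      # tcp[13] & 0x12 = 2
    return tcp_(pkt, 13) & 0x12 == 2

def data_on_syn(pkt):          # tcp[13] & 0xff = 2 && <payload length> != 0
    return tcp_(pkt, 13) & 0xff == 2 and payload_len(pkt) != 0

def land_attack(pkt):          # (tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])
    return tcp_(pkt, 0, 2) == tcp_(pkt, 2, 2) and ip_(pkt, 12, 4) == ip_(pkt, 16, 4)

def ssh_banner(pkt):           # tcp[(tcp[12]>>2):4] = 0x5353482D, i.e. "SSH-"
    return tcp_(pkt, tcp_(pkt, 12) >> 2, 4) == 0x5353482D

if __name__ == "__main__":
    SYN, ACK, PSH = 0x02, 0x10, 0x08
    plain = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 22, SYN)
    # Same SYN carrying three NOP IP options: a fixed offset of 20 would misread tcp[13].
    opts = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 22, SYN, ip_opts=b"\x01\x01\x01\x00")
    for name, p in (("plain syn", plain), ("syn+ipopts", opts)):
        print(name, "syn_without_ack:", syn_without_ack(p), "byte 33:", p[33])
```

Each predicate mirrors one filter line, so a discrepancy between the predicate and tcpdump's verdict on the same bytes points at a misread offset rather than at the capture.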
