[Exclusive] Wireshark usage and filtering rules
- Spoto
- Posted on: 2019-05-14
Today I will share Wireshark display filter usage and filtering rules with you. Field names in display filters are lower-case (ip.src, tcp.port), and the comparison operators accept both the symbolic form (==, !=) and the word form (eq, ne).
1 Filter by IP
Example:
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107
or ip.addr eq 192.168.1.107 // matches packets whose source IP or destination IP is 192.168.1.107
ip.src eq 10.175.168.182
Tip: When you type a rule into the display filter edit box, the box turns red if the syntax is incorrect and green if it is correct.
2 Filter by port
Example:
tcp.port eq 80 // matches whether 80 is the source port or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP segments whose destination port is 80
tcp.srcport == 80 // only TCP segments whose source port is 80
udp.port eq 15000
Filter a port range:
tcp.port >= 1 and tcp.port <= 80
3 Filter by protocol
Examples: tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp, etc. Typing just the protocol name shows every packet that contains that protocol layer. Note that Wireshark 3.0 renamed ssl to tls and bootp to dhcp; the old names are still accepted as aliases.
4 Filter by MAC
Filter by Ethernet header:
eth.dst == A0:00:00:04:C5:84 // filter by destination MAC
eth.src eq A0:00:00:04:C5:84 // filter by source MAC
eth.dst==A0:00:00:04:C5:84
eth.dst==A0-00-00-04-C5-84 // colon and hyphen separators are both accepted
eth.addr eq A0:00:00:04:C5:84 // matches frames whose source MAC or destination MAC is A0:00:00:04:C5:84
Comparison operators (the word form and the symbol form are equivalent):
lt  <   less than
le  <=  less than or equal to
eq  ==  equal to
ne  !=  not equal to
gt  >   greater than
ge  >=  greater than or equal to
5 Packet length filter
Example:
udp.length == 26 // the UDP length field: the 8-byte UDP header plus the UDP payload
tcp.len >= 7 // the TCP payload length (the data carried below TCP), excluding the TCP header itself
ip.len == 94 // the IP total length: everything from the IP header to the end of the packet, which excludes the 14-byte Ethernet header
frame.len == 119 // the whole frame, from the Ethernet header to the end
The layers nest as eth -> ip or arp -> tcp or udp -> data, so for an IPv4/TCP packet frame.len == 14 + ip.len, and ip.len == IP header length + TCP header length + tcp.len.
6 HTTP filtering
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packets
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
These response rules only match responses that carry a Content-Type: header. The dissected fields are more precise than substring matching: http.response.code == 200 matches 200 responses regardless of HTTP version, and http.host / http.user_agent match the parsed header values.
7 TCP flag filtering
tcp.flags // shows every packet that has a TCP flags field, i.e. every TCP segment
tcp.flags.syn == 1 // shows packets with the SYN flag set; tcp.flags == 0x002 matches SYN only and tcp.flags == 0x012 matches SYN+ACK
tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window advertisements that are not resets, i.e. a receiver that has stopped accepting data
8 Packet content filtering
----------------------------------------------
tcp[20] // the single byte at offset 20 of the TCP layer
tcp[20:] // all bytes from offset 20 of the TCP layer to the end
----------------------------------------------
tcp[20:8] // 8 bytes starting at offset 20
The general form is proto[offset:length]. Wireshark also accepts proto[offset] for one byte, proto[:length] for the first bytes, proto[offset:] through to the end, and proto[first-last] for an inclusive range.
udp[8:3]==81:60:03 // skip the 8-byte UDP header, take the next 3 bytes and compare them with the byte string after ==
udp[8:1]==32 // the first payload byte equals 0x32; the value after == is a colon-separated hex byte string
eth.addr[0:3]==00:06:5B // the first 3 bytes of either MAC address, i.e. the OUI
Example:
To check whether the first three payload bytes below UDP are 0x20 0x21 0x22:
the UDP header has a fixed length of 8, so
udp[8:3]==20:21:22
To check whether the first three payload bytes below TCP are 0x20 0x21 0x22:
the TCP header is normally 20 bytes, but it is longer when options are present, so the payload does not always start at offset 20.
tcp[20:3]==20:21:22
To be exact you must know the TCP header length first (tcp.hdr_len). Recent Wireshark versions expose the payload directly, so tcp.payload[0:3]==20:21:22 works whatever the header length.
matches and contains syntax
ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"
ip.src==192.168.1.107 and udp contains 02:12:21:00:22
ip.src==192.168.1.107 and tcp contains "GET"
matches takes a regular expression, contains takes a literal byte string or quoted text. udp contains 7c:7c:7d:7d matches UDP packets with 0x7c7c7d7d anywhere in the datagram, not necessarily starting at the first byte; use a slice when the offset matters.
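The length fields of section 5 and the slice and contains operators of section 8 are easiest to understand from the bytes themselves. The following is an added example, not code from the original post: a small parser over constructed Ethernet/IPv4/TCP/UDP frames (sample data built in the script, not captured traffic) that computes frame.len, ip.len, tcp.len and udp.length, evaluates slice comparisons such as udp[8:3] == 20:21:22 with the same offset semantics as a Wireshark display filter, and shows why tcp[20:3] stops matching the payload once TCP options are present. Port numbers, addresses and the option bytes are assumptions chosen to match the article's examples.

```python
import re
import struct

# Added example, not code from the original post: a tiny frame parser that
# reproduces the byte ranges Wireshark's eth[...]/ip[...]/tcp[...]/udp[...]
# slices and the frame.len / ip.len / tcp.len / udp.length fields refer to.
# All frames below are constructed sample data, not captured traffic.

ETH_DST = bytes.fromhex("a0000004c584")   # MAC from the article's examples
ETH_SRC = bytes.fromhex("00065b000001")   # constructed; OUI 00:06:5B from the eth.addr[0:3] example


def build_frame(payload, proto="tcp", tcp_options=b""):
    """Build an Ethernet II / IPv4 / TCP-or-UDP frame around `payload`.
    Checksums are left at zero; that does not affect slicing or length semantics."""
    eth = ETH_DST + ETH_SRC + b"\x08\x00"                       # 14 bytes, EtherType IPv4
    if proto == "udp":
        l4 = struct.pack("!HHHH", 15000, 15000, 8 + len(payload), 0) + payload
        ip_proto = 17
    else:
        if len(tcp_options) % 4:
            raise ValueError("TCP options must be padded to a multiple of 4 bytes")
        hdr_len = 20 + len(tcp_options)
        off_flags = ((hdr_len // 4) << 12) | 0x018              # data offset in 32-bit words, PSH+ACK
        l4 = (struct.pack("!HHIIHHHH", 2722, 80, 1, 1, off_flags, 65535, 0, 0)
              + tcp_options + payload)
        ip_proto = 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, ip_proto, 0,
                     bytes([192, 168, 1, 107]), bytes([10, 175, 168, 182]))
    return eth + ip + l4


def layers(frame):
    """Return the bytes each protocol keyword covers plus the length fields Wireshark shows."""
    ihl = (frame[14] & 0x0F) * 4                                 # IPv4 header length
    ip_len = struct.unpack_from("!H", frame, 16)[0]              # IPv4 total length == ip.len
    ip_bytes = frame[14:14 + ip_len]                             # ip[...] slices start here
    l4 = ip_bytes[ihl:]                                          # tcp[...] / udp[...] slices start here
    info = {"frame.len": len(frame), "ip.len": ip_len, "eth": frame, "ip": ip_bytes}
    if ip_bytes[9] == 6:                                         # IP protocol field: TCP
        hdr = (l4[12] >> 4) * 4                                  # tcp.hdr_len from the data-offset nibble
        info.update({"tcp": l4, "tcp.hdr_len": hdr,
                     "tcp.len": len(l4) - hdr, "tcp.payload": l4[hdr:]})
    elif ip_bytes[9] == 17:                                      # IP protocol field: UDP
        info.update({"udp": l4, "udp.length": struct.unpack_from("!H", l4, 4)[0],
                     "udp.payload": l4[8:]})
    return info


# proto[i], proto[i:n], proto[i:], proto[:n], proto[i-j]  ==  colon-separated hex bytes
_SLICE = re.compile(r"^(eth|ip|tcp|udp)\[(\d*)(?:([:-])(\d*))?\]\s*==\s*"
                    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$")


def eval_slice_filter(expr, frame):
    """Evaluate a display-filter slice comparison such as 'udp[8:3] == 20:21:22'."""
    m = _SLICE.match(expr.strip())
    if not m:
        raise ValueError("unsupported expression: " + expr)
    proto, first, sep, second, hexval = m.groups()
    data = layers(frame)[proto]
    if sep is None:                                   # proto[i]: one byte
        got = data[int(first):int(first) + 1]
    elif sep == ":":                                  # offset:length, offset:, :length
        start = int(first) if first else 0
        got = data[start:start + int(second)] if second else data[start:]
    else:                                             # proto[i-j]: inclusive range
        got = data[int(first):int(second) + 1]
    return got == bytes.fromhex(hexval.replace(":", ""))


def contains(frame, proto, needle):
    """The `contains` operator: the byte string may appear anywhere in the layer."""
    return needle in layers(frame)[proto]


if __name__ == "__main__":
    udp_f = build_frame(b"\x20\x21\x22hello", proto="udp")
    tcp_f = build_frame(b"GET / HTTP/1.1\r\n")
    opts = b"\x01\x01\x08\x0a" + bytes(8)             # NOP, NOP, timestamp option: 12 bytes
    tcp_o = build_frame(b"GET / HTTP/1.1\r\n", tcp_options=opts)
    for name, f in (("udp", udp_f), ("tcp", tcp_f), ("tcp+opts", tcp_o)):
        print(name, {k: v for k, v in layers(f).items() if k.endswith(("len", "length"))})
    print("udp[8:3] == 20:21:22 ->", eval_slice_filter("udp[8:3] == 20:21:22", udp_f))
    print("tcp[20:3] == 47:45:54, no options ->", eval_slice_filter("tcp[20:3] == 47:45:54", tcp_f))
    print("tcp[20:3] == 47:45:54, 12 bytes of options ->", eval_slice_filter("tcp[20:3] == 47:45:54", tcp_o))
    print("tcp contains GET, options present ->", contains(tcp_o, "tcp", b"GET"))
```

The third print is the caveat from the example above: with a 32-byte TCP header the bytes at tcp[20:3] are option bytes, so the slice comparison fails while `contains` still finds the payload; in Wireshark you would slice tcp.payload instead, or check tcp.hdr_len first.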
9 DHCP
Note: in Wireshark versions before 3.0 the display filter keyword for DHCP is not dhcp/DHCP but bootp (3.0 renamed it to dhcp and keeps the bootp.* fields as aliases).
Take forging a DHCP server as the example. Add a rule to the display filter that shows every BOOTP reply (bootp.type == 0x02, i.e. Offer/ACK/NAK) that does not come from the legitimate DHCP server:
bootp.type==0x02 and not ip.src==192.168.1.1
Any packet that matches is a DHCP reply from an unexpected host, which is the signature of a rogue DHCP server.
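The same rogue-server check, as an added example that is not part of the original post: a Python script that parses the BOOTP fixed header and DHCP options (op, option 53 message type, option 54 server identifier) from constructed, not captured, DHCP messages and reports every reply whose source IP is not the legitimate server, which is exactly what the filter above selects in Wireshark. The legitimate server address 192.168.1.1 is taken from the article's filter; the client and rogue addresses are assumptions.

```python
import ipaddress
import struct

# Added example, not code from the original post: the rogue-DHCP check that the
# display filter `bootp.type == 0x02 and not ip.src == 192.168.1.1` performs,
# done in Python over constructed (not captured) DHCP messages. The legitimate
# server address is an assumption taken from the article's filter.
LEGIT_DHCP_SERVER = "192.168.1.1"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_NAMES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}


def build_dhcp(op, msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a BOOTP/DHCP message: 236-byte fixed header, magic cookie, options (RFC 2131/2132)."""
    siaddr = ipaddress.IPv4Address(server_id or "0.0.0.0").packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                      bytes(4), ipaddress.IPv4Address(yiaddr).packed, siaddr, bytes(4))
    hdr += bytes(16) + bytes(64) + bytes(128)          # chaddr, sname, file
    opts = b"\x35\x01" + bytes([msg_type])              # option 53: DHCP message type
    if server_id:
        opts += b"\x36\x04" + ipaddress.IPv4Address(server_id).packed   # option 54: server identifier
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload):
    """Return op (bootp.type: 1 request, 2 reply), offered address, message type and server id."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                 # end option
            break
        if code == 0:                                   # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None,
    }


def rogue_replies(packets, legit_server=LEGIT_DHCP_SERVER):
    """Every BOOTREPLY (op == 2) whose source IP is not the legitimate server.
    Malformed payloads are skipped rather than allowed to abort the sweep."""
    hits = []
    for src_ip, payload in packets:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue
        if msg["op"] == 2 and src_ip != legit_server:
            hits.append((src_ip, MSG_NAMES.get(msg["msg_type"], "unknown"),
                         msg["yiaddr"], msg["server_id"]))
    return hits


# Constructed sample traffic as (source IP, UDP payload): a client discovers, the
# real server and a rogue host both answer, and the rogue host also ACKs.
SAMPLE_PACKETS = [
    ("0.0.0.0",       build_dhcp(1, 1)),
    ("192.168.1.1",   build_dhcp(2, 2, "192.168.1.50", "192.168.1.1")),
    ("192.168.1.254", build_dhcp(2, 2, "192.168.1.50", "192.168.1.254")),
    ("192.168.1.254", build_dhcp(2, 5, "192.168.1.50", "192.168.1.254")),
]

if __name__ == "__main__":
    for hit in rogue_replies(SAMPLE_PACKETS):
        print("rogue DHCP reply from %s: %s for %s (server id %s)" % hit)
```

Filtering on the op byte rather than on message type is deliberate: it catches every kind of reply (Offer, ACK and NAK) with one test, which is why the display filter uses bootp.type rather than the option 53 field. Comparing the source IP against the server identifier option is a useful second check, since a rogue host may spoof one but rarely both.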