Capture Filters (see Wireshark User Guide, section 4.10, for details)
Many capture filter rules can be found at: http://wiki.wireshark.org/CaptureFilters.
Capture only traffic to or from IP address 172.18.5.4:
· host 172.18.5.4
Capture traffic to or from a range of IP addresses:
· net 192.168.0.0/24
or
· net 192.168.0.0 mask 255.255.255.0
Capture traffic from a range of IP addresses:
· src net 192.168.0.0/24
or
· src net 192.168.0.0 mask 255.255.255.0
Capture traffic to a range of IP addresses:
· dst net 192.168.0.0/24
or
· dst net 192.168.0.0 mask 255.255.255.0
Capture only DNS (port 53) traffic:
· port 53
Capture non-HTTP and non-SMTP traffic on your server (both forms are equivalent):
· host www.example.com and not (port 80 or port 25)
· host www.example.com and not port 80 and not port 25
Capture everything except ARP and DNS traffic:
· port not 53 and not arp
Capture traffic within a range of ports:
· (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
· tcp portrange 1501-1549
Capture only Ethernet type EAPOL:
· ether proto 0x888e
Reject Ethernet frames towards the Link Layer Discovery Protocol multicast group:
· not ether dst 01:80:c2:00:00:0e
Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower-layer protocols like ARP and STP:
· ip
Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
· not broadcast and not multicast
Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:
· dst host ff02::1
Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" works out the TCP header length in bytes. From Jefferson Ogata via the tcpdump-workers mailing list.
· port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
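The two byte-offset filters above (the port-range test and the GET test) are easier to trust once you see the arithmetic run. The following Python is an added illustration, not code from the original page or from the Wireshark wiki; it evaluates both expressions over constructed TCP segments (no real captures) and all function names are my own.

```python
import struct

def build_tcp(src_port, dst_port, options=b"", payload=b""):
    """Construct a raw TCP segment: 20-byte base header + options + payload.
    The header length in 32-bit words is stored in the high nibble of byte 12,
    which is exactly what the capture filter's tcp[12:1] & 0xf0 reads."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4          # header length in words (5..15)
    offset_flags = (data_offset << 12) | 0x18       # high nibble = data offset; flags PSH|ACK
    base = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 2000, offset_flags, 65535, 0, 0)
    return base + options + payload

def tcp_header_len(seg):
    """(tcp[12:1] & 0xf0) >> 2: the nibble is words*16, and words*16/4 = words*4 = bytes."""
    return (seg[12] & 0xF0) >> 2

def is_http_get(seg):
    """port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 ('G','E','T',' ')."""
    sport, dport = struct.unpack("!HH", seg[:4])
    if 80 not in (sport, dport):
        return False
    start = tcp_header_len(seg)                     # payload begins right after the options
    return seg[start:start + 4] == b"GET "          # bytes 47 45 54 20

def in_port_range(seg, low=1500, high=1550):
    """(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550).
    Both comparisons are strict, so this matches ports 1501..1549, the same set
    as 'tcp portrange 1501-1549'."""
    sport, dport = struct.unpack("!HH", seg[:4])
    return (low < sport < high) or (low < dport < high)

# Constructed sample segments (not captured traffic).
GET_WITH_OPTIONS = build_tcp(40000, 80,
    options=b"\x01\x01\x08\x0a" + b"\x00" * 8,      # NOP, NOP, Timestamp option: 12 bytes
    payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
GET_NO_OPTIONS = build_tcp(40001, 80, payload=b"GET /index.html HTTP/1.0\r\n\r\n")
POST_ON_80 = build_tcp(40002, 80, payload=b"POST /login HTTP/1.1\r\n\r\n")
GET_ON_8080 = build_tcp(40003, 8080, payload=b"GET / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    # A naive check at fixed offset 20 misses the GET when options are present,
    # which is why the filter has to compute the header length first.
    print("fixed offset 20 sees:", GET_WITH_OPTIONS[20:24])
    for name, seg in [("GET_WITH_OPTIONS", GET_WITH_OPTIONS), ("GET_NO_OPTIONS", GET_NO_OPTIONS),
                      ("POST_ON_80", POST_ON_80), ("GET_ON_8080", GET_ON_8080)]:
        print(f"{name}: header={tcp_header_len(seg)} bytes, GET filter matches={is_http_get(seg)}")
```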
Example 4.1. A capture filter for telnet that captures traffic to and from a particular host
· tcp port 23 and host 10.0.0.5
Example 4.2. Capturing all telnet traffic not from 10.0.0.5
· tcp port 23 and not src host 10.0.0.5
[tcp|udp] [src|dst] port <port>
[src|dst] host <host>
Display Filters (see Wireshark User Guide, section 6.8, for details):
· ip.src == 192.168.0.1 and tcp.flags.syn == 1
Filter expression | Meaning
snmp || dns || icmp | Show SNMP, DNS or ICMP packets.
ip.addr == 10.1.1.1 | Show packets whose source or destination IP address is 10.1.1.1.
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6 | Show packets whose source is not 10.1.2.3 or whose destination is not 10.4.5.6. In other words, the displayed packets will be: source IP: anything except 10.1.2.3, destination IP: any; as well as: source IP: any, destination IP: anything except 10.4.5.6.
ip.src != 10.1.2.3 and ip.dst != 10.4.5.6 | Show packets whose source is not 10.1.2.3 and whose destination is not 10.4.5.6. In other words, the displayed packets will be: source IP: anything except 10.1.2.3, and at the same time destination IP: anything except 10.4.5.6.
tcp.port == 25 | Show packets whose source or destination TCP port is 25.
tcp.dstport == 25 | Show packets whose destination TCP port is 25.
tcp.flags | Show packets that contain TCP flags.
tcp.flags.syn == 0x02 | Show packets that contain the TCP SYN flag.
If the filter syntax is correct, the expression's background turns green. If it turns red, the expression is wrong.
1. IP filters: source IP or destination IP equal to a given address
For example: ip.src == 192.168.0.208 or ip.src eq 192.168.0.208 // show packets from that source IP
ip.dst == 192.168.0.208 or ip.dst eq 192.168.0.208 // show packets to that destination IP
2. Port filters:
For example: tcp.port eq 80 // shown whether the port is the source or the destination
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only TCP destination port 80
tcp.srcport == 80 // only TCP source port 80
Filter a port range:
tcp.port >= 1 and tcp.port <= 80
3. Protocol filters:
tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
and so on.
Exclude SSL packets: !ssl or not ssl
4. Packet length filters:
For example:
udp.length == 26 // this length is the fixed 8-byte UDP header plus the UDP payload that follows it
tcp.len >= 7 // the TCP payload (the data carried beneath TCP), not including the TCP header itself
ip.len == 94 // everything except the fixed 14-byte Ethernet header counts as ip.len, i.e. from the IP header to the end
frame.len == 119 // the whole frame length, from the Ethernet header to the end
5. HTTP pattern filters:
Examples:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packets
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// response packets
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
Generated by Wireshark:
(ip.addr eq 220.181.66.92 and ip.addr eq 192.168.1.21) and (tcp.port eq 80 and tcp.port eq 2213)
References:
1. http://wiki.wireshark.org/CaptureFilters
2. Wireshark User Guide