wireshark抓包过滤器

混杂模式：开启混杂模式的网卡可以捕获所有流过该网卡的帧，不开启则只能捕获广播帧以及发给该网卡的帧。需要配合交换机端口镜像才能实现。

抓包过滤器：
1、ethernet过滤器，第二层的过滤器，根据mac地址来进行过滤
例：
ether host XX：抓取源和目的为指定的mac的以太网帧
ether dst XX：抓取目的为指定mac的以太网帧
ether src XX：抓取源为指定mac的以太网帧
ether broadcast:抓取所有以太网广播流量
ether multicast:抓取多播流量
ether proto <protocol>:抓取指定协议的以太网流量，比如以太网类型为0x0800,ether proto 0800。以太网类型指的是以太网帧帧头的ether-type字段，表示上层的协议类型。0x0800为ipv4、0x86dd为ipv6、0x0806为arp。
vlan <vlan_id>:抓取指定的vlan流量，也可以用and连接抓取多个vlan的流量，如：vlan <vlan_id> and vlan <vlan_id> and vlan <vlan_id>
要起反作用可以用!或者not，如：
! ether broadcast
not ether broadcast
2、主机和网络过滤器，第三层过滤器
ip或ipv6:抓取ipv4或ipv6流量
host <host>:抓取源或目的为指定主机名（网址）或ip的流量
dst host <host>:抓取目的为指定主机名（网址）或ip的流量
src host <host>:抓取源为指定主机名（网址）或ip的流量
gateway <host>：抓取穿越网关的流量，host必须是主机名。
net <net>:抓取源或目的为指定网络号的流量，如：net 192.168.1或net 192.168.1.0
dst net <net>:抓取目的为指定网络号的流量
src net <net>:抓取源为指定网络号的流量
net <net> mask <netmask>:抓取源或目的由net和mask共同指明的ipv4网络号的流量，ipv6流量无效。如：net 192.168.1.0 mask 255.255.255.0
dst net <net> mask <netmask>:抓取目的由net和mask共同指明的ipv4网络号的流量，ipv6流量无效。
src net <net> mask <netmask>:抓取源由net和mask共同指明的ipv4网络号的流量，ipv6流量无效。
net <net>/<len>:抓取源或目的为指定网络和长度的流量,如：net 192.168.1.0/24
dst net <net>/<len>:抓取目的为指定网络和长度的流量
src net <net>/<len>:抓取源为指定网络和长度的流量
broadcast：抓取ip广播包，通常如：ip broadcast
multicast: 抓取ip多播包
ip proto <protocol code>:抓取ip包头协议类型字段值等于特定值的数据包。如：tcp为6，udp为17，icmp为1
ip6 proto <protocol>: 抓取ipv6包头中下一个包头字段值等于特定值的ipv6数据包。无法用该原词根据ipv6扩展包头链中的相关字段值执行过滤。
icmp [icmptype]==<identifier>:抓取特定类型[icmptype]的icmp数据包，<identifier>表示的是icmp头部中的类型字段值，如，0（icmp echo reply数据包）或8（icmp echo request数据包）等。如：icmp[icmptype]==icmp-echo 或 icmp[icmptype]==8
ip[2:2]==<number>:抓取指定长度的ip数据包（number表示ip包头中的ip包总长度字段值）
ip[8]==<number>:抓取具有指定ttl的ip数据包（number表示ip包头中的ttl字段值）
ip[9]==<number>:抓取指定协议类型的ip数据包（number表示ip包头中的协议类型字段值）
ip[12:4]==ip[16:4]：表示数据包源和目的ip相同
注:中括号内的数字表示相关协议头部的内容，第一个数字指从协议头部的第几个字节开始关注，第二个数字表示所要关注的字节数。
3、tcp和udp及端口过滤，第四层
port <port>：匹配port指明的端口号,如：port 80或port http
dst port <port>:目的端口号为指定的端口号
src port <port>:源端口号为指定的端口号
tcp portrange <p1>-<p2>或udp portrange <p1>-<p2>：用来抓取端口范围介于p1和p2之间的tcp或udp数据包 
tcp src portrange <p1>-<p2>或udp dst portrange <p1>-<p2>
tcp [tcpflags] & (tcp-syn|tcp-fin)!=0：抓取tcp连接中用来发起连接（syn标记位置1）或终止连接（FIN标记位置1）的数据包
tcp [tcpflags] &(tcp-rst)!=0：抓取所有RST标记位置1的TCP数据包，RST标记位用来立刻拆除连接，PSH用来表示将数据提交给末端进程处理。
less <length>：抓取不长于指定长度的数据包，写法等价于：len <= <length>
greater <length>：抓取不短于标识符指定的长度的数据包，写法等价于：len >= <length>
tcp portrange 2000-2500:抓取端口在这个范围内的tcp数据包
tcp[13] & 0x00=0：抓取所有标记位都未置1的tcp流量（在怀疑遭遇空扫描攻击时使用）
tcp[13] & 0x01=1：抓取FIN位置1，但ACK位置0的TCP流量
tcp[13] & 0x03=3：抓取SYN和FIN位同时置1的TCP流量
tcp[13] & 0x05=5：抓取RST和FIN位同时置1的TCP流量
tcp[13] & 0x06=6：抓取SYN和RST位同时置1的TCP流量
tcp[13] & 0x08=8：抓取PSH位置1，但ACK位置0的TCP流量
//13指代TCP头部中的标记字段，‘=’号后面数字表示tcp标记位的置位情况。0表示标记位都没置1，1表示FIN位置1，但ACK位置0，1+2表示SYN和FIN位同时置1，1+4表示RST和FIN同时置1，2+4表示SYN和RST同时置1，8表示PSH位置1，但ACK置0.
4、复合过滤器
!或not
&&或and
||或or
例子：
not braodcast and not multicast 只抓单播
host www.youtube.com and port 80 抓取往来于youtube站点的http流量
tcp port 23 and host 192.180.1.1
tcp port 23 and not src host 192.168.1.1
5、配置字节偏移和净载匹配型过滤器，更加灵活
格式： proto [offset:bytes]，协议可以是ip、udp、tcp
协议 [从协议头部开始所偏移的字节数：抓包过滤器所要检查的字节数]
tcp[2:2]>50 and tcp[2:2]<100 //抓取目的端口范围为50~100的tcp数据包
tcp[14:2]<8192 //抓窗口大小字段值低于8192的tcp数据包
wireshark有字节偏移和净载匹配抓包过滤器生成工具：https://www.wireshark.org/tools/string-cf.html
也可以看这篇文章http://www.packetlevel.ch/html/txt/byte_offsets.txt
Intro
This document is meant to serve as a quick reference for points
of interest in IP, TCP, UDP and ICMP headers. I cobbled the
information from a variety of sources, all listed at the bottom
of this page. This information will (hopefully) be useful to
people building filters for network tools that use BPF, such
as tcpdump or snort. I was moved to collect all of this stuff
in one place after completing "Intrusion Detection In-Depth" 
at a recent SANS conference. Yes, I'm aware that some of these
offsets are covered by tcpdump macros. So what? Use the byte
offsets instead and let them ph33r your m@d sk1lz. Corrections,
additions and so on are welcome. Send them to:
jquinby (at) node.to
Cheers,
JQ
IP byte offsets

ip[0] & 0x0f		- protocol version
ip[0] & 0xf0		- protocol options
ip[0] & 0xff00		- internet header length
ip[1]			- TOS
ip[2:2]			- Total length
ip[4:2]			- IP identification
ip[6] & 0xa		- IP flags
ip[6:2] & 0x1fff 	- fragment offset area
ip[8]			- TTL
ip[9]			- protocol field
ip[10:2]		- header checksum
ip[12:4]		- src IP address
ip[16:4]		- dst IP address
ip[20:3]		- options
ip[24]			- padding

Src IP = Dest IP (land attack)
(ip[12:4] = ip[16:4])

IP versions !=4
(ip[0] & 0xf0 != 0x40)

IP with options set:
(ip[0:1] & 0x0f > 5)

Broadcasts to x.x.x.255:
(ip[19] = 0xff)

Broadcasts to x.x.x.0
(ip[19] = 0x00)


TCP byte offsets, including anomalous TCP flag settings.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

tcp[0:2]		- src port
tcp[2:2]		- dst port
tcp[4:4]		- seq number
tcp[8:4]		- ack number
tcp[12] & 0x00ff	- data offset
tcp[12] & 0xff00	- reserved
tcp[13]			- tcp flags

tcp[13] & 0x3f = 0	- no flags set (null packet)
tcp[13] & 0x11 = 1	- FIN set and ACK not set
tcp[13] & 0x03 = 3	- SYN set and FIN set
tcp[13] & 0x05 = 5	- RST set and FIN set
tcp[13] & 0x06 = 6	- SYN set and RST set
tcp[13] & 0x18 = 8	- PSH set and ACK not set
tcp[13] & 0x30 = 0x20	- URG set and ACK not set
tcp[13] & 0xc0 != 0	- >= one of the reserved bits of tcp[13] is set

tcp[14:2]		- window
tcp[16:2]		- checksum
tcp[18:2]		- urgent pointer
tcp[20:3]		- options
tcp[23]			- padding
tcp[24]			- data

UDP byte offsets, header only
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

udp[0:2]		- src port
udp[2:2]		- dst port
udp[4:2]		- length
udp[6:2]		- checksum
udp[8:4]		- first 4 octets of data

Crafted packets with impossible UDP lengths:
udp[4:2] < 0) or (udp[4:2] > 1500


ICMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

icmp[0]			- type
icmp[1]			- code
icmp[3:2]		- checksum

Destination Unreachable:
icmp[0] = 0x3 (3) 

icmp[4:4]		- unused (per RFC]
icmp[8:4]		- internet header + 64 bits original data
icmp[1]			- 0 = net unreachable;
			- 1 = host unreachable;
			- 2 = protocol unreachable;
			- 3 = port unreachable;
			- 4 = fragmentation needed and DF set;
			- 5 = source route failed.

Time Exceeded:
icmp[0] = 0xB (11)	

icmp[4:4]		- unused (per RFC]
icmp[8:4]		- internet header + 64 bits original data
icmp[1]			- 0 = TTL exceeded intransit
			- 1 = fragment reassembly time exceeded

Parameter Problem:
icmp[0] = 0xC (12)	

icmp[1]			- 0 = pointer indicates error
icmp[4]			- pointer 
icmp[5:3]		- unused, per RFC
icmp[8:4]		- internet header + 64 bits original data


Source Quench:
icmp[0] = 0x4 (4)

icmp[1]			- 0 = may be received by gateway or host
icmp[4:4]		- unused, per RFC
icmp[8:4]		- internet header + 64 bits original data

Redirect Message:
icmp[0] = 0x5 (5)

icmp[1]			- 0 = redirect for network
			- 1 = redirect for host
			- 2 = redirect for TOS & network
			- 3 = redirect for TOS & host
icmp[4:4]		- gateway internet address
icmp[8:4]		- internet header + 64 bits original data

Echo/Echo Reply:
icmp[0]	= 0x0 (0) (echo reply)
icmp[0]	= 0x8 (8) (echo request)

icmp[4:2]		- identifier
icmp[6:2]		- sequence number
icmp[8]			- data begins
		
Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)

icmp[1]			- 0
icmp[4:2]		- identifier
icmp[6:2]		- sequence number
icmp[8:4]		- originate timestamp
icmp[12:4]		- receive timestamp
icmp[16:4]		- transmit timestamp 

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10  (16) (info reply)

icmp[1]			- 0
icmp[4:2]		- identifier
icmp[6:2]		- sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (11) (address mask request)
icmp[0] = 0x12 (12) (address mask reply)


Sources:

RFC768, "User Datagram Protocol Specification"
RFC791, "Internet Protocol Specification"
RFC792, "Internet Control Message Protocol Specification"
RFC793, "Transmission Control Protocol"
filter files from SHADOW-1.8 source distribution
man pages for tcpdump
"TCP/IP and tcpdump Pocket Reference Guide", SANS