004_wireshark专题

一、常用的wireshark搜索语法

(1)

http.request.uri contains "admin/activities"       #搜索URL包含"admin/activities"的链接

(2)wireshark协议分析

http://blog.csdn.net/ahafg/article/details/51039584 

二、过滤http中包含指定header头的内容

tcpdump -i bind0 and host 192.168.1.1 -w analyze.pcap                                        #先用tcpdump捕获,然后再用wireshark打开

http contains "www.uuwatch.me" and http contains "pizza" and http contains "x-shard: "       #搜寻域名为"www.uuwatch.me"且http的header头中包含"x-shard: "的http请求,效果如下图所示

Reference:https://osqa-ask.wireshark.org/questions/11809/how-to-filter-from-field-in-http-header

三、或和and过滤语法的使用

下图"ssl||http2"表示过滤ssl或http2的协议的包

 下图中的"ip.addr == 118.25.101.120&&(ssl||http2)"表示过滤ip地址是118.25.101.120且协议为(ssl或http2)的包

四、选择任何你想过滤的包的字段,右键"Apply as Filter"->"Selected"(也可选择其它几种)即可,这里为"frame.number == 5246"的过滤语句.通过这种方式来实现自定义过滤.

 

五、http过滤语法官方文档

(1)https://www.wireshark.org/docs/dfref/h/http.html