A Wireshark display filter selects which of the captured packets are shown: only packets that match the filter expression appear in the packet list, the rest are hidden but remain in the capture. Display filters are used far more often than capture filters. The usual workflow is to capture without any restriction, so that every packet is recorded, and then narrow the view down to the packets of interest with a display filter. This is safer than a tight capture filter, because a packet that a capture filter drops is gone for good, whereas a display filter can be changed or cleared at any time.
There are two ways to build a display filter:
Dialog mode
Text expression mode
Dialog mode
This method is very simple: you click through the filter rule you need instead of typing it. Open Analyze -> Display Filter Expression.
The box on the left lists every available protocol and field. Select the field to filter on, then select the relation (equal, greater than, and so on), and finally fill in the value; the display filter is then complete and can be applied to the packet list.
Text expression display filters
The dialog box is fine for novices, but after using Wireshark for a while you will know the display filter rules well enough to type the expression directly into the filter bar. Some common display filters are demonstrated below:
Protocol restriction
Used to restrict the display to a given protocol, such as http, ssh, tcp and so on. A bare protocol name matches every packet in which that protocol is present.
Only display HTTP packets
http
Display HTTP or SSH packets
http or ssh
Restricting by IP address and port
IP address and port are the most commonly used filter conditions. Unlike a capture filter, which uses BPF syntax such as host 192.168.110.145, a display filter names the protocol field and compares it to a value, for example ip.addr == ip address.
Restrict to an IP address (ip.addr matches packets where the address is either the source or the destination):
ip.addr == 192.168.110.145
To exclude a host, negate the whole comparison, !(ip.addr == 192.168.110.145), rather than writing ip.addr != 192.168.110.145: because ip.addr holds both the source and the destination address, the != form did not reliably exclude the host in older Wireshark releases, while the negated form means the same thing in every version.
Restricting by packet size (frames longer than 128 bytes)
frame.len > 128
Common comparison operators are (the C-style form and the spelled-out form are interchangeable):
== (eq) equal
!= (ne) not equal
> (gt) greater than
< (lt) less than
>= (ge) greater than or equal
<= (le) less than or equal
Conditions can be combined, for example to show only frames longer than 128 bytes that involve a given host:
frame.len > 128 and ip.addr == 192.168.110.145
Common logical operators are:
and (&&)
or (||)
not (!)
Parentheses group sub-expressions. Restricting by port works the same way as by address; tcp.port matches either the source or the destination port:
tcp.port==80
Finally, some common display filter expressions:
!arp    exclude ARP packets
http    show only HTTP packets
!tcp.port==80    exclude packets on TCP port 80 (HTTP)
tcp.port==21 or tcp.port==22    FTP or SSH
tcp.flags.syn==1    TCP packets with the SYN flag set
tcp.flags.rst==1    TCP packets with the RST flag set
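To make the semantics of the text expressions above concrete, here is an added example: a small Python evaluator for the subset of display-filter syntax used in this article (bare protocol tests, the comparison and logical operators, parentheses), run over a constructed summary of six frames. It is my own illustration, not Wireshark's code and not part of the original article. The packets, addresses, ports and frame numbers are constructed for the example; the one rule worth noticing is that a comparison on a field that occurs more than once in a packet (ip.addr covers both addresses, tcp.port both ports) is true when any occurrence matches, which is why !tcp.port==80 and !(ip.addr == x) are the right way to exclude traffic. The != operator is deliberately not implemented here, so that the negated form is the only way to express exclusion.

```python
"""Toy evaluator for the subset of Wireshark display-filter syntax used in this
article (an added example, not Wireshark's code). A packet is a dict; a field
that occurs more than once (ip.addr = src and dst, tcp.port = both ports) holds
a list of every occurrence, which gives the "any occurrence matches" semantics."""
import operator
import re

# Longer operators first so ">=" is not split into ">" "="; then names, ints, dotted IPv4.
TOKEN_RE = re.compile(r"\(|\)|==|>=|<=|>|<|&&|\|\||!|[A-Za-z_][\w.]*|\d+(?:\.\d+){0,3}")
COMPARE = {"==": operator.eq, ">": operator.gt, "<": operator.lt,
           ">=": operator.ge, "<=": operator.le}
AND, OR, NOT = {"and", "&&"}, {"or", "||"}, {"not", "!"}  # both spellings are valid

def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != "".join(expr.split()):  # anything findall skipped is junk
        raise ValueError(f"unrecognised input in {expr!r}")
    return tokens

def parse(expr):
    """Recursive descent; precedence, lowest first: or, and, not, comparison."""
    toks, pos = tokenize(expr), 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None
    def binary(ops, operand):
        node = operand()
        while peek() in ops:
            node = (take(), node, operand())
        return node
    def or_level():
        return binary(OR, lambda: binary(AND, not_level))
    def not_level():
        if peek() in NOT:  # "!tcp.port==80" negates the whole comparison
            take()
            return ("not", not_level())
        return comparison()
    def comparison():
        if peek() == "(":
            take()
            node = or_level()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        field = take()
        if not re.fullmatch(r"[A-Za-z_][\w.]*", field or ""):
            raise ValueError(f"expected a field name, got {field!r}")
        if peek() not in COMPARE:
            return ("has", field)  # bare name: the field or protocol is present
        op, value = take(), take()
        if value is None:
            raise ValueError(f"missing value after {op!r}")
        return ("cmp", field, op, int(value) if value.isdigit() else value)
    node = or_level()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node

def field_values(pkt, name):
    """Every occurrence of a field; a protocol name counts as a present field."""
    return [True] if name in pkt["protocols"] else pkt.get(name, [])

def evaluate(node, pkt):
    kind = node[0]
    if kind == "has":
        return bool(field_values(pkt, node[1]))
    if kind == "cmp":  # true if ANY occurrence of the field satisfies the comparison
        _, field, op, value = node
        return any(type(v) is type(value) and COMPARE[op](v, value)
                   for v in field_values(pkt, field))
    if kind == "not":
        return not evaluate(node[1], pkt)
    a, b = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return a and b if kind in AND else a or b

def packet(number, protocols, length, src=None, dst=None, sport=None, dport=None, syn=0, rst=0):
    pkt = {"frame.number": [number], "protocols": set(protocols), "frame.len": [length]}
    if "ip" in protocols:
        pkt["ip.addr"] = [src, dst]
    if "tcp" in protocols:
        pkt.update({"tcp.port": [sport, dport], "tcp.flags.syn": [syn], "tcp.flags.rst": [rst]})
    return pkt

# Constructed capture summary for illustration, not a real trace.
CAPTURE = [
    packet(1, ["eth", "arp"], 42),
    packet(2, ["eth", "ip", "tcp"], 74, "192.168.110.145", "10.0.0.5", 51234, 80, syn=1),
    packet(3, ["eth", "ip", "tcp", "http"], 310, "192.168.110.145", "10.0.0.5", 51234, 80),
    packet(4, ["eth", "ip", "tcp", "ssh"], 130, "192.168.110.200", "10.0.0.5", 45000, 22),
    packet(5, ["eth", "ip", "tcp"], 54, "10.0.0.5", "192.168.110.145", 80, 51234, rst=1),
    packet(6, ["eth", "ip", "tcp", "ftp"], 98, "192.168.110.200", "10.0.0.5", 45100, 21),
]

def apply_filter(expr, packets=CAPTURE):
    """Frame numbers (Wireshark's No. column) of the packets the filter keeps."""
    tree = parse(expr)
    return [pkt["frame.number"][0] for pkt in packets if evaluate(tree, pkt)]
```

Calling apply_filter("!tcp.port==80") on the constructed capture returns frames 1, 4 and 6, while apply_filter("tcp.port==80") returns 2, 3 and 5: the SYN, the HTTP request and the server's RST all involve port 80 on one side or the other, which is exactly the multi-valued matching that real Wireshark applies to ip.addr and tcp.port.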