What are the wireshark filtering rules?

Wireshark filtering rules: 1. IP filtering, including source IP or destination IP equal to a certain IP; 2. Port filtering; 3. Protocol filtering tcp; 4. Packet length filtering; 5. http mode filtering.

The operating environment of this tutorial: Windows 7 system, Dell G3 computer.

wireshark filtering rules:

1. IP filtering: including source IP or target IP equal to a certain IP

For example: ip.src addr==192.168.0.208 or ip.src addr eq 192.168.0.208 Display source IP

ip.dst addr==192.168.0.208 or ip.dst addr eq 192.168 .0.208 Display the target IP

2. Port filtering:

For example: tcp.port eq 80 // Regardless of whether the port is the source or the destination,

is displayed

tcp.port == 80

tcp.port eq 2722

tcp.port eq 80 or udp.port eq 80

tcp.dstport == 80 / / Only display the target port 80 of the tcp protocol

tcp.srcport == 80 // Only display the source port 80 of the tcp protocol

Filter port range

tcp.port > ;= 1 and tcp.port <= 80

3. Protocol filtering: tcp

udp

arp

icmp

http

smtp

ftp

dns

msnms

ip

ssl

Wait

Exclude ssl packets, such as !ssl or not ssl

4. Packet length filtering:

For example:

udp.length == 26 This length refers to the fixed length of udp itself 8 plus the sum of the data packet below udp

tcp.len >= 7 refers to the ip data packet ( The piece of data below tcp), excluding tcp itself

ip.len == 94 Except for the fixed length of the Ethernet header 14, everything else is considered ip.len, that is, from the ip itself to the end

frame.len == 119 The entire packet length, from the beginning to the end of eth

5. http mode filtering:

Example:

http.request.method == “GET”
http.request.method == “POST”
http.request.uri == “/img/logo-edu.gif”
http contains “GET”
http contains “HTTP/1.”
// GET包包含某头字段
http.request.method == “GET” && http contains “Host: ”
http.request.method == “GET” && http contains “User-Agent: ”
// POST包包含某头字段
http.request.method == “POST” && http contains “Host: ”
http.request.method == “POST” && http contains “User-Agent: ”
// 响应包包含某头字段
http contains “HTTP/1.1 200 OK” && http contains “Content-Type: ”
http contains “HTTP/1.0 200 OK” && http contains “Content-Type: ”

6. Connector and / or

7. Expression: !(arp.src==192.168.1.1) and !(arp.dst.proto_ipv4==192.168.1.243 )

8. Expert.message is used to filter info information, mainly used with contains

Related free learning recommendations : php programming(Video)

The above is the detailed content of What are the wireshark filtering rules?. For more information, please follow other related articles on the PHP Chinese website!