Wireshark filtering rules: 1. IP filtering, including source IP or destination IP equal to a certain IP; 2. port filtering; 3. protocol filtering (tcp and other protocols); 4. packet length filtering; 5. http mode filtering.
The operating environment of this tutorial: Windows 7 system, Dell G3 computer.
Wireshark filtering rules:
1. IP filtering: including source IP or destination IP equal to a certain IP
For example: ip.src == 192.168.0.208 or ip.src eq 192.168.0.208 displays packets with that source IP
ip.dst == 192.168.0.208 or ip.dst eq 192.168.0.208 displays packets with that destination IP
2. Port filtering:
For example: tcp.port eq 80 // matches port 80 whether it is the source or the destination port
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // only display tcp packets with destination port 80
tcp.srcport == 80 // only display tcp packets with source port 80
Filter a port range:
tcp.port >= 1 and tcp.port <= 80
3. Protocol filtering: tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
etc.
Exclude ssl packets, for example: !ssl or not ssl
4. Packet length filtering:
For example:
udp.length == 26 This length is the fixed 8-byte udp header plus the data carried below udp
tcp.len >= 7 This refers to the data carried below tcp (the tcp payload), excluding the tcp header itself
ip.len == 94 Everything except the fixed 14-byte Ethernet header counts as ip.len, that is, from the ip header to the end of the packet
frame.len == 119 The entire packet length, from the start of the Ethernet frame to the end
5. http mode filtering:
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packets containing a certain header field
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST packets containing a certain header field
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// Response packets containing a certain header field
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
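The filters in sections 1, 2, 4 and 5 compare against field values that Wireshark derives by dissecting each frame. The following is an added example written for this page (it is not code from the original tutorial or from the Wireshark project): it constructs two sample frames, an HTTP GET over TCP and a DNS query over UDP, dissects them into the same field names used above, and shows where frame.len, ip.len, tcp.len and udp.length come from. The MAC addresses, IP addresses, ports and payloads are made-up sample values.

```python
# Added example, not part of the original tutorial: build two constructed
# frames (an HTTP GET over TCP and a DNS query over UDP), dissect them into
# the Wireshark field names used above, and evaluate a few of the tutorial's
# filters against the result. Addresses, ports and payloads are made up.
import struct

# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"

HTTP_GET = (b"GET /img/logo-edu.gif HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: constructed-sample/1.0\r\n\r\n")
# Constructed DNS query for example.com, type A (12-byte header + question section).
DNS_QUERY = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"


def ipv4_header(src, dst, proto, payload_len):
    # Version 4, IHL 5 (20 bytes), no options; checksum left as 0 (not validated here).
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    # Data offset 5 (20-byte header, no options), flags PSH|ACK, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    # udp.length is the 8-byte header plus the payload.
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_tcp_frame(src, dst, sport, dport, payload):
    return ETH + ipv4_header(src, dst, 6, 20 + len(payload)) + tcp_header(sport, dport) + payload


def build_udp_frame(src, dst, sport, dport, payload):
    return ETH + ipv4_header(src, dst, 17, 8 + len(payload)) + udp_header(sport, dport, len(payload)) + payload


def dissect(frame):
    """Return a dict keyed by Wireshark-style field names for one Ethernet/IPv4 frame."""
    f = {"frame.len": len(frame)}                 # whole frame, Ethernet header included
    ip = frame[14:]                               # ip.len starts after the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    f["ip.len"] = struct.unpack("!H", ip[2:4])[0]
    f["ip.src"] = ".".join(map(str, ip[12:16]))
    f["ip.dst"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:f["ip.len"]]
    if ip[9] == 6:                                # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        f.update({"tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.len": len(l4) - doff})     # tcp.len = payload only, header excluded
        payload = l4[doff:]
        if payload.startswith((b"GET ", b"POST ", b"HTTP/1.")):
            f["http"] = payload                   # what "http contains ..." searches
            line = payload.split(b"\r\n", 1)[0].decode()
            if not line.startswith("HTTP/"):
                f["http.request.method"], f["http.request.uri"], _ = line.split(" ", 2)
    elif ip[9] == 17:                             # UDP
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        f.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen})
    return f


# Predicates mirroring filters from the tutorial.
def tcp_port_eq(f, port):
    # tcp.port == N matches the port in either direction.
    return port in (f.get("tcp.srcport"), f.get("tcp.dstport"))


def http_get_with_host(f):
    # http.request.method == "GET" && http contains "Host: "
    return f.get("http.request.method") == "GET" and b"Host: " in f.get("http", b"")


def demo():
    get = dissect(build_tcp_frame("192.168.0.208", "192.0.2.10", 51234, 80, HTTP_GET))
    dns = dissect(build_udp_frame("192.168.0.208", "192.168.0.1", 40000, 53, DNS_QUERY))
    return get, dns


if __name__ == "__main__":
    for name, fields in zip(("HTTP GET", "DNS query"), demo()):
        print(name, {k: v for k, v in fields.items() if k != "http"})
```

Running it prints the dissected fields of both frames. The arithmetic matches section 4: for the GET frame tcp.len is the 93-byte request body, ip.len adds the 20-byte IP and 20-byte TCP headers, and frame.len adds the 14-byte Ethernet header on top; for the DNS frame udp.length is 8 plus the 29-byte query.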
6. Connectors: and / or (also written as && / ||)
7. Expression: !(arp.src.proto_ipv4==192.168.1.1) and !(arp.dst.proto_ipv4==192.168.1.243)
8. expert.message is used to filter on the expert info message text, mainly used together with contains
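To show how the connectors and expressions of sections 6 and 7 combine, here is an added example (not from the original tutorial, and not Wireshark's own filter engine) that parses the filter syntax used on this page into a small expression tree and evaluates it against constructed field dictionaries. GET_PACKET and ARP_PACKET and all their values are assumptions made up for the demo; the field names (ssl, tcp.port, arp.src.proto_ipv4 and so on) are used exactly as on the page.

```python
# Added example, not part of the original tutorial: a small evaluator for the
# display-filter syntax shown on this page (and/&&, or/||, not/!, parentheses,
# ==/eq and the other comparison keywords, contains, and a bare protocol name
# meaning "that protocol is present"), run against constructed field
# dictionaries rather than live packets.
import operator
import re

# One token per match: ( ) "string" operator identifier number-or-IPv4
TOKEN = re.compile(r'\s*(?:(\()|(\))|("[^"]*")|(&&|\|\||==|!=|>=|<=|>|<|!)'
                   r'|([A-Za-z_][\w.]*)|(\d+(?:\.\d+)*))')
# Wireshark accepts both the symbolic and the keyword spelling of each comparison.
BINARY = {"==": "eq", "eq": "eq", "!=": "ne", "ne": "ne", ">=": "ge", "ge": "ge",
          "<=": "le", "le": "le", ">": "gt", "gt": "gt", "<": "lt", "lt": "lt",
          "contains": "contains"}
COMPARE = {"eq": operator.eq, "ne": operator.ne, "ge": operator.ge,
           "le": operator.le, "gt": operator.gt, "lt": operator.lt}

def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        toks.append(m.group(m.lastindex))
        pos = m.end()
    return toks

def literal(tok):
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok) if tok.isdigit() else tok          # IPv4 literals stay strings

class Parser:
    # Recursive descent with the usual precedence: ! binds tightest, then and, then or.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def expr(self):                                    # or-level
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                                    # and-level
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok in ("not", "!"):
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in BINARY:                      # field <op> value
            return (BINARY[self.take()], tok, literal(self.take()))
        return ("present", tok)                        # bare protocol or field name

def evaluate(node, fields):
    op = node[0]
    if op == "present":
        return node[1] in fields
    if op == "not":
        return not evaluate(node[1], fields)
    if op in ("and", "or"):
        left, right = evaluate(node[1], fields), evaluate(node[2], fields)
        return (left and right) if op == "and" else (left or right)
    name, wanted = node[1], node[2]
    if name not in fields:                             # comparing an absent field is false
        return False
    actual = fields[name]
    values = actual if isinstance(actual, (list, tuple)) else (actual,)   # tcp.port has two
    if op == "contains":
        return any(str(wanted) in str(v) for v in values)
    return any(COMPARE[op](v, wanted) for v in values)

def matches(filter_text, fields):
    return evaluate(Parser(tokenize(filter_text)).expr(), fields)

# Constructed field sets for two packets; every value here is invented for the demo.
GET_PACKET = {"frame.len": 147, "ip": True, "ip.src": "192.168.0.208", "ip.dst": "192.0.2.10",
              "tcp": True, "tcp.port": [51234, 80], "tcp.srcport": 51234, "tcp.dstport": 80,
              "tcp.len": 93, "http.request.method": "GET", "http.request.uri": "/img/logo-edu.gif",
              "http": "GET /img/logo-edu.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"}
ARP_PACKET = {"frame.len": 42, "arp": True,
              "arp.src.proto_ipv4": "192.168.1.1", "arp.dst.proto_ipv4": "192.168.1.243"}
```

A call such as `matches("tcp.port >= 1 and tcp.port <= 80", GET_PACKET)` returns True because tcp.port carries both ports and any occurrence may satisfy each comparison, which is why a range filter written this way also matches a packet whose other port is outside the range. This toy treats every comparison as "any occurrence matches"; the real Wireshark semantics of `!=` on fields that occur more than once have changed across versions, so check the release you run before relying on it.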