Wireshark packet capture

   Wireshark is a very good packet capture tool.
   But if you capture with Wireshark without configuring a filter, finding the packets you actually need will probably take half a day.
   Fortunately Wireshark ships with excellent documentation, which covers almost every problem.
   If you are going to capture with Wireshark, I strongly recommend reading http://wiki.wireshark.org/CaptureFilters
   Below is part of that page; its value is already obvious.
Quote

Examples

Capture only traffic to or from IP address 172.18.5.4:
host 172.18.5.4

Capture traffic to or from a range of IP addresses:
net 192.168.0.0/24
or
net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:
src net 192.168.0.0/24
or
src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:
dst net 192.168.0.0/24
or
dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS (port 53) traffic:
port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):
host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25

Capture except all ARP and DNS traffic:
port not 53 and not arp

Capture traffic within a range of ports
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549

Capture only Ethernet type EAPOL:
ether proto 0x888e

Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:
not ether dst 01:80:c2:00:00:0e

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:
ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:
not broadcast and not multicast

Capture IPv6 "all nodes" (router and neighbor advertisement) traffic. Can be used to find rogue RAs:
dst host ff02::1

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

Useful Filters

Blaster and Welchia are RPC worms. (Does anyone have better links, i.e. ones that describe or show the actual payload?)

Blaster worm:
dst port 135 and tcp port 135 and ip[2:2]==48

Welchia worm:
icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA
The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). It is the signature of the welchia worm just before it tries to compromise a system.
Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.

dst port 135 or dst port 445 or dst port 1433  and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24

For the HTTP GET capture filter, the official documentation does not explain the expression in detail, so here is a short explanation as supplementary material.

To understand what this expression ( tcp[((tcp[12:1] & 0xf0) >> 2):4] ) does, you need some familiarity with the TCP segment format.





Because of how TCP is designed, the header contains an options field that may or may not be present, so the TCP header length is not fixed. When the options field is empty, the header is 20 bytes.
So if we want to locate the data portion, we need to know the header length. The header contains a header-length field (data offset) that states it.
As the figure above shows, we must skip 12 bytes to reach the header-length field.
The header-length field is 4 bits wide and gives the TCP header length in units of 32-bit words.
So tcp[12:1] reads the byte containing the header-length field; because the field is only the upper 4 bits of that byte, it is masked with & 0xf0. It is then shifted right by 2 rather than by 4 because the field counts 32-bit words: shifting right by 4 would give the length in words, and multiplying by 4 (shifting left by 2) converts that to bytes, so the net shift is 2 to the right.
Once we have the header length we know where the HTTP data begins, and the rest should be clear to everyone, so I will not belabor it.
Similarly, we can write an expression that captures HTTP POST requests:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 (just replace GET with POST)
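To make the byte arithmetic concrete, here is an added Python example (not code from the original post or the Wireshark wiki) that applies the same offset expression and 4-byte compare to constructed TCP segments, with and without options, and derives the filter constant from the method bytes; the segment builder and sample payloads are constructed for this example.

```python
import struct

# Offsets in the wiki filter (tcp[12:1], tcp[hdrlen:4]) are relative to the
# start of the TCP header, so the constructed segments below start there too.

def method_word(method: bytes) -> int:
    """Turn the first 4 bytes of a request line into the filter's constant."""
    if len(method) != 4:
        raise ValueError("the filter compares exactly 4 bytes (e.g. b'GET ' or b'POST')")
    return int.from_bytes(method, "big")   # b"GET " -> 0x47455420

def capture_filter(method: bytes, port: int = 80) -> str:
    """Build the capture filter string for an HTTP method on the given port."""
    return f"port {port} and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x{method_word(method):08x}"

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample: a 20-byte TCP header, optional options, then payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = (20 + len(options)) // 4
    # Byte 12: upper 4 bits = data offset in 32-bit words, lower 4 bits reserved.
    offset_byte = data_offset_words << 4
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,           # source port, destination port
                         1, 1,                # sequence, acknowledgement numbers
                         offset_byte, 0x18,   # data offset byte, flags (PSH|ACK)
                         65535, 0, 0)         # window, checksum (left 0), urgent pointer
    return header + options + payload

def tcp_header_length(segment: bytes) -> int:
    """Same as (tcp[12:1] & 0xf0) >> 2: header length in bytes."""
    return (segment[12] & 0xF0) >> 2

def filter_matches(segment: bytes, method: bytes) -> bool:
    """Same as tcp[hdrlen:4] = <constant>: compare the 4 bytes right after the header."""
    off = tcp_header_length(segment)
    if len(segment) < off + 4:
        return False   # no 4 payload bytes to compare, so the filter cannot match
    return int.from_bytes(segment[off:off + 4], "big") == method_word(method)

if __name__ == "__main__":
    print(capture_filter(b"POST"))
    seg = build_tcp_segment(b"GET / HTTP/1.1\r\n", options=b"\x01" * 12)  # 12 NOP options
    print(tcp_header_length(seg), filter_matches(seg, b"GET "))
```

A fixed offset such as tcp[20:4] would miss the request in the segment with options, which is why the filter computes the header length first.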


Reposted from peng-wp.iteye.com/blog/1222521