Wireshark penetration study notes (1)

1.1 Berkeley filter

Syntax rules:

1. type represents the object being matched, such as an IP address, subnet or port
2. dir indicates the direction of packet transmission: source address src, destination address dst
3. proto represents the protocol the packet must match, such as ether, ip, tcp, arp

If you want to filter out the packets whose destination address or source address is 192.168.1.1, enter ip.addr == 192.168.1.1 in the filter, then click the arrow on the right.

PS: There must be two equal signs. A single equal sign is a syntax error.

You then get all the packets whose destination address or source address is 192.168.1.1.


If you want to filter out only the packets with source address 192.168.1.1, the same syntax rules give ip.src == 192.168.1.1; enter it in the filter and click the arrow on the right. The result is shown below.


In the same way, to filter out the packets whose destination address is 192.168.1.1, enter ip.dst == 192.168.1.1.

From the above, we can conclude:

Filter by IP address (source or destination): ip.addr == IP address

Filter by source IP address: ip.src == IP address

Filter by destination IP address: ip.dst == IP address

Now that I can filter by IP address, I also want to see more detail: which packets are coming in and going out of a TCP port. To see which packets have gone through port 80, enter the rule tcp.port == 80 in the filter, and all packets passing through port 80 are filtered out.

But I found that this matches port 80 as the source port as well as port 80 as the destination port. I also want to filter out the packets with source address 192.168.1.1, so enter the rule tcp.port == 80 || ip.src == 192.168.1.1 in the filter.

The || symbol can be used to connect two rules.

1.2 Capture filter

The capture filter is set before capturing begins. Once it is set and capture starts, only packets matching the rules are captured; packets outside the rules are never captured at all. The capture filter follows the Berkeley filter rules.

Before starting to capture, click the Capture option button in the upper left corner to set what is to be captured.

A green filter bar means the syntax is valid; red means a syntax error, and the filter is not accepted.

PS: The capture filter does not support CIDR notation or writing a hostname directly.

1.3 Display filter

The display filter bar is shown below.

The display filter supports hostnames and CIDR notation. An expression has the form field + operator + value, and the logical operators && (and), || (or) and ! (not) connect rules together.
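As an added example (not part of the original post), here is a small Python evaluator that applies the display-filter expressions of sections 1.1 and 1.3 (field == value, joined with &&, || and !) to constructed sample frames. It models ip.addr and tcp.port matching in either direction, as the post observes, and rejects a single = as the syntax error the post warns about. The frames, the dict-key field names and the parser itself are assumptions of this example, not Wireshark's own code.

```python
import re
# Constructed sample frames (not from the post), one dict of decoded field values each.
PACKETS = [
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "tcp.srcport": "51000", "tcp.dstport": "80"},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.1", "tcp.srcport": "80", "tcp.dstport": "51000"},
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.9", "tcp.srcport": "51001", "tcp.dstport": "443"},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.8", "tcp.srcport": "40000", "tcp.dstport": "80"},
]
# Fields that match in either direction, as the post observes for ip.addr and tcp.port.
EITHER_DIRECTION = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
# Only the operators the post uses (==, &&, || and !), parsed with precedence ! > && > ||.
TOKEN = re.compile(r"\s*(==|&&|\|\||!|[\w.]+)")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:  # a lone '=' lands here: the syntax error the post warns about
            raise ValueError(f"bad syntax near {expr[pos:]!r}")
        tokens.append(m.group(1)); pos = m.end()
    return tokens

def parse_or(tokens, pkt):
    result = parse_and(tokens, pkt)
    while tokens[:1] == ["||"]:
        tokens.pop(0); rhs = parse_and(tokens, pkt); result = result or rhs
    return result

def parse_and(tokens, pkt):
    result = parse_not(tokens, pkt)
    while tokens[:1] == ["&&"]:
        tokens.pop(0); rhs = parse_not(tokens, pkt); result = result and rhs
    return result

def parse_not(tokens, pkt):
    if tokens[:1] == ["!"]:
        tokens.pop(0); return not parse_not(tokens, pkt)
    if len(tokens) < 3 or tokens[1] != "==":
        raise ValueError("expected: field == value")
    field, _, value = tokens.pop(0), tokens.pop(0), tokens.pop(0)
    keys = EITHER_DIRECTION.get(field, (field,))  # ip.addr checks both src and dst
    return any(pkt.get(k) == value for k in keys)

def apply_filter(expr, packets=PACKETS):
    """Indices of the frames the display filter keeps; ValueError on bad syntax."""
    kept = []
    for i, pkt in enumerate(packets):
        tokens = tokenize(expr); result = parse_or(tokens, pkt)
        if tokens: raise ValueError(f"unexpected {tokens[0]!r}")
        if result: kept.append(i)
    return kept
```

Frame 3 (source 10.0.0.7, destination port 80) shows why the || rule from section 1.1 also keeps packets that do not come from 192.168.1.1: with || either side matching is enough, whereas && would keep only frame 0.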


Origin blog.csdn.net/LvanFu/article/details/108150875