Wireshark capture filter

Table of Contents

01. Introduction

02. BPF syntax

03. Filter examples


In the previous article " How do I use the wireshark software ", I introduced Wireshark and mentioned both the display filter and the capture filter, but focused on the display filter. This article is mainly about the capture filter.

The difference between the two is summarised again here; readers who want the details of display filters should see the article " How do I use the wireshark software ".

  1. Capture filter: applied while packets are being captured. Only packets that match the given inclusion/exclusion expression are captured; everything else is discarded before it reaches Wireshark and is never written to the capture file.

  2. Display filter: applied to a set of packets that has already been captured. According to the given expression it hides the packets you do not want to see, or shows only the ones you need, without removing anything from the capture.

01. Introduction

First, why a capture filter is needed at all. Suppose a TCP server listens on port 5005 and a client (a device belonging to another company) stays connected for a few days, then the connection suddenly drops. It is not clear whether the server kicked the client off or the client disconnected on its own.

Of course, adding logging to the server would reveal the "culprit". But if the other party's device disconnected on its own and the other party does not cooperate, they may simply "not trust your logs". In that case, capture the traffic with Wireshark, find the FIN sent by the other party's device (the TCP client), and you have evidence they cannot argue with.

In the article " How do I use wireshark software " I also described a solution for this scenario: a display filter combined with periodic saving. But over several days of capturing, the capture files become very large. A capture filter solves this problem, because packets that do not match are never written to disk. (For a capture that runs for days it is also worth enabling a ring buffer under Capture Options so the files stay bounded.)

How to use a capture filter

1. Select Capture -> Capture Filters..., and add a new capture filter: the name is "port5005" (choose any name you like) and the filter expression is "port 5005". Note the space: "port5005" written as one word is not valid BPF syntax, because the qualifier (port) and the ID (5005) must be separate tokens.

image

2. In the start screen, select the network interface, then click the capture filter field (② in the figure) and choose the capture filter created in the previous step.

image

3. Start capturing

With the capture filter selected, double-click the network interface, as shown in the figure below, to start capturing. Only packets matching "port 5005" will appear in the packet list and be saved. (The same expression can be given to tshark or dumpcap with -f "port 5005".)

image

02. BPF syntax

Capture filters are compiled and applied by the capture library (libpcap on Unix-like systems, WinPcap or its successor Npcap on Windows) and use Berkeley Packet Filter (BPF) syntax. The same syntax is used by many packet sniffers, because most of them rely on libpcap/WinPcap, which implements BPF. Mastering BPF syntax is essential if you want to examine the network at the packet level.

A filter written in BPF syntax is called an expression. An expression consists of one or more primitives, and each primitive consists of one or more qualifiers followed by an ID (a name or number). There are three kinds of qualifier: type (host, net, port, portrange), dir (src, dst) and proto (for example ip, tcp, udp, icmp). In src host 192.168.0.10, for instance, src is a dir qualifier, host is a type qualifier and 192.168.0.10 is the ID. If the type qualifier is omitted, host is assumed; if the dir qualifier is omitted, "src or dst" is assumed. For example:

image

BPF syntax also supports the following logical operators, which combine primitives into more advanced expressions:

  1. Concatenation (conjunction): and (&&)

  2. Alternation: or (||)

  3. Negation: not (!)

Negation has the highest precedence. and and or have equal precedence and associate left to right, so "a or b and c" means "(a or b) and c"; use parentheses whenever an expression mixes the two.

for example:

src 192.168.0.10 && port 5005

The expression above captures only traffic whose source address is 192.168.0.10 and whose source or destination port is 5005 (src with no type qualifier means src host; port with no dir qualifier matches either end of the connection).

03. Filter examples

Common filter examples

image

Note the flexible use of the logical operators described above; because and and or have equal precedence in BPF, put parentheses around the part you want evaluated first.
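Since the table of common examples only survives as an image, here is an added example, written for this article and not taken from Wireshark or libpcap, that models the rules from section 02 (qualifier defaults and the and/or/not operators) and runs the usual expressions against a few constructed packets. It supports only the host, net and port type qualifiers, the src/dst dir qualifiers and the ip/tcp/udp/icmp proto qualifiers; the packet fields, the sample traffic and the CIDR-without-net shorthand are assumptions of this example, not libpcap behaviour.

```python
# Toy evaluator for the BPF capture-filter subset used in this article (added example, not
# libpcap/Wireshark code). libpcap compiles an expression to BPF bytecode that the kernel runs
# on every packet; this walks a small AST over constructed packets instead, so the qualifier
# defaults and the operator precedence can be checked without a live capture.
import ipaddress
import re
from collections import namedtuple

PROTO_Q = {"ip", "tcp", "udp", "icmp"}  # proto qualifiers; "ip" matches any IPv4 packet
DIR_Q = {"src", "dst"}                   # dir qualifiers; default is "src or dst"
TYPE_Q = {"host", "net", "port"}         # type qualifiers; default is "host"
KEYWORDS = PROTO_Q | DIR_Q | TYPE_Q | {"and", "or", "not", "&&", "||", "!", "(", ")"}
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # ports 0 for ICMP

class _Parser:
    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|&&|\|\||!|[^\s()|&!]+", expr)

    def peek(self):
        return self.toks[0] if self.toks else None

    def expr(self):
        # pcap-filter(7): "and" and "or" have EQUAL precedence and associate left to right,
        # so "a or b and c" means "(a or b) and c"; only "not" binds tighter than both.
        left = self.unary()
        while self.peek() in ("and", "&&", "or", "||"):
            op = "and" if self.toks.pop(0) in ("and", "&&") else "or"
            left = (op, left, self.unary())
        return left

    def unary(self):
        if self.peek() in ("not", "!"):
            self.toks.pop(0)
            return ("not", self.unary())
        if self.peek() != "(":
            return self.primitive()
        self.toks.pop(0)
        node = self.expr()
        if self.peek() != ")":
            raise ValueError("missing ')'")
        self.toks.pop(0)
        return node

    def primitive(self):
        quals = {}
        while self.peek() in PROTO_Q | DIR_Q | TYPE_Q:  # any number of qualifiers, then one ID
            tok = self.toks.pop(0)
            quals["proto" if tok in PROTO_Q else "dir" if tok in DIR_Q else "type"] = tok
        ident = self.peek()
        if ident is None or ident in KEYWORDS:          # no ID: only a bare protocol is allowed
            if set(quals) != {"proto"}:
                raise ValueError(f"expected a host/net/port value, got {ident!r}")
            return ("prim", quals["proto"], None, None, None)
        self.toks.pop(0)
        typ = quals.get("type", "net" if "/" in ident else "host")  # no type qualifier: host
        value = (ipaddress.ip_address(ident) if typ == "host" else     # ValueError for "port5005"
                 ipaddress.ip_network(ident, strict=False) if typ == "net" else int(ident))
        return ("prim", quals.get("proto"), quals.get("dir"), typ, value)

def _matches(node, pkt):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = _matches(node[1], pkt), _matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not _matches(node[1], pkt)
    _, proto, direction, typ, value = node
    if proto not in (None, "ip") and proto != pkt.proto:
        return False
    if typ is None:
        return True
    ends = ({"src": pkt.sport, "dst": pkt.dport} if typ == "port" else
            {"src": ipaddress.ip_address(pkt.src), "dst": ipaddress.ip_address(pkt.dst)})
    cands = [ends[direction]] if direction else list(ends.values())  # no dir qualifier: either end
    return any((c in value) if typ == "net" else (c == value) for c in cands)

def compile_filter(expr):
    """Parse a capture-filter expression into an AST; raises ValueError on invalid syntax."""
    parser = _Parser(expr)
    node = parser.expr()
    if parser.toks:
        raise ValueError(f"unexpected token {parser.toks[0]!r}")
    return node

def capture(expr, packets):
    """Indexes of the packets the filter keeps; the rest are dropped before Wireshark sees them."""
    ast = compile_filter(expr)
    return [i for i, p in enumerate(packets) if _matches(ast, p)]

# Constructed sample traffic for the article's scenario: TCP server 192.168.0.20:5005 and
# client 192.168.0.10, plus unrelated SSH, DNS and ICMP packets.
SAMPLE = [
    Packet("tcp", "192.168.0.10", "192.168.0.20", 40001, 5005),  # 0: client -> server
    Packet("tcp", "192.168.0.20", "192.168.0.10", 5005, 40001),  # 1: server -> client
    Packet("udp", "192.168.0.10", "10.0.0.5", 5005, 53),         # 2: DNS query sent from port 5005
    Packet("tcp", "192.168.0.30", "192.168.0.20", 51000, 22),    # 3: SSH to the server
    Packet("icmp", "10.0.0.5", "192.168.0.20"),                  # 4: ping to the server
]
```

Import the module and call capture(expr, SAMPLE). The article's own filter, "src 192.168.0.10 && port 5005", keeps packets 0 and 2: the UDP packet is kept too, because port without a proto qualifier matches TCP and UDP alike, so "tcp port 5005" is the tighter choice for the server scenario. "icmp or udp and dst port 53" keeps only packet 2 while "icmp or (udp and dst port 53)" keeps 2 and 4, which is the equal-precedence rule in action. compile_filter("port5005") raises ValueError, the same mistake that makes Wireshark's capture filter field turn red; check the expression before starting a multi-day capture, because a filter that matches nothing produces an empty file and no evidence.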



Source: blog.csdn.net/Firefly_cjd/article/details/113913758