Wireshark filter syntax

Language 2023-05-04 21:29:53 views: null

1. Official website address

click to enter

2. Capture Filters

Use capture filter Wireshark only captures packets that meet the filter conditions. The capture filter adopts BPF syntax expression, and the expression consists of the following parts:

Dir Indicates whether the transmission direction is going to or from For example: src, dst
Type Indicates the meaning represented by the name or number, for example: host, port Proto
limits the protocol to be matched For example: ether, ip, tcp, udp, http, ftp

Using the above keywords, a primitive can be formed. In a filter expression, multiple primitives can be defined. Multiple primitives are directly combined using logical operators. Logical operators are as follows:

Concatenation Operator: And (&&)
Selection Operator: Or (||)
Negation Operator: Not (!)

For example:

dst host 192.168.0.10 && tcp port 80

It means to intercept the tcp protocol whose target ip is host 192.168.0.10, and the source or destination port is port 80.

Common capture filter writing:

Filter host: host ip
filter port:
port port: filter data of a certain port
!port port: filter data that is not a certain port
dst port port: filter data whose target is a certain port

In Wireshark, capture filters are defined in Capture –> Options.

3. Display Filters

Display filters are applied to capture files and are used to tell Wireshark to display only those packets that match the filter criteria. You can enter a display filter in the Filter text box above the package list pane.
insert image description here
Display filter syntax differs from capture filter syntax. The main performance is as follows:
in terms of keywords, for example, the capture filter uses host to define ip, and the display filter uses ip.addr to define ip.
In terms of operators, display filters are divided into comparison operators and logical operators.
Comparison operators:

equal to ==
not equal to ! =
greater than >
less than <
greater than or equal to > =
less than or equal to <=

Logical operators:

and two conditions must be met at the same time
or one of the conditions is met
xor there is only one condition met
not no condition is met

For example:

!udp and ip.addr==40.90.189.152

Indicates that it is not a udp protocol and the ip is 40.90.189.152

4. Linux system capture packet

Under Linux, use the tcpdump command to capture packets, download the captured packet files to the windows system, and use Wireshark for analysis. The tcpdump command is not explained in detail here.

Guess you like

Origin blog.csdn.net/qq1309664161/article/details/128010710
Recommended
Ranking
git ,已经提交到git上的一个文件,想要忽略,在.gitignore添加了却不起作用
[Android -- soft skills] share a learning method
018-virtualenv creates python2/3 virtual environment installation and usage notes
Use the Lim test platform to quickly complete batch number creation
Springboot&Springcloud interview questions (including code and display diagram)
Common Components
03-Operation in numpy.array
Use PotPlayer to check the CPU and GPU usage when soft and hard decoding 4K HD videos
linux control history command history
Minio usage and integration starting dependencies
Daily
More
2024-05-28(1)
2024-05-27(1)
2024-05-26(0)
2024-05-25(3)
2024-05-24(12)
2024-05-23(35)
2024-05-22(9)
2024-05-21(35)
2024-05-20(5)
2024-05-19(0)

Code World

© 2018 codetd.com