1. IP filtering, IP source or destination IP as an IP equal
example:
ip.src ip.dst EQ EQ 192.168.1.107 or 192.168.1.107
or
ip.addr eq 192.168.1.107 // can display source and destination IP
2. filter port
example:
tcp.port EQ 80 // Whether the port is a source or target are displayed
tcp.port == 80
tcp.port EQ 2722
tcp.port EQ EQ udp.port 80 or 80
tcp.dstport == 80 // display only tcp protocol destination port 80
tcp.srcport == @ 80 displays only tcp protocol source port 80
udp.port 15000 EQ
filter port range
tcp.port> = tcp.port. 1 and <= 80
. 3. filtering protocol
examples:
TCP
UDP
ARP
ICMP
HTTP
SMTP
FTP
DNS
msnms
IP
SSL
OICQ
BOOTP
etc.
Arp packets excluded, such as arp arp or Not!
4. MAC filter
too mesh to filter head
eth.dst == A0: 00: 00: 04: C5: 84 // filtering target MAC
eth.src EQ A0: 00: 00: 04: C5: 84 // filter source mac
eth.dst == A0: 00: 00: 04: C5: 84
eth.dst == A0-00-00-04-C5-84
eth.addr EQ A0: 00: 00: 04: C5: 84 // MAC source and destination MAC filters are equal to A0: 00: 00: 04: C5: 84 is
less than less than <lt
less le
equal eq
greater than gt
greater than or equal ge
ranging ne
The length of the filter pack
examples:
udp.length == 26 is the length is a fixed length of 8 itself udp udp plus the sum of the following piece of data packets
tcp.len> = 7 refers ip packet (data piece below tcp ), excluding itself tcp
ip.len == 94 in addition to fixed-length Ethernet header 14, the other considered ip.len, i.e. from the end itself ip
frame.len 119 == length of the entire packet, from the beginning to the end eth
eth ---> IP or ARP ---> TCP or UDP ---> Data
6.http mode filter
examples:
http.request.method == "the GET"
http.request.method == "the POST"
http.Request. == uri "/img/logo-edu.gif"
HTTP the contains "GET"
HTTP the contains. "HTTP / 1"
// GET package
http.request.method == "GET" && the contains HTTP "Host:"
http.request == .method "GET" HTTP && the contains "the User-Agent:"
// POST package
http.request.method == "POST" && http contains "Host: "
== http.request.method "the POST" && the contains HTTP "the User-- Agent:"
// response packet
HTTP the contains "the HTTP / 1.1 200 is the OK" && the contains HTTP "the Type-the Content:"
HTTP the contains "the HTTP / 1.0 200 is the OK" && http contains "Content-Type: "
must contain the following
Content-Type:
7.TCP parameter filtering
tcp.flags display packets contain TCP flags.
tcp.flags.syn == 0x02 display include TCP SYN packet flag.
! tcp.window_size. 1 == 0 && tcp.flags.reset =
8. The contents of the filter
TCP [20] represents from 20 starts, takes a character
tcp [20:] represents from 20 starts, takes a character more
TCP [20 : 8] represents from 20 starts, takes eight characters
TCP [offset, n-]
UDP [8: 3] == 81:60:03 // offset 8 bytes, then take the number 3, the back whether == equal data?
udp [8: 1] == 32 I guess if there is nothing wrong, it should be udp [offset: The number of taken] = nValue is
eth.addr [0:. 3] == 00: 06: 5B
examples:
We all know that a fixed length of udp. 8
udp [. 8:. 3] == 20:21:22
Analyzing the front piece tcp packets is equal to three 0x21 0x22 0x20
tcp In general, length is 20, but when there are not 20
tcp [8: 3] == 20:21:22
If you want to get the most accurate, should first know tcp length
matches (matches) and contains (string comprising a) syntax
ip.src == 192.168.1.107 and udp [8: 5] The matches "\\ \\ x21 X12 X02 \\ \\ \\ x00 x22"
ip.src == 192.168.1.107 and the contains udp 02: 12: 21: 00: 22
ip.src == 192.168.1.107 and tcp the contains "the GET"
UDP 7C the contains: 7C: 7D: 7D matching UDP packets containing payload 0x7c7c7d7d not necessarily match from the first byte.
Examples:
Get the local qq login data packet (first packet that is determined == 0x02, fourth and fifth packets equal 0x00x22, the last packet equals 0x03)
0x02 0x00 0x22 ... 0x03 XX XX
correct
oicq and udp [ 8:] matches "^ \\ x02 [\\ x00 - \\ xff] [\\ x00 - \\ xff] \\ x00 \\ x22 [\\ x00 - \\ xff] + \\ x03 $"
oicq and udp [8:] matches "^ \\ x02 [\\ x00 - \\ xff] {2} \\ x00 \\ x22 [\\ x00 - \\ xff] + \\ x03 $" // login packet
oicq and (udp [8:] matches "^ \\ x02 [\\ x00 - \\ xff] {2} \\ x03 $" or tcp [8:] matches "^ \\ x02 [\\ x00 - \\ xFF] 2 {X03} \\ $ ")
OICQ and (UDP [. 8:] The matches" ^ \\ X02 [xOO \\ - \\ xFF] {2} \\ \\ xOO X22 [xOO \\ - \\ xff] + \\ x03 $ "or tcp [20:] matches" ^ \\ x02 [\\ x00 - \\ xff] {2} \\ x00 \\ x22 [\\ x00 - \\ xff] + \\ x03 $ ")
is not just only 00:22 QQ number, there are also other packages, to meet the following conditions (tcp there, but not done):
OICQ and udp [8:] the matches" X02 ^ \\ [\\ x00 - \\ xFF] X03 \\ $ + "and (UDP [. 11: 2] == 00:00) and (UDP [. 11: 2] == 00:80)!!
OICQ UDP and [. 8:] The matches" ^ \\ x02 [\\ x00 - \\ xff] + \\ x03 $ "and (udp [11: 2] == 00:00) and (udp [15: 4] == 00:00:00!! : 00)
Description:
UDP [15:. 4] == 00: 00: 00: 00 represents the number of empty QQ
udp [11: 2] == 00:00 indicates that the command number is 00:00
UDP [. 11: 2] = = 00:Number 80 indicates that the command is 00:80
When the command numbered 00:80, QQ number is 00: 00: 00: 00
to get a successful landing msn account (judgment condition is "USR 7 OK", that is equal to the first three USR, and then by two 0x20, it is OK to followed by OK is a character 0x20, is behind the mail)
the USR xx OK [email protected]
correct
msnms and tcp and ip.addr == 192.168.1.107 and tcp [20:] matches "^ USR \\ x20 [\\ x30 - \\ x39] + \\ x20OK \\ x20 [\\ x00 - \\ xff] + "
9.dns mode filter
10.DHCP
to find the rogue DHCP server for example, describes the use of Wireshark. Add filtering rules in the display filter,
the display and all the information from the DHCP server non bootp.type == 0x02 (Offer / Ack) is:
bootp.type Not ip.src == == 0x02 and 192.168.1.1
11.msn
msnms && tcp [23: 1] == 20 // msn fourth packet is of 0x20
msnms && tcp [20: 1] > = 41 && tcp [20: 1] <= 5A && tcp [21: 1]> 41 is && TCP = [21 is:. 1] <=. 5A && TCP [22 is:. 1]> = 41 is && TCP [22 is:. 1] <=. 5A
msnms && TCP [20 is:. 3] == "the USR" // find command encoding is a packet of USR
msnms && tcp [20: 3] == "MSG" // find command code is the MSG packet
tcp.port == 1863 || tcp.port == 80
how to determine the packet containing a command code ? the MSN packet
1) or 80 port 1863, such as: tcp.port == == 80 tcp.port 1863 ||
2) this data is the first three capital letters, such as:
TCP [20 is: 1]> = 41 && tcp [20: 1 ] <= 5A &
3) The fourth is 0x20, such as: TCP [23 is:. 1] == 20 is
. 4) belonging MSN TCP protocol, such as TCP
MSN Messenger protocol analysis
http://blog.csdn.net/Hopping/archive/2008/ . 11/13 is / 3292257.aspx
MSN protocol analysis
http://blog.csdn.net/lzyzuixin/archive/2009/03/13/3986597.aspx
described in more detail
<< wireshark filter expression examples described >>
HTTP: / /www.csna.cn/viewthread.php?tid=14614
operation menu in English Wireshark main interface contrast
http://www.csna.cn/viewthread.php?tid=9645&extra=page%3D1
has a good network analysis software
"Branch to network analysis system"
learn Ethereal / Wireshark website
http://www.csna.cn/index.php
###########################################################################
1, wireshark basic syntax character
\ d 0-9
\ D \ d complement (in so corpus character, the same below), i.e., all non-numeric characters
\ w word character, lowercase letters refer to, 0- figures 9, underlined
\ W \ w complement of
\ s whitespace characters, including newline \ n-, carriage return \ R & lt, tab \ T, vertical tab \ V, formfeed \ F
\ S \ s the complement
. any character except newline \ n a. In Perl. "" Newline match mode is referred to as "single-line mode"
. * Matches any text, but not a carriage return (\ n)?. And, [0x00-0xff] * matches any text, including \ n-
[...] matches all characters in [] listed
[^ ...] non-matching characters in [] listed
-------- -------------------------------------------------- ------------------------------
2, the positioning of characters represented by a virtual character, it represents a position, you also intuitively that "character position" that is represented by a small gap between the two characters.
^ Represents characters must be subsequently located at the beginning of the string
$ indicate that the previous character must be in the end of the string
\ b matches a word boundary
\ B matches a non-word boundary
-------------------------------------------------- --------------------------------------
3, repeated description string
{n} matches the preceding character n times
{n,} matches the preceding character n times or more than n times
{n, m} matches the preceding character n to m times
? matches the preceding character 0 or 1
+ 1 matches the preceding character 1 or more times times
* matches the preceding character zero or type 0 times
------------------------------------- -------------------------------------------------- -
. 4, and matching or
and and symbol
or symbols or
for example:
TCP tcp.port == 80 and
TCP or UDP
------------------------- -------------------------------------------------- -------------
. 5, the matching expression Wireshark filtered example
5.1, the search filter segment payload udp conditional (udp numeral 8 denotes a head is 8 bytes, the data portion from 9 byte udp [8:])
udp [8] == 14 (14 is a hexadecimal 0x14) matching the first payload byte UDP packet of 0x14
udp [8: 2] == 14:05 can udp [8: 2] == 1405 , and only supports two consecutive bytes, to be three or more colon: indicates hexadecimal partition. (Equivalent udp [8] == 14 and udp [9] == 05,1405 is 0x1405)
UDP [. 8:. 3] == 22 is: 00: F7 but not UDP [. 8:. 3] == 2200f7
UDP [ 8: 4] == 00: 04 : 00: 2a, to match the first four bytes of the payload 0x0004002a
and udp contains 7c: 7c: 7d: 7d matching UDP packets containing payload 0x7c7c7d7d not necessarily the first word from section match.
UDP [. 8:. 4] The matches "X14 \\ \\ \\ X07 X05 X18 \\"
UDP [. 8:] The matches "^ \\ \\ X05 X14 X18 \\ \\ \\ X07 X14"
5.2, conditional search tcp filtered data segment payload (tcp numeral 20 is a 20-byte header, the data portion starting from the 21 byte tcp [20:])
tcp [20:] the matches "the GET ^ [- ~] * the HTTP /1.1\\x0d\\x0a "
equivalent The matches HTTP" GET ^ [- ~] * HTTP / 1.1 x0d \\ \\ x0a "
tcp [20:] The matches" ^ GET HTTP / 1.1 \\ x0d (*.?) x0a \\ "
tcp [20:] The matches" ^ GET HTTP / 1.1 x0d \\ \\ x0a [\\ x00 - \\ xFF] * Host (*.?):
tcp [20:] The matches "^ GET HTTP / 1.1 x0d \\ \\ x0a [\\ x00 - \\ xFF] * Host (*.?):"
tcp [20:] The matches "^ POST / HTTP / 1.1 \ \ x0d \\ x0a [\\ x00 - \\ xff] * \\ x0d \\ x0aConnection: Keep-Alive \\ x0d \\ x0a \\ x0d \\ x0a "
detection flag smb SMB header, the tag indicating tcp smb head start on 24byte position match.
tcp [24: 4] == ff : 53: 4d: 42
detection marks smb SMB header, tcp data contains the hexadecimal ff: 53: 4d: 42, to start the search from the data head tcp.
the contains FF tcp: 53 is: 4D: 42 is
tcp The matches "\\ xFF X4d \\ \\ \\ X53 X42"
detector comprising tcp Hex 01: bd, tcp search from the head of this data.
tcp matches "\\ x01 \\ xbd"
detection path MS08067 RPC request
TCP [179: 13 is] == 00: 5C: 00: 2E: 00: 2E: 00: 5C: 00: 2E: 00: 2E: 00
\ . \.
5.3, other
http.request.uri matches ".gif $" matched filter HTTP request containing the URI ".gif" string, and ends with .gif (4 bytes) http request packet ($ is the end of the regular expression stands for character)
Note the difference: http.request.uri contains ".gif $" In contrast, contains a string containing ".gif $" (5 bytes). Matched filter HTTP request containing the URI ".gif $" http request packet string (where $ is a character, not the end character)
eth.addr [0:. 3] before the MAC address search filter 4f: == 00: 1e 3 bytes is 0x001e4f packet.
Finish