2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article introduces the Wireshark filtering rules in detail and is intended as a reference.
Wireshark filtering rules: 1. IP filtering, where the source IP or destination IP equals a given IP; 2. port filtering; 3. protocol filtering (tcp); 4. packet length filtering; 5. HTTP mode filtering.
Wireshark filtering rules:
1. IP filtering: source IP or destination IP equal to a given IP
For example:
ip.src == 192.168.0.208 or ip.src eq 192.168.0.208 // shows packets with this source IP
ip.dst == 192.168.0.208 or ip.dst eq 192.168.0.208 // shows packets with this destination IP
2. Port filtering:
For example:
tcp.port eq 80 // displayed regardless of whether port 80 is the source or the destination
tcp.port == 80
tcp.port eq 2722
tcp.port eq 80 or udp.port eq 80
tcp.dstport == 80 // shows only packets whose TCP destination port is 80
tcp.srcport == 80 // shows only packets whose TCP source port is 80
Filter port range:
tcp.port >= 1 and tcp.port = 7 refers to the IP packet (the piece of data under TCP), excluding TCP itself
ip.len == 94 // everything except the fixed 14-byte Ethernet header counts as ip.len, that is, from the IP header itself to the end
frame.len == 119 // entire packet length, from the Ethernet header to the end
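The port and length semantics above, as an added example that is not part of the original article: a Python sketch that builds a constructed Ethernet/IPv4/TCP frame and computes the values that tcp.port, tcp.srcport, tcp.dstport, ip.len and frame.len are compared against. The function names and the sample frame are assumptions made for illustration.

```python
import struct

ETH_HDR = 14  # fixed Ethernet II header: dst MAC (6) + src MAC (6) + EtherType (2)

def build_frame(src_port, dst_port, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 0, 208]), bytes([192, 168, 0, 1]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ip + tcp

def fields(frame):
    """Extract the values the display-filter fields on this page refer to."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4                  # IPv4 header length in bytes
    ip_len = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]  # Total Length
    tcp_off = ETH_HDR + ihl
    srcport, dstport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return {
        "frame.len": len(frame),                       # whole frame, Ethernet to end
        "ip.len": ip_len,                              # IP header to end
        "ip.src": ".".join(map(str, frame[ETH_HDR + 12:ETH_HDR + 16])),
        "tcp.srcport": srcport,
        "tcp.dstport": dstport,
    }

def tcp_port_eq(f, port):
    """tcp.port == N is true when EITHER the source or the destination port is N."""
    return port in (f["tcp.srcport"], f["tcp.dstport"])

# Constructed sample: a reply from port 80 to port 2722 carrying 54 payload bytes,
# so ip.len is 20 (IP) + 20 (TCP) + 54 = 94 and frame.len is 94 + 14 = 108.
SAMPLE = fields(build_frame(80, 2722, b"x" * 54))

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(f"{name:12} {value}")
    print("tcp.port == 80    ->", tcp_port_eq(SAMPLE, 80))
    print("tcp.dstport == 80 ->", SAMPLE["tcp.dstport"] == 80)
    print("frame.len - ip.len ->", SAMPLE["frame.len"] - SAMPLE["ip.len"])
```

On real captures the difference between frame.len and ip.len can exceed 14 bytes, for example when a short frame is padded to the Ethernet minimum or carries a VLAN tag.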
5. HTTP mode filtering:
Example:
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
// GET packet contains a header field
http.request.method == "GET" && http contains "Host:"
http.request.method == "GET" && http contains "User-Agent:"
// POST packet contains a header field
http.request.method == "POST" && http contains "Host:"
http.request.method == "POST" && http contains "User-Agent:"
// the response packet contains a header field
http contains "HTTP/1.1 200 OK" && http contains "Content-Type:"
http contains "HTTP/1.0 200 OK" && http contains "Content-Type:"
6. The connectors and / or
Expression: !(arp.src.proto_ipv4==192.168.1.1) and !(arp.dst.proto_ipv4==192.168.1.243)
expert.message is used to filter on the info text, mainly in conjunction with contains.