2025-04-01 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article lists the OSI layer 3 capture filter and display filter rules commonly used in Wireshark.
Wireshark Information
Packet Details Pane
This pane is the most important one: it is used to view every field of each protocol.
The rows of information are:
Frame: overview of the data frame at the physical layer
Ethernet II: data link layer Ethernet frame header information
Internet Protocol Version 4: internet layer IP packet header information
Transmission Control Protocol: transport layer segment header information, here TCP
Hypertext Transfer Protocol: application layer information, here the HTTP protocol
This is how Wireshark's rows correspond to the OSI seven-layer model.
For common Wireshark shortcut keys, see the previous article on layer 2 capture filters.
I. Rules for packet capture filter expressions (OSI three layers)
#ip / ip6 only captures IPv4 or IPv6 packets respectively (ip6 is the IPv6 capture rule)
#host X.X only captures traffic originating from or destined for the specified hostname or IP address (e.g. host 192.168.1.1)
host 172.18.202.248
Note: for the same target, you can capture with either a layer 2 rule or a layer 3 rule, and the results are the same;
#dst host X.X only captures traffic destined for the specified hostname or IP address
dst host 172.18.202.248 = dst 172.18.202.248
#src host X.X only captures traffic originating from the specified hostname or IP address
src host 172.18.202.248
#gateway X.X only captures traffic that passed through the specified host as a gateway
#net X.X only captures traffic originating from or destined for the specified IPv4 or IPv6 network number (e.g. net 192.168.1.0/24 or net 192.168.1.0 mask 255.255.255.0)
net 172.18.202.0/24
net X.X.X.X = 【dst net X.X.X.X + src net X.X.X.X】
#dst net X.X only captures traffic destined for the specified IPv4 or IPv6 network number
dst net 172.22.202.0/24
#src net X.X only captures traffic originating from the specified IPv4 or IPv6 network number
src net 172.18.18.0/24
#broadcast only captures IP broadcast packets
ip broadcast
#multicast only captures IP multicast packets
ip6 multicast
ip multicast
Mixed Expression Filter Rules
ip host 172.18.202.248 and icmp
src host 172.18.202.248 or arp
src host 172.18.202.248 or (arp and ! broadcast )
src host 172.18.202.248 or ( (arp and ! broadcast ) and ! tcp)
src host 172.18.202.248 and ( (arp and ! broadcast ) and ! tcp)
net 172.18.202.0/24 and (arp and ! broadcast ) or ! tcp
net 172.18.200.0/21 and ether src 8C-EC-4B-69-A6-A7 and arp
II. Rules for displaying filter expressions (OSI three layers)
Mixed Expression Example
ip.addr == 172.18.202.248 and not tcp.port in {80 25 1433}
--shows packets whose IP address equals 172.18.202.248 and whose TCP port is other than 80, 25 and 1433;
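The following is an added example, not part of the original article: a small Python model of the layer 3 primitives listed above (host, src/dst host, net in CIDR and mask form, ip proto) evaluated over constructed packet records, so the stated equivalences (host X = src host X or dst host X; net X = dst net X + src net X) and the display filter `ip.addr == 172.18.202.248 and not tcp.port in {80 25 1433}` can be checked offline. The packet records and the `Pkt`, `matches` and `display_filter` names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Pkt:            # constructed packet summary (sample data, not captured traffic)
    src: str
    dst: str
    proto: int        # IP header protocol field: 1 ICMP, 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0

# Capture filter primitives (pcap-filter syntax) modelled over Pkt records.
def src_host(p, addr): return p.src == addr
def dst_host(p, addr): return p.dst == addr
def host(p, addr):                 # host X == src host X or dst host X
    return src_host(p, addr) or dst_host(p, addr)

def _in_net(ip, spec):             # "172.18.202.0/24" or "172.18.202.0 mask 255.255.255.0"
    if " mask " in spec:
        base, mask = spec.split(" mask ")
        spec = f"{base}/{mask}"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def src_net(p, spec): return _in_net(p.src, spec)
def dst_net(p, spec): return _in_net(p.dst, spec)
def net(p, spec):                  # net X == src net X or dst net X
    return src_net(p, spec) or dst_net(p, spec)
def ip_proto(p, value): return p.proto == value   # ip proto N

# Display filter from the article: ip.addr == X and not tcp.port in {80 25 1433}
def tcp_port_in(p, ports):         # tcp.port matches either port; false if there is no TCP header
    return p.proto == 6 and (p.sport in ports or p.dport in ports)

def display_filter(p, addr, ports=(80, 25, 1433)):
    # As in Wireshark, "not tcp.port in {...}" is true when tcp.port is absent,
    # so UDP and ICMP packets to/from addr also pass; add "and tcp" to exclude them.
    return host(p, addr) and not tcp_port_in(p, ports)

PACKETS = [  # constructed sample traffic
    Pkt("172.18.202.248", "8.8.8.8", 6, 51000, 80),          # TCP to port 80
    Pkt("10.0.0.5", "172.18.202.248", 6, 443, 51001),         # TCP, neither port listed
    Pkt("172.18.202.248", "172.22.202.9", 17, 5353, 53),      # UDP DNS
    Pkt("172.18.202.10", "172.18.202.248", 1),                # ICMP
]

def matches(fn, *args):
    """Indexes of PACKETS that the filter fn selects."""
    return [i for i, p in enumerate(PACKETS) if fn(p, *args)]
```

Running `matches(display_filter, "172.18.202.248")` selects packets 1, 2 and 3: the UDP and ICMP packets pass because they have no tcp.port field, which is why a practitioner usually writes `... and tcp and not tcp.port in {80 25 1433}` when only TCP is wanted.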
#ip proto XX (display filter: ip.proto == XX) only shows packets whose IP header protocol field equals a specific value
ip.proto
ip.proto and tcp or http
tcp.dstport == 80
#ip6 proto xx only shows packets whose IPv6 header protocol (next header) field equals a specific value
ICMP
#TCP or UDP
ip.proto == 6 (TCP)
ip.proto == 2 (IGMP)
Common DNS Display Filters
Have Wireshark display only DNS queries or only DNS responses:
dns.flags.response == 0 (DNS query)
dns.flags.response == 1 (DNS response)
dns
ip.proto == 25
=========
Common Protocol Type Field Values (IP header protocol field)
1   ICMP
2   IGMP
6   TCP
17  UDP
47  GRE
88  EIGRP
89  OSPF
112 VRRP
So much for today; hopefully this is helpful to readers. Learn to apply it, practice more and summarize more.
© 2024 shulou.com SLNews company. All rights reserved.