2025-02-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Capture filter
Capture filter (CaptureFilters): decides which packets are written to the capture in the first place. It must be set before the capture starts.
Display filter (DisplayFilters): searches within an existing capture in detail. It can be changed at will after the capture has been taken.
The capture filter is the first layer the traffic passes through. It limits the volume of data captured so that the capture file does not grow out of control; note that packets it drops are gone for good and cannot be recovered later with a display filter.
The display filter is the more powerful (and more complex) of the two. It lets you find the records you need in the capture file quickly and precisely.
Syntax: Protocol Direction Host(s) Value Logical Operations Other expression
Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128 (the illustration of the syntax from the Wireshark wiki; written out with explicit qualifiers, the first half is tcp and dst host 10.1.1.1 and dst port 80)
Protocol: ether, ip, arp, rarp, tcp, udp, etc. (if no protocol is given, all protocols are captured)
Direction: src, dst, src and dst (if no direction is given, "src or dst" is assumed)
Type: net, port, host, portrange (if no type is given, "host" is assumed)
Logical operators: not or !, and or &&, or or ||
src portrange 2000-2500: TCP or UDP packets whose source port is in the range 2000 to 2500
Steps for applying a capture filter (the screenshots are not included on this page)
2. Display filter (used on its own when the traffic volume is low)
Syntax: Protocol.String1.String2 ComparisonOperator Value LogicalOperations
Example: ip.src == 10.1.1.1 and
Comparison operators:
== equal to
!= not equal to
>= greater than or equal to
Length fields:
tcp.len >= 1 and tcp.port == 7: tcp.len is the length of the data carried under TCP (the payload), excluding the TCP header itself
ip.len == 94: everything after the fixed 14-byte Ethernet header counts as ip.len, that is, from the IP header to the end of the packet (ip.len is the IP header's Total Length field; on a short frame padded to the 60-byte Ethernet minimum, frame.len - 14 is larger than ip.len because the padding is counted only in frame.len)
frame.len == 119: the length of the whole frame, from the Ethernet header to the end
Encapsulation order: Eth -> IP or ARP -> TCP or UDP -> data
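To make the three length fields concrete, here is an added Python example (not code from the original article) that builds a constructed Ethernet II / IPv4 / TCP frame and recovers frame.len, ip.len and tcp.len from the raw bytes the way the dissector does. The addresses, ports and payloads are made up, and the checksums are left at zero because they do not affect the lengths; the second frame is deliberately short so the Ethernet padding case shows up.

```python
import struct
from ipaddress import IPv4Address


def build_frame(payload: bytes, src="10.1.1.1", dst="10.2.2.2",
                sport=40000, dport=80) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame (not a real capture).

    Checksums are left at zero: Wireshark would flag them as bad, but they
    play no part in the length fields this example is about.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1, 1,
                      5 << 4,      # data offset: 5 words = 20-byte header, no options
                      0x18,        # flags PSH|ACK
                      65535, 0, 0)
    ip_total_length = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_length, 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    frame = eth + ip + tcp + payload
    # Ethernet requires a 60-byte minimum (before FCS); short frames get padded,
    # and that padding shows up in frame.len but not in ip.len.
    return frame.ljust(60, b"\x00")


def length_fields(frame: bytes) -> dict:
    """Recover frame.len, ip.len and tcp.len from raw bytes, as a dissector would."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length incl. options
    ip_len = struct.unpack("!H", ip[2:4])[0]       # IP Total Length field
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:ip_len]                           # slice by ip.len so padding is excluded
    data_offset = (tcp[12] >> 4) * 4               # TCP header length incl. options
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return {
        "frame.len": len(frame),
        "ip.len": ip_len,
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.hdr_len": data_offset,
        "tcp.len": ip_len - ihl - data_offset,     # payload only, header excluded
        "eth.padding": len(frame) - 14 - ip_len,
    }


def matches_tcp_payload_to_port(frame: bytes, port: int) -> bool:
    """Equivalent of the display filter  tcp.len >= 1 and tcp.port == <port>."""
    f = length_fields(frame)
    return f["tcp.len"] >= 1 and port in (f["tcp.srcport"], f["tcp.dstport"])


if __name__ == "__main__":
    full = build_frame(b"A" * 65)      # 14 + 20 + 20 + 65 = 119 bytes on the wire
    tiny = build_frame(b"hi")          # 56 real bytes, padded to the 60-byte minimum
    for name, fr in (("full", full), ("tiny", tiny)):
        print(name, length_fields(fr))
    print(matches_tcp_payload_to_port(full, 80))
```

For the 65-byte payload the three fields come out as frame.len 119, ip.len 105 and tcp.len 65, so frame.len - 14 == ip.len holds; for the two-byte payload the frame is padded to 60 bytes while ip.len stays at 42, which is why slicing by ip.len rather than trusting the frame length matters when computing tcp.len.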
5. HTTP filtering
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."
6. DHCP
Take finding a rogue DHCP server as an example, using a display filter rule.
bootp.type == 0x02 selects BOOTP replies (DHCP Offer/ACK/NAK); excluding the legitimate server's address then shows every reply that did not come from it:
bootp.type == 0x02 and not ip.src == 192.168.1.1
(Since Wireshark 3.0 the bootp fields are named dhcp, so on a current version the same filter is dhcp.type == 0x02 and not ip.src == 192.168.1.1.)
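The filter above needs only two facts from each packet: the BOOTP op field and the IP source address. The following Python example, added here and not part of the original article, constructs a small DHCP exchange (a Discover, an Offer from the legitimate server, an Offer from a rogue at 192.168.1.254, a Request and an ACK), parses the BOOTP messages and applies the same test as the display filter. The 192.168.1.1 server address is the one the article uses; the rogue address, transaction id and client details are made up. It additionally flags a reply whose Server Identifier option disagrees with ip.src, which the one-line filter does not catch.

```python
import struct
from ipaddress import IPv4Address

# Legitimate server from the article's filter (bootp.type == 0x02 and not ip.src == 192.168.1.1).
LEGIT_DHCP_SERVER = "192.168.1.1"

DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                      5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_bootp(op: int, xid: int, msg_type: int, yiaddr="0.0.0.0",
                server_id=None, chaddr=b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed BOOTP/DHCP message body (the UDP payload), not from a real capture."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,
                        b"\x00" * 4,                     # ciaddr
                        IPv4Address(yiaddr).packed,      # yiaddr: address being offered
                        b"\x00" * 4, b"\x00" * 4,        # siaddr, giaddr
                        chaddr.ljust(16, b"\x00"),
                        b"\x00" * 64, b"\x00" * 128)     # sname, file
    options = MAGIC_COOKIE + bytes([53, 1, msg_type])    # option 53: DHCP message type
    if server_id is not None:
        options += bytes([54, 4]) + IPv4Address(server_id).packed   # option 54: server id
    return fixed + options + b"\xff"                     # option 255: end


def parse_bootp(payload: bytes) -> dict:
    """Pull out op (bootp.type), xid, yiaddr and the TLV options."""
    op = payload[0]
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = IPv4Address(payload[16:20])
    options = {}
    if payload[236:240] == MAGIC_COOKIE:                 # options only exist after the cookie
        i = 240
        while i < len(payload):
            code = payload[i]
            if code == 255:                              # End
                break
            if code == 0:                                # Pad
                i += 1
                continue
            length = payload[i + 1]
            options[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def find_rogue_dhcp_replies(packets, legit_server=LEGIT_DHCP_SERVER) -> list:
    """Apply 'bootp.type == 0x02 and not ip.src == <legit>' to (src_ip, dst_ip, payload) tuples.

    Also reports a reply whose Server Identifier option disagrees with the IP
    source address, which is worth a look even when the source looks legitimate.
    """
    legit = IPv4Address(legit_server)
    findings = []
    for src_ip, _dst_ip, payload in packets:
        msg = parse_bootp(payload)
        if msg["op"] != 2:                               # bootp.type == 0x02: replies only
            continue
        src = IPv4Address(src_ip)
        opts = msg["options"]
        msg_type = DHCP_MESSAGE_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "BOOTREPLY"
        server_id = IPv4Address(opts[54]) if 54 in opts else None
        reasons = []
        if src != legit:
            reasons.append("reply not from the legitimate server")
        if server_id is not None and server_id != src:
            reasons.append("server identifier %s != ip.src" % server_id)
        if reasons:
            findings.append({"ip.src": str(src), "type": msg_type, "xid": msg["xid"],
                             "yiaddr": str(msg["yiaddr"]), "reasons": reasons})
    return findings


# Constructed exchange: a client discovers, the real server and a rogue both answer.
SAMPLE_PACKETS = [
    ("0.0.0.0", "255.255.255.255", build_bootp(1, 0xABCD1234, 1)),
    ("192.168.1.1", "255.255.255.255",
     build_bootp(2, 0xABCD1234, 2, "192.168.1.50", "192.168.1.1")),
    ("192.168.1.254", "255.255.255.255",
     build_bootp(2, 0xABCD1234, 2, "192.168.1.200", "192.168.1.254")),
    ("0.0.0.0", "255.255.255.255", build_bootp(1, 0xABCD1234, 3)),
    ("192.168.1.1", "255.255.255.255",
     build_bootp(2, 0xABCD1234, 5, "192.168.1.50", "192.168.1.1")),
]

if __name__ == "__main__":
    for hit in find_rogue_dhcp_replies(SAMPLE_PACKETS):
        print(hit)
```

Run against the constructed exchange, only the Offer from 192.168.1.254 is reported; the same transaction id on both Offers is what a client sees when two servers race to answer its Discover, and in a real capture the yiaddr and server identifier of the unexpected reply are the first things to check.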
7. View DNS traffic
dns.flags == 0x0100 (a standard query with the Recursion Desired bit set; responses have the QR bit set, for example dns.flags == 0x8180, and so do not match this filter)
Reference: https://wiki.wireshark.org/CaptureFilters
Network Monitor: the Windows network analyzer, run from a built-in program (it is in the "Administrative Tools" folder on the operating system installation disk, but it is not installed by default, so it has to be added from the installation disk).
Case: a QQ file cannot be accessed
1. Use Network Monitor to find the IP addresses and port range the software talks to.
(Network Monitor is a packet-capture tool similar to Wireshark.)
2. Import the captured packets into Wireshark for analysis.
3. Filter the packets by IP address and port.
4. Follow the stream and analyze the conversation.
This article does not cover every function of Wireshark; it only shows the basic ways of using it.
© 2024 shulou.com SLNews company. All rights reserved.