2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
On a network we usually do not need to capture every packet; often we only want specific ones, for example only TCP packets or only ARP packets.
To capture only TCP packets, after selecting the network connection (network card), do not click Start; instead open Options, then enter tcp in the Capture Filter field of the window that pops up, so that Wireshark captures only TCP packets.
You can also use Wireshark's built-in filter rules to limit which packets are captured: click Capture Filter and pick an appropriate rule from the window that pops up. We can also add our own new rules to the built-in ones, so that the next time we need something similar we do not have to write the rule by hand but can simply choose it from the built-in list.
Once you have selected or written the rule, click the Start button to capture the matching packets.
Capture filter rules use BPF syntax, so mastering BPF syntax is the key to using filters flexibly. A filter written in BPF syntax is called an expression; each expression contains one or more primitives, and each primitive contains one or more qualifiers followed by an ID (a name or number), for example: dst host 192.168.1.1 && tcp port 80.
This example captures TCP packets sent to port 80 on the destination host with IP address 192.168.1.1.
dst, host, tcp and port are qualifiers; 192.168.1.1 and 80 are IDs; && is an operator. The part before && is one primitive, dst host 192.168.1.1, and the part after && is another primitive, tcp port 80.
Qualifiers include:
Type: indicates what the name or number refers to: host, net, port.
Dir: indicates whether the transfer direction is to or from the name or number: src, dst.
Proto: restricts the match to a particular protocol: ether, ip, tcp, udp, http, ftp, icmp, etc.
We can also filter on protocol header fields: for example, the expression icmp[0]==8 || icmp[0]==0 tests the first byte of the ICMP header (the type field) and captures only ICMP echo requests (type 8) and echo replies (type 0).
Common capture filters:
tcp[13]&32==32  TCP packets with the URG bit set
tcp[13]&16==16  TCP packets with the ACK bit set
tcp[13]&8==8  TCP packets with the PSH bit set
tcp[13]&4==4  TCP packets with the RST bit set
tcp[13]&2==2  TCP packets with the SYN bit set
tcp[13]&1==1  TCP packets with the FIN bit set
tcp[13]==18  TCP SYN-ACK packets
ether host 00:00:00:00:00:00 (MAC address)  traffic to or from this MAC address
!ether host 00:00:00:00:00:00 (MAC address)  no traffic to or from this MAC address
broadcast  only broadcast traffic
icmp  ICMP traffic
icmp[0:2]==0x0301  ICMP destination unreachable, host unreachable
ip  only IPv4 traffic
ip6  only IPv6 traffic
udp  only UDP traffic
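As an added example (not code from the original article), the following Python evaluates the filters above against constructed Ethernet/IPv4 frames, mirroring what the byte-offset primitives test: tcp[13]&N==N, tcp[13]==18, icmp[0:2]==0x0301, and the compound expression dst host 192.168.1.1 && tcp port 80. The frames, addresses, ports and helper names are my own test constructions, not captured traffic.

```python
import struct

# "tcp[13]" is byte 13 of the TCP header (the flags byte); "icmp[0:2]" is the
# two-byte type/code pair at the start of the ICMP header.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
ETH_LEN = 14  # Ethernet header length; the IPv4 header starts right after it

def build_frame(proto, l4_header, dst="192.168.1.1"):
    """Constructed Ethernet+IPv4 frame for testing (not a captured packet)."""
    eth = b"\x00" * 12 + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header), 0, 0, 64,
                     proto, 0, bytes([192, 168, 1, 100]),
                     bytes(map(int, dst.split("."))))
    return eth + ip + l4_header

def tcp_header(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def icmp_header(icmp_type, code):
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

def ip_protocol(frame):
    return frame[ETH_LEN + 9]                  # IPv4 header byte 9: protocol

def proto_field(frame, proto, offset, length=1):
    """Evaluate proto[offset:length] as an unsigned big-endian integer."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    start = ETH_LEN if proto == "ip" else ETH_LEN + ihl
    return int.from_bytes(frame[start + offset:start + offset + length], "big")

def tcp_flag_set(frame, name):                 # tcp[13]&N==N
    mask = TCP_FLAGS[name]                     # parenthesised: Python's == binds tighter than &
    return ip_protocol(frame) == 6 and (proto_field(frame, "tcp", 13) & mask) == mask

def is_syn_ack(frame):                         # tcp[13]==18
    return ip_protocol(frame) == 6 and proto_field(frame, "tcp", 13) == 18

def is_host_unreachable(frame):                # icmp[0:2]==0x0301
    return ip_protocol(frame) == 1 and proto_field(frame, "icmp", 0, 2) == 0x0301

def dst_host_tcp_port(frame, host, port):      # dst host H && tcp port P
    dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    if dst != host or ip_protocol(frame) != 6:
        return False
    return port in (proto_field(frame, "tcp", 0, 2), proto_field(frame, "tcp", 2, 2))

if __name__ == "__main__":
    syn = build_frame(6, tcp_header(40000, 80, TCP_FLAGS["SYN"]))
    print("SYN:", tcp_flag_set(syn, "SYN"), "SYN-ACK:", is_syn_ack(syn),
          "dst host && tcp port 80:", dst_host_tcp_port(syn, "192.168.1.1", 80))
```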