Shulou(Shulou.com)06/01 Report--

We often catch a lot of data in Wireshark, so we need to use the filter Filter to filter out the packets we care about.

Wireshark provides two types of filters:

Capture filter: set the filter conditions before grabbing the packet, and then grab only the packets that meet the criteria.

Display filter: set filter criteria in the collection of captured packets, hide packets that you do not want to display, and display only packets that meet the criteria.

It is important to note that the syntax used by the two filters is completely different, and capture filters will be introduced in this blog post.

The main reason for using capture filters is performance. If you know that you don't need to analyze a certain type of traffic, you can simply use a capture filter to filter it out, saving the processor resources that will be used to capture these packets. Using capture filters is quite useful when dealing with large amounts of data.

The initial interface of the new version of Wireshark is very simple, mainly providing two functions: first set the capture filter, and then select the network card responsible for grabbing the packet. This shows the importance of capture filters.

For example, if we want to capture only the communication with port 80, we can set the filter rule "port 80".

The capture filter is applied to Winpcap and uses the Berkeley Packet Filter (BPF) syntax, whose syntax rules are as follows:

Protocol direction type data

Protocol, possible values: ether, ip, arp, tcp, udp, http, ftp... If no specific protocol is specified, all supported protocols are used by default

Direction, possible values: src, dst, if no specific source or destination is specified, "src or dst" is used as the keyword by default. For example, "host 10.2.2.2" is the same as "src or dst host 10.2.2.2".

Type, possible values: net, port, host, if this value is not specified, the "host" keyword is used by default. For example, "src 10.1.1.1" is the same as "src host 10.1.1.1".

We can also use the following three logical operators to combine expressions to create more advanced expressions.

Logic and & &, logic or |, logic is not!

For example, in the following expression, only packets with source address 192.168.0.10 and source or destination port 80 are captured.

Src 192.168.0.10 & & port 80

Application example

If we want to crawl packets from a particular host or device, we can set filtering rules based on the IP address or MAC address of the device.

For example, only packets with IP address 192.168.0.10 are crawled.

Host 192.168.0.10

If you consider that the IP address of the host may change, you can specify the MAC address to filter.

Ether host 00-50-56-C0-00-01

You can also filter based on the flow direction of the data:

Src host 192.168.0.10 / / packets sent from 192.168.0.10

Dst host 192.168.0.10 / packets destined for 192.168.0.10

Ether src host 00-50-56-C0-00-01 / / packets sent from 00-50-56-C0-00-01

Ether dst host 00-50-56-C0-00-01 / packets destined for 00-50-56-C0-00-01

It is important to note that host is the default option in expressions, so the above expressions express the same meaning with or without host.

For example, filter through the port:

Port 8080 / / only captures traffic on port 8080

! port 8080 / / captures all traffic outside port 8080

Dst port 8080 / / only captures traffic to port 8080

To filter by protocol or communication:

Icmp / / capture only ICMP traffic

! broadcast / / Don't grab the broadcast package

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.