[Exclusive] Wireshark usage and filtering rules


SPOTO | Posted on: 2019-05-14 | Views: 181 | Category: CCIE Written

Exclusive! Today I will share Wireshark usage and filtering rules with you.

1 filter IP

example:

ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107

or ip.addr eq 192.168.1.107 // matches either the source IP or the destination IP

ip.src eq 10.175.168.182

Tip: As you type a rule into the Filter edit box, the box turns red if the syntax is incorrect and green if it is correct.

2 filter port

example:

tcp.port eq 80 // matches port 80 as either the source or the destination port

tcp.port == 80

tcp.port eq 2722

tcp.port eq 80 or udp.port eq 80

tcp.dstport == 80 // only TCP segments whose destination port is 80

tcp.srcport == 80 // only TCP segments whose source port is 80

udp.port eq 15000

Filter port range

tcp.port >= 1 and tcp.port <= 80

3 filter protocol

A protocol name on its own keeps only the packets that contain that protocol. Examples: tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp, etc.

4 filter MAC

Filter by the Ethernet header

eth.dst == A0:00:00:04:C5:84 // filter by destination MAC

eth.src eq A0:00:00:04:C5:84 // filter by source MAC

eth.dst==A0:00:00:04:C5:84

eth.dst==A0-00-00-04-C5-84

eth.addr eq A0:00:00:04:C5:84 // matches frames whose source MAC or destination MAC is A0:00:00:04:C5:84

Comparison operators

less than: < or lt

less than or equal to: <= or le

equal to: == or eq

greater than: > or gt

greater than or equal to: >= or ge

not equal to: != or ne

5 packet length filter

example:

udp.length == 26 // the fixed 8-byte UDP header plus everything carried inside UDP

tcp.len >= 7 // the TCP payload only (the data carried inside TCP), excluding the TCP header itself

ip.len == 94 // everything after the fixed 14-byte Ethernet header: from the IP header to the end of the packet

frame.len == 119 // the whole packet, from the Ethernet header to the end

Layering: eth -> ip or arp -> tcp or udp -> data

6 http mode filtering

example:

http.request.method == "GET"

http.request.method == "POST"

http.request.uri == "/img/logo-edu.gif"

http contains "GET"

http contains "HTTP/1."

// GET packets

http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "

// POST packets

http.request.method == "POST" && http contains "Host:"

http.request.method == "POST" && http contains "User-Agent: "

// response packets

http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "

The response must contain the following header:

Content-Type:

7 TCP parameter filtering

tcp.flags // displays every packet that carries a TCP flags field

tcp.flags.syn == 0x02 // displays packets with the TCP SYN flag set

tcp.window_size == 0 && tcp.flags.reset != 1

8 packet content filtering

tcp[20] means starting at offset 20, take 1 byte

tcp[20:] means starting at offset 20, take all remaining bytes

tcp[20:8] means starting at offset 20, take 8 bytes

General form: tcp[offset:n]

udp[8:3]==81:60:03 // skip 8 bytes, then take 3 bytes and compare them with the value after ==

udp[8:1]==32 // if I am not mistaken, the form is udp[offset:count]==value

eth.addr[0:3]==00:06:5B

example:

Check whether the first three bytes of the data carried inside UDP are 0x20 0x21 0x22.

We all know that the UDP header has a fixed length of 8, so:

udp[8:3]==20:21:22

Check whether the first three bytes of the data carried inside TCP are 0x20 0x21 0x22.

In general the TCP header is 20 bytes long, but there are times when it is not.

tcp[20:3]==20:21:22

If you want the most accurate result, you should know the length of the TCP header first.

Matches and contains syntax

ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"

ip.src==192.168.1.107 and udp contains 02:12:21:00:22

ip.src==192.168.1.107 and tcp contains "GET"

udp contains 7c:7c:7d:7d matches UDP packets that have 0x7c7c7d7d anywhere in the payload, not necessarily starting at the first byte.
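The length fields from section 5 and the slice and contains semantics from section 8 can be checked against a frame you build yourself. The following Python is an added example, not part of the original post: it constructs an Ethernet/IPv4/TCP frame (the addresses, ports and the 12-byte TCP options block are made up for the example), computes frame.len, ip.len, tcp.hdr_len and tcp.len the way a dissector would, then shows that tcp[20:3] reads the options rather than the payload when the header is longer than 20 bytes, and that a contains-style match succeeds anywhere in the layer. The helper names (build_frame, layer_offsets, lengths, tcp_slice, tcp_payload_slice, tcp_contains) are the example's own.

```python
import struct

# Constructed sample values (not from a real capture).
SAMPLE_PAYLOAD = b"\x20\x21\x22\x23\x24"
# Two NOPs + a 10-byte TCP timestamp option = 12 bytes, so this TCP header is 32 bytes, not 20.
SAMPLE_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"

ETH_HDR_LEN = 14


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Ethernet II / IPv4 / TCP frame around `payload`.
    Checksums are left zero; they play no part in length or slice arithmetic."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(tcp_options)) // 4           # header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,                     # src port, dst port (made up)
                          1, 0,                          # seq, ack
                          data_offset << 4,              # data offset sits in the high nibble
                          0x02,                          # flags: SYN
                          65535, 0, 0) + tcp_options     # window, checksum, urgent pointer
    ip_total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,                        # version 4, IHL 5 (20-byte header), DSCP/ECN
                         ip_total_len, 0, 0,             # total length, id, flags/fragment offset
                         64, 6, 0,                       # TTL, protocol 6 = TCP, checksum
                         bytes([192, 168, 1, 107]), bytes([10, 175, 168, 182]))
    eth_hdr = bytes.fromhex("a0000004c584") + bytes.fromhex("00065b112233") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def layer_offsets(frame: bytes) -> dict:
    """Where each layer starts, read from the header length fields as a dissector does."""
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    tcp_start = ETH_HDR_LEN + ihl
    tcp_hdr_len = (frame[tcp_start + 12] >> 4) * 4
    return {"ip": ETH_HDR_LEN, "tcp": tcp_start, "data": tcp_start + tcp_hdr_len}


def lengths(frame: bytes) -> dict:
    """The length fields from section 5, computed from the frame."""
    off = layer_offsets(frame)
    ip_len = struct.unpack("!H", frame[off["ip"] + 2:off["ip"] + 4])[0]
    return {
        "frame.len": len(frame),               # whole frame, Ethernet header to the end
        "ip.len": ip_len,                      # IP header plus everything after it (frame.len - 14)
        "tcp.hdr_len": off["data"] - off["tcp"],  # TCP header only; 20 + options
        "tcp.len": len(frame) - off["data"],   # TCP payload only, header excluded
    }


def tcp_slice(frame: bytes, offset: int, n: int) -> bytes:
    """tcp[offset:n]: n bytes starting at `offset`, counted from the start of the TCP layer."""
    start = layer_offsets(frame)["tcp"] + offset
    return frame[start:start + n]


def tcp_payload_slice(frame: bytes, n: int) -> bytes:
    """First n payload bytes, located via the real header length instead of assuming 20."""
    start = layer_offsets(frame)["data"]
    return frame[start:start + n]


def tcp_contains(frame: bytes, needle: bytes) -> bool:
    """tcp contains xx:yy: a substring match anywhere in the TCP layer, not anchored to byte 0."""
    return needle in frame[layer_offsets(frame)["tcp"]:]


if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD, SAMPLE_OPTIONS)
    print(lengths(frame))
    print("tcp[20:3] =", tcp_slice(frame, 20, 3).hex(":"))          # options, not payload
    print("first 3 payload bytes =", tcp_payload_slice(frame, 3).hex(":"))
    print("tcp contains 21:22 ->", tcp_contains(frame, b"\x21\x22"))
```

Run it directly to print the values for the sample frame. The practical point is the one the text makes: before filtering on the first bytes of TCP data, read the header length (the tcp.hdr_len field, derived from the data offset nibble) rather than assuming 20 bytes, or use contains, which does not depend on the header length at all.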

9 DHCP

Note: the filter name for the DHCP protocol is not dhcp/DHCP, but bootp.

Take a forged DHCP server as the example for this Wireshark usage. Add a rule to the display filter that shows every packet that has bootp.type==0x02 (Offer/Ack/NAK) and does not come from the legitimate DHCP server:

bootp.type==0x02 and not ip.src==192.168.1.1
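The filter above keeps server replies (bootp.type, the BOOTP op byte, equal to 2) and drops those sent by the legitimate server. The following Python is an added example, not from the original post, that applies the same rule to constructed DHCP payloads so the logic can be checked offline (the transaction ID, the client MAC and the unexpected host 192.168.1.66 are made up for the example): it parses the op byte, the DHCP message type option (53) and the server identifier option (54), and lists every reply whose IP source is not the authorized server. The function names (build_dhcp, parse_dhcp, rogue_replies) are the example's own. One caveat on the page's note: Wireshark 3.0 and later renamed the dissector from bootp to dhcp, so on current releases the same filter is written dhcp.type==0x02 and not ip.src==192.168.1.1; the bootp names are those of the older releases this post uses.

```python
import struct

# BOOTP op codes; the bootp.type field in the page's filter is this first byte.
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "NAK"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_dhcp(op: int, xid: int, msg_type: int, server_id: str = "") -> bytes:
    """Constructed BOOTP/DHCP payload: 236-byte fixed header, magic cookie, then options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0,                 # op, htype Ethernet, hlen 6, hops
                        xid, 0, 0,                   # transaction id, secs, flags
                        b"", b"", b"", b"",          # ciaddr, yiaddr, siaddr, giaddr (zero-padded)
                        b"\x00\x06\x5b\x11\x22\x33", # chaddr (made-up client MAC, zero-padded to 16)
                        b"", b"")                    # sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Read the fields a bootp/dhcp filter would expose: op, xid, message type, server identifier."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    info = {"op": payload[0], "xid": struct.unpack("!I", payload[4:8])[0],
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:                           # single-byte padding, no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == OPT_MSG_TYPE and length == 1:
            info["msg_type"] = DHCP_MSG_TYPES.get(value[0], f"type {value[0]}")
        elif tag == OPT_SERVER_ID and length == 4:
            info["server_id"] = ".".join(str(b) for b in value)
        i += 2 + length
    return info


def rogue_replies(records, authorized_server: str):
    """Same selection as `bootp.type==0x02 and not ip.src==<authorized_server>`:
    every server reply whose IP source is not the legitimate server."""
    hits = []
    for src_ip, payload in records:
        info = parse_dhcp(payload)
        if info["op"] == BOOTREPLY and src_ip != authorized_server:
            hits.append((src_ip, info["msg_type"], info["server_id"]))
    return hits


# Constructed traffic as (IP source, DHCP payload); not from a real capture.
SAMPLE_RECORDS = [
    ("0.0.0.0",      build_dhcp(BOOTREQUEST, 0x1234, 1)),                  # Discover
    ("192.168.1.1",  build_dhcp(BOOTREPLY,   0x1234, 2, "192.168.1.1")),   # legitimate Offer
    ("192.168.1.66", build_dhcp(BOOTREPLY,   0x1234, 2, "192.168.1.66")),  # Offer from an unknown host
    ("0.0.0.0",      build_dhcp(BOOTREQUEST, 0x1234, 3)),                  # Request
    ("192.168.1.1",  build_dhcp(BOOTREPLY,   0x1234, 5, "192.168.1.1")),   # legitimate Ack
    ("192.168.1.66", build_dhcp(BOOTREPLY,   0x1234, 6, "192.168.1.66")),  # NAK from an unknown host
]

if __name__ == "__main__":
    for hit in rogue_replies(SAMPLE_RECORDS, "192.168.1.1"):
        print("reply from unexpected server:", hit)
```

The server identifier option is reported alongside the IP source because the two should agree for a genuine server; a reply whose option 54 names a different address than its IP source is worth a second look on its own.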