1. 打开 wireShark 过滤显示 协议
比如显示arp协议
过滤栏输入arp即可
支持的协议类型
TCP
UDP
HTTP
FTP
ICMP
SMTP
等等
2. 过滤ip地址
ip.addr eq 10.24.13.6 or ip.addr == 10.24.13.6 或者是区分 源地址或者是目标地址 ip.src == 10.24.13.6 或者目标地址 ip.dst eq 10.24.13.6
3. 过滤端口 以及增加 and 条件等.
tcp.port == 80 || ip.src eq 10.24.13.97
4. mac地址过滤
eth.dst
eth.src
eth.addr
5. http 方法过滤
http.request.method == "GET" http.request.method == "POST" http.request.uri == "/img/logo-edu.gif" http contains "GET" http contains "HTTP/1." // GET包 http.request.method == "GET" && http contains "Host: " http.request.method == "GET" && http contains "User-Agent: " // POST包 http.request.method == "POST" && http contains "Host: " http.request.method == "POST" && http contains "User-Agent: " // 响应包 http contains "HTTP/1.1 200 OK" && http contains "Content-Type: " http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "