Wireshark Filter

引用官方网站http://wiki.wireshark.org/CaptureFilters

Capture filters:

Capture only traffic to or from IP address 172.18.5.4:

• host 172.18.5.4

Capture traffic to or from a range of IP addresses:

• net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0

Capture traffic from a range of IP addresses:

• src net 192.168.0.0/24  or src net 192.168.0.0 mask 255.255.255.0

Capture traffic to a range of IP addresses:

• dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0

Capture only DNS (port 53) traffic:

• port 53

Capture non-HTTP and non-SMTP traffic on your server (both are equivalent):

• host www.example.com and not (port 80 or port 25)

  host www.example.com and not port 80 and not port 25

Capture except all ARP and DNS traffic:

• port not 53 and not arp

Capture traffic within a range of ports

• (tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):

• tcp portrange 1501-1549

Capture only Ethernet type EAPOL:

• ether proto 0x888e

Reject ethernet frames towards the Link Layer Discovery Protocol Multicast group:

• not ether dst 01:80:c2:00:00:0e

Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:

• ip

Capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements:

• not broadcast and not multicast

Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the [http://seclists.org/tcpdump/2004/q4/95|tcpdump-workers mailing list].

• port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

Useful Filters

Blaster and Welchia are RPC worms. (Does anyone have better links, i.e. ones that describe or show the actual payload?)

Blaster worm:

• dst port 135 and tcp port 135 and ip[2:2]==48

Welchia worm:

• icmp[icmptype]==icmp-echo and ip[2:2]==92 and icmp[8:4]==0xAAAAAAAA

  The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). It is the signature of the welchia worm just before it tries to compromise a system.

Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Please change the network filter to reflect your own network.

dst port 135 or dst port 445 or dst port 1433  and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0 and src net 192.168.0.0/24

Default Capture Filters

Wireshark tries to determine if it's running remotely (e.g. via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic. It does this by checking environment variables in the following order:

Environment Variable	Resultant Filter
SSH_CONNECTION	not (tcp port srcport and addr_family host srchost and tcp port dstport and addr_family host dsthost)
SSH_CLIENT	not (tcp port srcport and addr_family host srchost and tcp port dstport)
REMOTEHOST	not addr_family host host
DISPLAY	not addr_family host host
CLIENTNAME	not tcp port 3389

(addr_family will either be "ip" or "ip6")

Further Information

• Filtering while capturing from the Wireshark User's Guide

• The tcpdump man page includes a comprehensive capture filter reference

• The Mike Horn Tutorial gives a good introduction to capture filters

• Capture and display filter Cheat sheets

• packetlevel.ch Filter examples

Discussion

BTW, the Symantec page says that Blaster probes 135/tcp, 4444/tcp, and 69/udp. Would

 (tcp dst port 135 or tcp dst port 4444 or udp dst port 69) and ip[2:2]==48

• be a better filter? - Gerald Combs

Q: What is a good filter for just capturing SIP and RTP packets?

A: On most systems, for SIP traffic to the standard SIP port 5060,

tcp port sip

should capture TCP traffic to and from that port,

udp port sip

should capture UDP traffic to and from that port, and

port sip

should capture both TCP and UDP traffic to and from that port (if one of those filters gets "parse error", try using 5060 instead of sip). For SIP traffic to and from other ports, use that port number rather than sip.

In most cases RTP port numbers are dynamically assigned. You can use something like the following which limits the capture to UDP, even source and destination ports, a valid RTP version, and small packets. It will capture any non-RTP traffic that happens to match the filter (such as DNS) but it will capture all RTP packets in many environments.

udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250

Capture WLAN traffic without Beacons:

link[0] != 0x80

Capture all traffic originating (source) in the IP range 192.168.XXX.XXX:

src net 192.168

ip
IP
arp
arp
tcp
tcp
udp
udp
icmp
icmp
ip multicast
IP Multicast
ether multicast
Ethernet Multicast
IP Filters
ip[0] & 0x0f
low nibble: header length in 4octet words. should be 5
ip[1]
type of service/QoS/DiffServ
ip[2:2]
total length of datagram in octets
ip[4:2]
IP ID number
ip[6] & 0x80
reserved bit (possibly used for ECN)
ip[6] & 0x40
DF bit
ip[6] & 0x20
MF bit
ip[6:2] & 0x1fff
fragment offset (number of 8octet blocks)
ip[8]
ttl
ip[9]
protocol
ip[10:2]
header checksum
ip[12:4]
source IP
ip[16:4]
destination IP
Samples
(ip[12:4] = ip[16:4])
Src IP = Dest IP (land attack)
ip[0] & 0xf0
high nibble: IP version. almost always 4
(ip[0] & 0xf0 != 0x40)
IP versions !=4
(ip[0:1] & 0x0f > 5)
IP with options set
(ip[19] = 0xff)
Broadcasts to x.x.x.255
(ip[19] = 0x00)
Broadcasts to x.x.x.0
(ip and ip[1] & 0xfc == 0xb8)
search for EF in DSCP
(ip and ip[1] & 0xfc == 0x28)
search for AF11 in DSCP
(ip and ip[1] & 0xfc != 0x00)
search for DCSP Packets != 0
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)
initial fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)
intervening fragments
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)
terminal fragments
(ip[0] & 0x0f) != 5
has ip options (or is truncated, or is just some sort of freak...)
ip[8] < 5
short TTL value
ip[6] = 32
MF set
iip[2:2] > 999
IP Packet greater then 999
ICMP Filters
icmp[0]
type
icmp[1]
code
icmp[2:2]
checksum
Samples
icmp[0]=0x#
all Packets with ICMP Type 
icmp[0]=0x# and icmp[1]=0x#
all Packets with ICMP Type X and Code = Y 
icmp[0]=8
ICMP Request Messages
icmp[8]=0
ICMP Request Replay
icmp[0]=0x11
ICMP Address Mask Request
icmp[0]=0x12
ICMP Address Mask Replay
icmp[0]=11 and icmp[1]=0
ICMP Time Exeedet
icmp[0]=3 and icmp[1]=4
ICMP Time Exeedet
icmp[0]=8 and ip[2:2] > 64
Large ICMP Packets
TCP Filters
tcp[0:2]
source port
tcp[2:2]
destination port
tcp[4:4]
sequence number
tcp[8:4]
ack number
tcp[12]
header length
tcp[13]
tcp flags
---- --S-       0000 0010 = 0x02   normal syn
---A --S-       0001 0010 = 0x12   normal syn-ack
---A ----       0001 0000 = 0x10   normal ack
--UA P---       0011 1000 = 0x38   psh-urg-ack. interactive stuff like ssh
---A -R--       0001 0100 = 0x14   rst-ack. it happens.
---- --SF       0000 0011 = 0x03   syn-fin scan
--U- P--F       0010 1001 = 0x29   urg-psh-fin. nmap fingerprint packet
-Y-- ----       0100 0000 = 0x40   anything >= 0x40 has a reserved bit set
XY-- ----       1100 0000 = 0xC0   both reserved bits set
XYUA PRSF       1111 1111 = 0xFF   FULL_XMAS scan
tcp[14:2]
window size
tcp[16:2]
checksumt
tcp[18:2]
urgent pointer
Samples
tcp[13] = 0x02
is SYN. nothing else.
(tcp[13] & 0x02) != 0
contains SYN. we don't care what else...
(tcp[13] & 0x03) = 3
is some kind of SYN-FIN. realy Bad
winnuke (not tested)
tcp[20:4] = 0x47455420
GET in request
UDP Filters
udp[0:2]
source port
udp[2:2]
destination port
udp[4:2]
datagram length
udp[6:2]
UDP checksum
protocols
ip[9] == 8
EGP
ip[9] == 9
IGP
ip[9] == 88
EIRGP
ip[9] == 50
ESP
ip[9] == 51
AH
ip[9] == 89
OSPF
ip[9] == 124
ISIS
other, see /etc/protocols
Routing Protocols
(udp and port 520) or (host 224.0.0.9)
RIP 1 + 2
tcp and port 179
BGP
ip[9] == 8
EGP
ip[9] == 9
IGP
ip[9] == 88
EIRGP
ip[9] == 89
OSPF
ip[9] == 124
ISIS
ether Filters
ether[20:2] == 0x2000
CDP pakets
ether[12:2] == 0x0806
ARP pakets
IPv6
ip6
filters native IPv6 traffic (including ICMPv6)
icmp6
filters native ICMPv6 traffic
proto ipv6
filters tunneled IPv6-in-IPv4 traffic
TCP
ip6 and (ip6[6] == 0x06)
IPv6 TCP
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)
IPv6 TCP Syn
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10)
IPv6 TCP ACK
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12)
IPv6 TCP Syn/ACK
UDP
ip6 and (ip6[6] == 0x11)
IPv6 TCP
ICMP
(ip6[6] == 0x3a)
ICMP v6
(ip6[6] == 0x3a) and (ip6[40] == 0x01)
ipv6 and type 1 Dest Unreachable
(ip6[6] == 0x3a) and (ip6[40] == 0x02)
ipv6 and type 2 Packet too big
(ip6[6] == 0x3a) and (ip6[40] == 0x03)
ipv6 and type 3 Time Exeedet
(ip6[6] == 0x3a) and (ip6[40] == 0x04)
ipv6 and type 4 Parameter Problem
(ip6[6] == 0x3a) and (ip6[40] == 0x80)
ipv6 and type 128 Echo Request
(ip6[6] == 0x3a) and (ip6[40] == 0x81)
ipv6 and type 129 Echo Reply
(ip6[6] == 0x3a) and (ip6[40] == 0x86)
ipv6 and type 133 Router Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x87)
ipv6 and type 134 Router Advertisement
(ip6[6] == 0x3a) and (ip6[40] == 0x88)
ipv6 and type 135 Neighbor Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x89)
ipv6 and type 136 Neighbor Advertisement
MY Filters
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast: 
More Infos
 byte_offsets.txt
 tcpdump.filters