  • Wireshark Display filters

    Show only SMTP (port 25) and ICMP traffic:

    •  tcp.port eq 25 or icmp

    Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

    • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

    TCP buffer full -- Source is instructing Destination to stop sending data

    •  tcp.window_size == 0 && tcp.flags.reset != 1

    Filter on Windows -- Filter out noise, while watching Windows Client - DC exchanges

    •  smb || nbns || dcerpc || nbss || dns

    Sasser worm: --What sasser really did--

    •   ls_ads.opnum==0x09

    Match packets containing the (arbitrary) 3-byte sequence 0x81, 0x60, 0x03 at the beginning of the UDP payload, i.e. skipping the 8-byte UDP header. Note that the values in the byte sequence are implicitly hexadecimal. (Useful for matching homegrown packet protocols.)

    •   udp[8:3]==81:60:03

    The "slice" feature is also useful to filter on the vendor identifier part (OUI) of the MAC address, see the Ethernet page for details. Thus you may restrict the display to only packets from a specific device manufacturer. E.g. for DELL machines only:

    •   eth.addr[0:3]==00:06:5B

    It is also possible to search for characters appearing anywhere in a field or protocol by using the matches operator.

    Match packets that contain the 3-byte sequence 0x81, 0x60, 0x03 anywhere in the UDP header or payload:

    •   udp contains 81:60:03

    Match packets where SIP To-header contains the string "a1762" anywhere in the header:

    •   sip.To contains "a1762"

    The matches operator makes it possible to search for text in string fields and byte sequences using a regular expression, using Perl regular expression syntax. Note: Wireshark needs to be built with libpcre in order to be able to use the matches operator.

    Match HTTP requests where the last characters in the uri are the characters "gl=se":

    •   http.request.uri matches "gl=se$"

    Note: The $ character is a PCRE punctuation character that matches the end of a string, in this case the end of http.request.uri field.
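    The slice, "contains" and "matches" examples above all test byte or string positions inside a protocol layer. The following Python program is an added illustration, not code from the original page or from the Wireshark project: it builds a few constructed Ethernet/IPv4/UDP frames (sample data, not captured traffic), then re-implements the four filters udp[8:3]==81:60:03, eth.addr[0:3]==00:06:5B, udp contains 81:60:03 and http.request.uri matches "gl=se$" as plain functions so you can see exactly which bytes each one inspects. The MAC and IP addresses, ports and payloads are all made up for the example; only the 00:06:5B OUI comes from the page.

```python
import re
import struct

# Constructed sample frames (not captured traffic): minimal Ethernet II /
# IPv4 / UDP with checksums left at zero, since the filters never look at them.

def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    eth_hdr = dst_mac + src_mac + b"\x08\x00"          # EtherType 0x0800 = IPv4
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,  # proto 17 = UDP
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return eth_hdr + ip_hdr + udp_hdr + payload

def hex_seq(text: str) -> bytes:
    """'81:60:03' -> b'\\x81\\x60\\x03' (filter byte literals are hexadecimal)."""
    return bytes(int(h, 16) for h in text.split(":"))

def udp_layer(frame: bytes) -> bytes:
    """Bytes of the UDP protocol (header + payload): what 'udp[...]' slices."""
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length
    return frame[14 + ihl:]

def udp_slice_eq(frame: bytes, offset: int, length: int, literal: str) -> bool:
    """udp[offset:length] == literal"""
    return udp_layer(frame)[offset:offset + length] == hex_seq(literal)

def eth_oui_eq(frame: bytes, literal: str) -> bool:
    """eth.addr[0:3] == literal  (eth.addr means source OR destination MAC)"""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    oui = hex_seq(literal)
    return src_mac[0:3] == oui or dst_mac[0:3] == oui

def udp_contains(frame: bytes, literal: str) -> bool:
    """udp contains literal  (anywhere in the UDP header or payload)"""
    return hex_seq(literal) in udp_layer(frame)

def uri_matches(uri: str, pattern: str) -> bool:
    """http.request.uri matches pattern  (PCRE-style regex; '$' anchors the end)"""
    return re.search(pattern, uri) is not None

DELL_MAC = hex_seq("00:06:5B:11:22:33")   # constructed; 00:06:5B is the OUI from the page
OTHER_MAC = hex_seq("00:11:22:33:44:55")  # constructed
BCAST = b"\xff" * 6

FRAME_A = build_frame(DELL_MAC, BCAST, "192.168.1.10", "192.168.1.255", 5000, 5000,
                      b"\x81\x60\x03" + b"payload")          # sequence at payload start
FRAME_B = build_frame(OTHER_MAC, BCAST, "192.168.1.11", "192.168.1.255", 5000, 5000,
                      b"\x00\x00\x81\x60\x03")               # sequence later in payload
FRAME_C = build_frame(OTHER_MAC, BCAST, "192.168.1.12", "192.168.1.255", 5000, 5000,
                      b"plain text")                         # sequence absent

if __name__ == "__main__":
    for name, frame in (("A", FRAME_A), ("B", FRAME_B), ("C", FRAME_C)):
        print(name,
              "udp[8:3]==81:60:03:", udp_slice_eq(frame, 8, 3, "81:60:03"),
              "udp contains 81:60:03:", udp_contains(frame, "81:60:03"),
              "eth.addr[0:3]==00:06:5B:", eth_oui_eq(frame, "00:06:5B"))
    for uri in ("/search?q=wireshark&gl=se", "/search?gl=se&q=wireshark"):
        print(uri, 'matches "gl=se$":', uri_matches(uri, "gl=se$"))
```

    Frame B is the instructive case: the byte sequence is present, so "udp contains 81:60:03" passes it, but it does not sit at payload offset 0, so the slice filter udp[8:3]==81:60:03 does not. Likewise the second URI contains "gl=se" but not at the end, so the anchored regex rejects it.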

    Filter by a protocol (e.g. SIP) and filter out unwanted IPs:

    •   ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip

    Gotchas

    Some filter fields match against multiple protocol fields. For example, "ip.addr" matches against both the IP source and destination addresses in the IP header. The same is true for "tcp.port", "udp.port", "eth.addr", and others. It's important to note that

    •  ip.addr == 10.43.54.65
      is equivalent to
       ip.src == 10.43.54.65 or ip.dst == 10.43.54.65

    This can be counterintuitive in some cases. Suppose we want to filter out any traffic to or from 10.43.54.65. We might try the following:

    •  ip.addr != 10.43.54.65
      which is equivalent to
       ip.src != 10.43.54.65 or ip.dst != 10.43.54.65

    This translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted.

    Instead we need to negate the expression, like so:

    •  ! ( ip.addr == 10.43.54.65 )
      which is equivalent to
       ! (ip.src == 10.43.54.65 or ip.dst == 10.43.54.65)

    This translates to "pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65", which is what we wanted.
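    The difference between the two negated filters is easiest to see by running both expansions over a handful of packets. The following Python program is an added example, not code from the original page or from Wireshark: it represents each packet as a constructed (ip.src, ip.dst) pair and evaluates "ip.addr != X" and "!(ip.addr == X)" exactly as the text expands them, so the kept-packet lists show why the first form still passes traffic to and from 10.43.54.65. The packets themselves are made up for the example; only the 10.43.54.65 address comes from the page.

```python
from typing import Callable, List, Tuple

Packet = Tuple[str, str]   # (ip.src, ip.dst)

# Constructed sample packets, not captured traffic.
TARGET = "10.43.54.65"
PACKETS: List[Packet] = [
    ("10.43.54.65", "10.1.1.2"),     # sent by the host we want to exclude
    ("10.1.1.2", "10.43.54.65"),     # sent to the host we want to exclude
    ("10.43.54.65", "10.43.54.65"),  # both addresses equal: the only packet '!=' drops
    ("10.1.1.2", "10.1.1.3"),        # unrelated traffic that should pass
]

def ip_addr_ne(pkt: Packet, addr: str) -> bool:
    """ip.addr != addr, expanded as the page describes:
    ip.src != addr or ip.dst != addr  ("at least one side differs")."""
    src, dst = pkt
    return src != addr or dst != addr

def not_ip_addr_eq(pkt: Packet, addr: str) -> bool:
    """!(ip.addr == addr), expanded as:
    !(ip.src == addr or ip.dst == addr)  ("neither side matches")."""
    src, dst = pkt
    return not (src == addr or dst == addr)

def apply_filter(pred: Callable[[Packet, str], bool],
                 packets: List[Packet], addr: str) -> List[Packet]:
    """Return the packets a display filter with this predicate would keep."""
    return [p for p in packets if pred(p, addr)]

if __name__ == "__main__":
    for label, pred in (("ip.addr != X", ip_addr_ne),
                        ("!(ip.addr == X)", not_ip_addr_eq)):
        kept = apply_filter(pred, PACKETS, TARGET)
        print(f"{label:17} keeps {len(kept)} of {len(PACKETS)}: {kept}")
```

    With the classic semantics described on this page, "ip.addr != X" keeps three of the four packets (everything except the one whose source and destination are both X), while "!(ip.addr == X)" keeps only the unrelated packet. Later Wireshark releases (3.6 onward) redefined "!=" to mean "all not equal", which is the second behaviour, and added "!==" for the older "any not equal" reading, so check the display filter reference for the version you run before relying on either form.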

  • Original source: https://www.cnblogs.com/lovemo1314/p/1854135.html