Wireshark capture filter settings

Common syntax

Functions supported by filters (note: the function and field-type syntax in this section is Wireshark's display filter language; the tcpdump/BPF capture-filter examples begin further down):

The filter language also provides the following functions:
upper(string-field) - converts a string to uppercase
lower(string-field) - converts a string to lowercase

upper() and lower() are useful for case-insensitive string comparisons. For example:
upper(ncp.nds_stream_name) contains "MACRO"
lower(mount.dump.hostname) == "angel"

Protocol field types

Every protocol field has a defined type. The types are:
unsigned integer (8, 16, 24 or 32 bits)
signed integer (8, 16, 24 or 32 bits)
Boolean
Ethernet address (6 bytes)
byte array
IPv4 address
IPv6 address
IPX network number
text string
double-precision floating-point number

Integers can be written in three bases (decimal, octal, hexadecimal):

frame.pkt_len > 10
frame.pkt_len > 012
frame.pkt_len > 0xa
Boolean values are written as 1 and 0

Ethernet addresses

eth.dst eq ff:ff:ff:ff:ff:ff
aim.data == 0.1.0.d
fddi.src == aa-aa-aa-aa-aa-aa
echo.data == 7a

IPv4 addresses and hostnames

ip.dst eq www.mit.edu
ip.src == 192.168.1.1

Examples (tcpdump/BPF capture filter syntax):

Capture packets from or to a single IP (e.g. 111.111.111.111):

host 172.18.5.4

Capture packets from or to an IP range:

net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0

From an IP range:

src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0

To an IP range:

dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0

Traffic on a given port:

port 53    // 53 is DNS

Port range:

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

tcp portrange 1501-1549

A specific protocol, e.g. Ethernet type EAPOL, or IP:

ether proto 0x888e
ip

Destination is not a given Ethernet address:

not ether dst 01:80:c2:00:00:0e

Exclude broadcast and multicast traffic:

not broadcast and not multicast

Show HTTP GET requests on port 80:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420    "GET" in hex is 0x474554; the trailing 0x20 is the space that follows it


Bit filters

IP Filters
ip[0] & 0x0f low nibble: header length in 4-octet words. should be 5
ip[1] type of service/QoS/DiffServ
ip[2:2] total length of datagram in octets
ip[4:2] IP ID number
ip[6] & 0x80 reserved bit (possibly used for ECN)
ip[6] & 0x40 DF bit
ip[6] & 0x20 MF bit
ip[6:2] & 0x1fff fragment offset (number of 8-octet blocks)
ip[8] ttl
ip[9] protocol
ip[10:2] header checksum
ip[12:4] source IP
ip[16:4] destination IP
Samples
(ip[12:4] = ip[16:4]) Src IP = Dest IP (land attack)
ip[0] & 0xf0 high nibble: IP version. almost always 4
(ip[0] & 0xf0 != 0x40) IP version != 4
(ip[0:1] & 0x0f > 5) IP with options set
(ip[19] = 0xff) Broadcasts to x.x.x.255
(ip[19] = 0x00) Broadcasts to x.x.x.0
(ip and ip[1] & 0xfc == 0xb8) search for EF in DSCP
(ip and ip[1] & 0xfc == 0x28) search for AF11 in DSCP
(ip and ip[1] & 0xfc != 0x00) search for packets with DSCP != 0
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0) initial fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0) intervening fragments
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0) terminal fragments
(ip[0] & 0x0f) != 5 has IP options (or is truncated, or is just some sort of freak...)
ip[8] < 5 short TTL value
ip[6] = 32 MF set
ip[2:2] > 999 IP packet length greater than 999
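The IP-header sample filters above, applied in Python to constructed IPv4 headers (an added example, not from the original page): fragment_class implements the three fragment rules on ip[6] and ip[6:2], and matching_samples runs the land-attack, DSCP-EF, short-TTL and options checks over a header. All header values are made up for the demo.

```python
import struct


def ipv4_header(flags_frag, dscp=0, ttl=64, src=(192, 168, 1, 1), dst=(10, 0, 0, 1)):
    # Constructed 20-byte IPv4 header (IHL=5, no options). ip[6:2] carries
    # flags + fragment offset, ip[1] carries DSCP<<2 | ECN. Checksum left as 0.
    return struct.pack("!BBHHHBBH4B4B", 0x45, dscp << 2, 20, 1, flags_frag,
                       ttl, 17, 0, *src, *dst)


def fragment_class(pkt):
    # The three fragment rules: ip[6] & 0x20 is MF, ip[6:2] & 0x1fff is the offset
    mf = (pkt[6] & 0x20) != 0
    offset = int.from_bytes(pkt[6:8], "big") & 0x1fff
    if mf and offset == 0:
        return "initial"
    if mf and offset != 0:
        return "intervening"
    if not mf and offset != 0:
        return "terminal"
    return "unfragmented"


# Each entry mirrors one sample filter from the list above
SAMPLES = {
    "land": lambda p: p[12:16] == p[16:20],            # (ip[12:4] = ip[16:4])
    "ef_dscp": lambda p: (p[1] & 0xfc) == 0xb8,        # (ip and ip[1] & 0xfc == 0xb8)
    "short_ttl": lambda p: p[8] < 5,                   # ip[8] < 5
    "has_options": lambda p: (p[0] & 0x0f) != 5,       # (ip[0] & 0x0f) != 5
}


def matching_samples(pkt):
    # Names of the sample filters that match this header, in table order
    return [name for name, match in SAMPLES.items() if match(pkt)]


if __name__ == "__main__":
    for ff in (0x2000, 0x20b9, 0x00b9, 0x4000):
        print(hex(ff), fragment_class(ipv4_header(ff)))
    suspicious = ipv4_header(0x4000, dscp=46, ttl=1, src=(10, 0, 0, 1))
    print(matching_samples(suspicious))
```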
ICMP Filters
icmp[0] type
icmp[1] code
icmp[2:2] checksum
Samples
icmp[0]=0x# all packets with ICMP type #
icmp[0]=0x# and icmp[1]=0x# all packets with ICMP type X and code Y
icmp[0]=8 ICMP Echo Request
icmp[0]=0 ICMP Echo Reply
icmp[0]=0x11 ICMP Address Mask Request
icmp[0]=0x12 ICMP Address Mask Reply
icmp[0]=11 and icmp[1]=0 ICMP Time Exceeded (TTL exceeded in transit)
icmp[0]=3 and icmp[1]=4 ICMP Destination Unreachable, Fragmentation Needed
icmp[0]=8 and ip[2:2] > 64 large ICMP echo requests
TCP Filters
tcp[0:2] source port
tcp[2:2] destination port
tcp[4:4] sequence number
tcp[8:4] ack number
tcp[12] header length (data offset, in 32-bit words, in the high nibble)
tcp[13] tcp flags

---- --S-       0000 0010 = 0x02   normal syn
---A --S-       0001 0010 = 0x12   normal syn-ack
---A ----       0001 0000 = 0x10   normal ack
--UA P---       0011 1000 = 0x38   psh-urg-ack. interactive stuff like ssh
---A -R--       0001 0100 = 0x14   rst-ack. it happens.
---- --SF       0000 0011 = 0x03   syn-fin scan
--U- P--F       0010 1001 = 0x29   urg-psh-fin. nmap fingerprint packet
-Y-- ----       0100 0000 = 0x40   anything >= 0x40 has a reserved bit set (today 0x40 and 0x80 are ECE and CWR)
XY-- ----       1100 0000 = 0xC0   both reserved bits set
XYUA PRSF       1111 1111 = 0xFF   FULL_XMAS scan

tcp[14:2] window size
tcp[16:2] checksum
tcp[18:2] urgent pointer
Samples
tcp[13] = 0x02 is SYN. nothing else.
(tcp[13] & 0x02) != 0 contains SYN. we don't care what else...
(tcp[13] & 0x03) = 3 is some kind of SYN-FIN. really bad
  winnuke (not tested)
tcp[20:4] = 0x47455420 GET in request (assumes a 20-byte TCP header with no options)
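An added example (not from the original page) for the two GET filters and the tcp[13] flag table: it shows why the port-80 form derives the header length from tcp[12] while tcp[20:4] silently misses requests whose TCP header carries options, and renders tcp[13] in the table's XYUA PRSF notation. The packets, ports and the MSS option are constructed for the demo.

```python
import struct


def build_tcp_segment(flags, options=b"", payload=b""):
    # Constructed TCP header; options are NOP-padded to a 4-byte boundary and
    # tcp[12]'s high nibble (data offset) is set to the header length in 32-bit words
    opts = options + b"\x01" * (-len(options) % 4)
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts + payload


def build_ipv4(payload, proto=6):
    # Constructed minimal 20-byte IPv4 header (IHL=5, no options); checksum left as 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                       proto, 0, bytes([192, 168, 1, 1]), bytes([10, 0, 0, 1])) + payload


def tcp_field(pkt, off, n=1):
    # BPF's tcp[off:n]: offset is relative to the TCP header, which starts after the
    # IPv4 header whose length is (ip[0] & 0x0f) 4-octet words
    start = (pkt[0] & 0x0f) * 4 + off
    return int.from_bytes(pkt[start:start + n], "big")


def get_fixed_offset(pkt):
    # tcp[20:4] = 0x47455420: only correct when the TCP header is exactly 20 bytes
    return tcp_field(pkt, 20, 4) == 0x47455420


def get_data_offset(pkt):
    # tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420: (data offset * 16) >> 2 is the
    # header length in bytes, so the read lands on the payload even with options
    return tcp_field(pkt, (tcp_field(pkt, 12) & 0xf0) >> 2, 4) == 0x47455420


def flag_string(flags):
    # tcp[13] in the table's notation, bit 7 (X, CWR) down to bit 0 (F, FIN)
    s = "".join(c if flags & (0x80 >> i) else "-" for i, c in enumerate("XYUAPRSF"))
    return s[:4] + " " + s[4:]


if __name__ == "__main__":
    get = b"GET / HTTP/1.1\r\n"
    plain = build_ipv4(build_tcp_segment(0x18, payload=get))
    with_mss = build_ipv4(build_tcp_segment(0x18, options=b"\x02\x04\x05\xb4", payload=get))
    for name, pkt in (("no options", plain), ("MSS option", with_mss)):
        print(name, flag_string(tcp_field(pkt, 13)), get_fixed_offset(pkt), get_data_offset(pkt))
```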

UDP Filters
udp[0:2] source port
udp[2:2] destination port
udp[4:2] datagram length
udp[6:2] UDP checksum

protocols
ip[9] == 8 EGP
ip[9] == 9 IGP
ip[9] == 88 EIGRP
ip[9] == 50 ESP
ip[9] == 51 AH
ip[9] == 89 OSPF
ip[9] == 124 ISIS
  other, see /etc/protocols

Routing Protocols
(udp and port 520) or (host 224.0.0.9) RIP 1 + 2
tcp and port 179 BGP
ip[9] == 8 EGP
ip[9] == 9 IGP
ip[9] == 88 EIGRP
ip[9] == 89 OSPF
ip[9] == 124 ISIS

ether Filters
ether[20:2] == 0x2000 CDP packets
ether[12:2] == 0x0806 ARP packets

IPv6
ip6 filters native IPv6 traffic (including ICMPv6)
icmp6 filters native ICMPv6 traffic
proto ipv6 filters tunneled IPv6-in-IPv4 traffic
TCP
ip6 and (ip6[6] == 0x06) IPv6 TCP
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02) IPv6 TCP SYN
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10) IPv6 TCP ACK
ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12) IPv6 TCP SYN/ACK
UDP
ip6 and (ip6[6] == 0x11) IPv6 UDP
ICMP
(ip6[6] == 0x3a) ICMPv6
(ip6[6] == 0x3a) and (ip6[40] == 0x01) ipv6 and type 1 Destination Unreachable
(ip6[6] == 0x3a) and (ip6[40] == 0x02) ipv6 and type 2 Packet Too Big
(ip6[6] == 0x3a) and (ip6[40] == 0x03) ipv6 and type 3 Time Exceeded
(ip6[6] == 0x3a) and (ip6[40] == 0x04) ipv6 and type 4 Parameter Problem
(ip6[6] == 0x3a) and (ip6[40] == 0x80) ipv6 and type 128 Echo Request
(ip6[6] == 0x3a) and (ip6[40] == 0x81) ipv6 and type 129 Echo Reply
(ip6[6] == 0x3a) and (ip6[40] == 0x86) ipv6 and type 133 Router Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x87) ipv6 and type 134 Router Advertisement
(ip6[6] == 0x3a) and (ip6[40] == 0x88) ipv6 and type 135 Neighbor Solicitation
(ip6[6] == 0x3a) and (ip6[40] == 0x89) ipv6 and type 136 Neighbor Advertisement

MY Filters
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast

