Wireshark 基础 | 显示过滤篇

目录

简介

「Wireshark 显示过滤」（display filter），即通过过滤筛选，需要显示哪些特定的数据包。

作用

显示过滤器允许将注意力集中在感兴趣的数据包上，同时隐藏当前不感兴趣的数据包。

允许只显示数据包基于：
● 协议
● 字段是否存在
● 字段值
● 字段间的比较
● …

语言

显示过滤器语言由 Wireshark 自身提供，通过不同的过滤表达式可以能够精确地控制显示哪些数据包。

建议

学习资源详见官方文档，包括 Wiki DisplayFilters 和 Display Filters 语法 。

语法

过滤器表达式

[not] primitive [and|or [not] primitive ...]

过滤器表达式由一个或多个原语组成

[x] x为可选
x|y 选x或y
x为必选
xyz xyz为关键字，必需
and（&&）、or（||）、not（!） 代表与、或、非

原语格式

格式

Protocol[.string1.string2...stringN] [Comparison operator] [Value]

protocol

eth、ip、arp、tcp、udp 等。

支持的协议，View → Internals → Supported Protocols

string

addr、port、flags、flags.syn、len 等。

示例

eth.addr == ff:ff:ff:ff:ff:ff
tcp.port == 80
tcp.flags
tcp.flags.syn == 1
ip.len <= 60
...

comparison operator

eq(==)、ne(!=)、gt(>)、lt(<)、ge(>=)、le(<=)、contains、matches(~)、bitiwise_and(&)

示例

ip.src == 10.0.0.5
ip.src != 10.0.0.5
frame.len > 10
frame.len < 128
frame.len ge 0x100
frame.len <= 0x20
udp contains 81:60:03
http.host matches "ace\.(org|com|net)"
tcp.flags & 0x02
...

!= 注意事项

ip.addr == 1.2.3.4，显示所有包括 IP 地址 1.2.3.4 的数据包

ip.addr != 1.2.3.4，显示所有不包括 IP 地址 1.2.3.4 的数据包？语法错误！对于源或目的 IP 地址为 1.2.3.4 的包，该表达式也适用。因为 ip.addr != 1.2.3.4 表达式被理解为 “the packet contains a field named ip.addr with a value different from 1.2.3.4” 。IP 数据包包含源和目的 IP 地址，当两个地址中至少有一个与 1.2.3.4 不同时，表达式的值将为 true 。

!(ip.addr == 1.2.3.4)，显示所有不包括 I P地址 1.2.3.4 的数据包

版本 3.6.0 之后“a != b”已经完全等同于“!(a == b)”。

value

Unsigned integer
可以为 8，16，24，32 或 64 bit 。
十进制、八进制或十六进制表示整数。

示例

ip.len le 1500
ip.len le 02734
ip.len le 0x5dc

Signed integer
可以为8，16，24，32或64 bit。
十进制、八进制或十六进制表示整数。

Boolean
1（真）或 0（假）

无论值是真还是假，布尔值字段都会出现。

譬如 tcp.flags.syn ，syn 存在于所有包含该标志的 TCP 数据包中，无论 syn 标志是 0 还是 1 。

示例

tcp.flags.syn == 1

Ethernet address
6 字节，通过 ：，. ，或者 - 分隔。

示例

eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff
eth.dst == ffff.ffff.ffff

IPv4 address
示例

ip.addr == 192.168.0.1
ip.addr == 10.1.0.0/16

IPv6 address
示例

ipv6.addr == ::1
ipv6.addr == 2400:640:100:100::/64

Text string
示例

http.request.uri == "https://www.wireshark.org/" 

联合表达式

and（&&）

Logical AND

示例

ip.src==10.0.0.1 and tcp.flags.fin

or（||）

Logical OR

示例

ip.scr==10.0.0.1 or ip.src==192.168.1.1

xor（^^）

Logical XOR

示例

tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

Wireshark 目前版本实际不支持

not（!）

Logical NOT

示例

not arp

[…]

Subsequence

示例

eth.src[0:3] == 00:00:83
前三个字节以 00:00:83 开始的以太网源 mac 地址

eth.src[1-2] == 00:83
第二到第三个字节为 00:83 的以太网源 mac 地址

eth.src[:4] == 00:00:83:00
前四个字节以 00:00:83:00 开始的以太网源 mac 地址

eth.src[4:] == 20:20
最后两个字节以 20:20 结尾的以太网源 mac 地址

eth.src[2] == 83
第 3 个字节为 83 的以太网源 mac 地址

eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
复合范围

● Slice Operator，Wireshark 允许选择序列的子序列，在标签之后可以放置一对方括号 []，其中包含逗号分隔的范围说明符列表。

● 指定单个范围的格式：
n:m，n 是起始偏移量，m 是指定的范围的长度；
n-m，n 是起始偏移量，m 是结束偏移量；
:m，等同于 0:m ，从一个序列的起始偏移 m ；
n:，从偏移量 n 到序列的结尾；
n，等同于 n:1 ，从偏移量 n 开始偏移 1 。

● Wireshark 允许将单个范围串在逗号分隔的列表中，形成复合范围。

in

Set Membership

示例

tcp.port in {80 443 8080}
tcp 源或目的端口为 80、 443 或 8080 的数据包，等同于 tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
    
tcp.port in {443 4430..4434}
不等同于 tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434)
因为当任意字段匹配过滤器时都满足比较运算符，所以源端口为 56789 ，目的端口为 80 的数据包也会匹配第二个过滤器，因为 56789 >= 4430 && 80 <= 4434为真。

http.request.method in {"HEAD" "GET"}

ip.addr in {10.0.0.1..10.0.0.9 192.168.1.1..192.168.1.9}

frame.time_delta in {0.001 .. 0.002}
...

● Membership Operator，Wireshark 允许测试字段在一组值或字段中的成员关系。在字段名之后，使用 in 操作符，后跟大括号 {} 包围的集合项。
● 当任意字段匹配过滤器时都满足比较运算符。
● 成员资格操作符根据范围条件测试单个字段。
● 集合项不仅限于数字，其他类型也可以使用。

函数

显示过滤器语言有许多转换字段的函数。

upper

将字符串字段转换为大写。

lower

将字符串字段转换为小写。

示例

lower(http.server) contains "apache"
upper 和 lower 函数可以用来强制不区分大小写的匹配

len

返回字符串或字节字段的字节长度。

示例

len(http.request.uri) > 100
查找具有长请求 uri 的 HTTP 请求

len(ip.addr) == 4
len 函数生成的字符串长度是以字节为单位

count

返回在一个帧中出现字段的数目。

示例

count(ip.addr) > 2
通常一个IP帧只有两个地址(源和目的)，但是在 ICMP 错误或隧道的情况下，单个数据包可能包含更多的地址。

string

将非字符串字段转换为字符串。

示例

string(frame.number) matches "[13579]$"
匹配奇数帧序号

string(ip.dst) matches "^172\.(1[6-9]|2[0-9]|3[0-1])\..{1,3}\.255"
匹配以 255 结尾的 172.16-172.31 子网里的目的 IP
...

● string 函数将字段值转换为字符串，适用于操作符“matches”或“contains”。
● 整数字段被转换为十进制表示。
● 可以用于 IP/以太网地址(以及其他地址)，但不能用于字符串或字节字段。

表达式

对话框

Fidle name

协议字段树中选择一个协议字段。通过展开协议名，可以获得用于筛选该协议的字段名的列表。

TCP

tcp.ack，Acknowledgment number

tcp.analysis，SEQ/ACK analysis

tcp.checksum，Checksum

tcp.flags，Flags
...

IPv4

ip.addr，Source or Destination address

ip.checksum，Header checksum

ip.dst，Destination

ip.id，Identification
...

…

Relation

从可用关系列表中选择一个关系。

is present，一元关系，数据包中存在所选择字段即为真

==、!=、>、<、>=、<=、contains、matches、in，二元关系，输入一个值，可能还有一些范围信息

Value

在“值”文本框中输入适当的值。该值还将指示选择字段名的值的类型(如字符串)。

Predefined Values

一些协议字段具有预定义值可用。

Search

允许搜索完整或部分字段名称或描述。支持正则表达式。

Range

偏移:长度，一组整数或一组范围。

示例

Frame

frame

Frame

frame

frame.encap_type

Encapsulation type

frame.encap_type == 1，Ethernet

frame.time_delta

Time delta from previous captured frame

frame.time_delta <= 0.0001

frame.time_delta_displayed

Time delta from previous displayed frame

frame.number

Frame Number

frame.nubmer == 100

frame.len

Frame length on the wire

frame.len <= 60

frame.cap_len

Frame length stored into the capture file

frame.cap_len <= 60

frame.marked

Frame is marked in the GUI

frame.marked == 0，False

frame.ignored

Frame is ignored by the dissectors

frame.ignored == 0，False

frame.protocols

Protocols carried by this frame

frame.protocols == "eth:ethertype:arp"
frame.protocols == "eth:ethertype:ip:tcp"
frame.protocols == "eth:ethertype:ip:tcp:data"
frame.protocols == "eth:ethertype:ip:udp:data"

frame.coloring_rule.name

The frame matched the coloring rule with this name

frame.coloring_rule.name == "ARP"
frame.coloring_rule.name == "TCP"
frame.coloring_rule.name == "UDP"

frame.coloring_rule.string

The frame matched this coloring rule string

frame.coloring_rule.string == "arp"
frame.coloring_rule.string == "tcp"
frame.coloring_rule.string == "udp"

frame.packet_flags

Packet flags

frame.packet_flags
frame.packet_flags_crc_error
frame.packet_flags_packet_too_error
frame.packet_flags_packet_too_short_error

Ethernet II

eth

Ethernet

eth

eth.addr

Source or Destination Hardware Address

eth.addr == 01:00:2b:63:b3:32

eth.dst

Destination Hardware Address

eth.dst == 01:00:2b:63:b3:32

eth.dst.lg

Specifies if this is an locally administered or globally unique(IEEE assigned) address

eth.dst.lg == 0，Globally unique address(factory default)
eth.dst.lg == 1，Locally administered address(this is NOT the factory default)

eth.dst.ig

Specifies if this is an individual(unicast) or group (broadcast/multicast) address

eth.dst.ig == 0，单播
eth.dst.ig == 1，组播

eth.src

Source Hardware Address

eth.src == 01:00:2b:63:b3:32

eth.src.lg

Specifies if this is an locally administered or globally unique(IEEE assigned) address

eth.src.lg == 0，Globally unique address(factory default)
eth.src.lg == 1，Locally administered address(this is NOT the factory default)

est.src.ig

Specifies if this is an individual(unicast) or group (broadcast/multicast) address

eth.src.ig == 0，单播
eth.src.ig == 1，组播

eth.type

Type

eth.type == 0x0800，IPv4

eth.fcs

Frame check sequence

eth.fcs.status

FCS Status

eth.fcs_bad

Bad checksum

eth.len

Length

eth.padding

Padding

eth.padding

eth.trailer

Trailer

eth.trailer

ARP

arp

Address Resolution Protocol

arp

arp.hw.type

Hardware type

arp.hw.type == 1，Ethernet

arp.proto.type

Protocol type

arp.proto.type == 0x0800，IPv4

arp.hw.size

Hardware size

arp.hw.size == 6

arp.proto.size

Protocol size

arp.proto.size == 4

arp.opcode

Opcode

arp.opcode == 1，request

arp.isgratuitous

Is gratuitous

arp.isgratuitous == 1，True
arp.isgratuitous == 0，False

arp.src.hw_mac

Sender MAC address

arp.src.hw_mac == 01:00:2c:65:b2:32

arp.src.proto_ipv4

Sender IP address

arp.src.proto_ipv4 == 10.1.1.1

arp.dst.hw_mac

Target MAC address

arp.dst.hw_mac == 01:00:2c:65:b2:32

arp.dst.proto_ipv4

Target IP address

arp.dst.proto_ipv4 == 10.1.1.1

arp.duplicate-address-detected

Duplicate IP address configured

arp.duplicate-address-frame

Frame showing earlier use of IP address

arp.packet-storm-detected

ARP packet storm detected

IPv4

ip

Internet Protocol Version 4

ip

ip.version

Version

ip.version == 4

ip.hdr_len

Header Length

ip.hdr_len == 20

ip.dsfield

Differentiated Services Field

ip.dsfield == 0x00

ip.dsfield.dscp

Differentiated Services Codepoint

ip.dsfield.dscp == 0

ip.dsfield.ecn

Explicit Congestion Notification

ip.dsfield.ecn == 0

ip.len

Total Length

ip.len <= 60

ip.id

Identification

ip.id == 0x0000

ip.flags

Flags

ip.flags == 0x4000，Don't fragment

ip.flags.rb

Reserved bit

ip.flags.rb == 0，Not set

ip.flags.df

Don't fragment
    
ip.flags.df == 1

ip.flags.mf

More fragments

ip.flags.mf == 0，Not set

ip.frag_offset

Fragment offset

ip.frag_offset == 0

ip.ttl

Time to live

ip.ttl <= 60

ip.proto

Protocol

ip.proto == 6，TCP
ip.proto == 17，UDP

ip.checksum

Header checksum

ip.checksum == 0xef15

ip.src

Source

ip.src == 10.1.1.1

ip.dst

Destination

ip.dst == 10.1.1.1

ip.fragment

ip.fragment · IPv4 Fragment
ip.fragment.count · Fragment
ip.fragment.error · Defragmentation error

ip.fragments

IPv4 Fragments

ip.opt

ip.opt.addr · IP Address
ip.opt.flag · Flag
ip.opt.id_number · ID Number
ip.opt.len · Length
ip.opt.mtu · MTU
ip.opt.padding · Padding
ip.opt.sid · Stream Identifier
ip.opt.type · Type

ip.reassembled

ip.reassembled.data · Reassembled IPv4 data
ip.reassembled.length · Reassembled IPv4 length
ip.reassembled_in · Reassembled IPv4 in frame

TCP

tcp

Transmission Control Protocol

tcp

tcp.srcport

Source Port

tcp.srcport == 62315

tcp.dstport

Destination Port

tcp.dstport == 443

tcp.stream

Stream index

tcp.stream == 0

tcp.len

TCP Segment Len

tcp.len == 29

tcp.seq

Sequence number

tcp.seq == 95672

tcp.seq_raw

The raw value of the sequence number

tcp.seq_raw == 1696880154

tcp.nxtseq

Next sequence number

tcp.nxtseq == 95701

tcp.ack

Acknowledgment number

tcp.ack == 3040

tcp.ack_raw

The raw value of the acknowledgment number

tcp.ack_raw == 1784144095

tcp.ack.nonzero

The acknowledgment number field is nonzero while the ACK flag is not set

tcp.hdr_len

Header Length

tcp.hdr_len == 20

tcp.flags

Flags

tcp.flags == 0x010

tcp.flags.res

Three reserved bits(must be zero)

tcp.flags.res == 0，Not set

tcp.flags.ns

ECN concealment protection(RFC 3540)
    
tcp.flags.ns == 0，Not set

tcp.flags.cwr

Congestion Window Reduced(CWR)
    
tcp.flags.cwr == 0，Not set

tcp.flags.ecn

ECN-Echo

tcp.flags.ecn == 0，Not set

tcp.flags.urg

Urgent

tcp.flags.urg == 0，Not set

tcp.flags.ack

Ackonwledgment

tcp.flags.ack == 1，Set

tcp.flags.push

Push

tcp.flags.push == 0，Not set

tcp.flags.reset

Reset

tcp.flags.reset == 0，Not set

tcp.flags.syn

Syn

tcp.flags.syn == 0，Not set

tcp.flags.fin

Fin

tcp.flags.fin == 0，Not set

tcp.flags.str

TCP Flags

tcp.flags.str == "\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7"，ACK

tcp.window_size_value

The window size value from the TCP header

tcp.window_size_value == 32709

tcp.window_size

The scaled window size(if scaling has been used)
    
tcp.window_size == 32709

tcp.window_size_scalefactor

The window size scaling factor(-1 when unknown,-2 when no scaling is used)
    
tcp.window_size_scalefactor == -1，unknown
tcp.window_size_scalefactor == -2，no window scaling used
tcp.window_size_scalefactor == 256

tcp.checksum

TCP checksum

tcp.checksum == 0x3305

tcp.checksum.status

Checksum Status

tcp.checksum.status == "Unverified"

tcp.checksum_bad.expert

Bad checksum

tcp.urgent_pointer

Urgent pointer

tcp.urgent_pointer == 0

tcp.analysis

This frame has sone of the TCP analysis shown

tcp.analysis

tcp.analysis.ack_lost_segment

ACKed segment that wasn't captured(common at capture start)

tcp.analysis.ack_rtt

The RTT to ACK the segment was

tcp.analysis.ack_rtt == 0.0001

tcp.analysis.acks_frame

This is an ACK to the segment in frame

tcp.analysis.acks_frame == 100

tcp.analysis.bytes_in_flight

How many bytes are now in flight for this connection

tcp.analysis.bytes_in_flight == 12

tcp.analysis.duplicate_ack

Duplicate ACK

tcp.analysis.duplicate_ack_frame

Duplicate to the ACK in frame

tcp.analysis.duplicate_ack_frame == 114

tcp.analysis.duplicate_ack_num

Duplicate ACK #

tcp.analysis.duplicate_ack_num == 1

tcp.analysis.fast_retransmission

This frame is a (suspected) fast retransmission

tcp.analysis.flags

TCP Analysis Flags

tcp.analysis.initial_rtt

iRTT

tcp.analysis.initial_rtt <= 0.020000

tcp.analysis.keep_alive

TCP keep-alive segment

tcp.analysis.keep_alive_ack

ACK to a TCP keep-alive segment

tcp.analysis.lost_segment

Previous segment(s) not captured (common at capture start)

tcp.analysis.out_of_order

This frame is a (suspected) out_of_order segment

tcp.analysis.push_bytes_sent

How many bytes have been sent since the last PSH flag

tcp.analysis.push_bytes_sent == 12

tcp.analysis.retransmission

This frame is a (suspected) retransmission

tcp.analysis.reused_ports

A new tcp session is started with the same ports as an earlier session in this trace

tcp.analysis.rto

The RTO for this segment was

tcp.analysis.rto <= 1

tcp.analysis.rto_frame

RTO based on delta from frame

tcp.analysis.rto_frame == 100

tcp.analysis.spurious_retransmission

This frame is a (suspected) spurious retransmission

tcp.analysis.tfo_syn

TCP SYN with TFO Cookie

tcp.analysis.window_full

TCP window specified by the receiver is now completely full

tcp.analysis.window_update

TCP window update

tcp.analysis.zero_window

TCP Zero Window segment

tcp.analysis.zero_window_probe

TCP Zero Window Probe

tcp.analysis.zero_window_probe_ack

ACK to a TCP Zero Window Probe

tcp.connection.fin

Connection finish(FIN)

tcp.connection.rst

Connection reset(RST)

tcp.connection.sack

Connection establish acknowledge(SYN+ACK)

tcp.connection.syn

Connection establish request(SYN)

tcp.fin_retransmission

Retransmission of FIN from frame

tcp.option.len.invalid

Invalid length for option

tcp.option_len

Length

tcp.options

TCP Options

tcp.options

tcp.options.echo_value

TCP Echo Option

tcp.options.mss.absent

The SYN packet does not contain a MSS option

tcp.options.mss.present

The non-SYN packet does contain a MSS option

tcp.options.sack.count

TCP SACK Count

tcp.options.sack_le

TCP SACK Left Edge

tcp.options.sack_re

TCP SACK Right Edge

tcp.options.tfo

TCP Fast Open

tcp.options.tfo.cookie

Fast Open Cookie

tcp.options.tfo.request

Fast Open Cookie Request

tcp.options.md5

TCP MD5 signature

tcp.time_relative

Time relative to first frame in this TCP stream

tcp.time_delta

Time delta from previous frame in this TCP stream

tcp.payload

The TCP payload of this packet

tcp.pdu.last_frame

Last frame of this PDU

tcp.pdu.size

PDU Size

tcp.pdu.time

Time until the last segment of this PDU

tcp.reassembled.data

Reassembled TCP Data

tcp.reassembled.length

Reassembled TCP length

tcp.reassembled_in

Reassembled PDU in frame

tcp.reset_cause

Reset cause

tcp.segment

TCP segment

tcp.segment

tcp.segment.count

Segment count

tcp.segment.error

Reassembling error

tcp.segment_data

TCP segment data

tcp.segments

Reassembled TCP segments

data

Data

data

UDP

udp

User Datagram Protocol

udp

udp.srcport

Source Port

udp.srcport == 53354

udp.dstport

Destination Port

udp.dstport == 22313

udp.length

Length

udp.length == 16

udp.checksum

UDP Checksum

udp.checksum == 0xb4c0

udp.checksum.status

Checksum Status

udp.checksum.status == "Unverified"

udp.checksum.bad

Bad checksum

udp.stream

Stream index

udp.stream == 34

udp.time_relative

Time relative to first frame in this UDP stream

udp.time_delta

Time delta from previous frame in this UDP stream

udp.pdu.size

PDU Size

data

Data

data

HTTP

http

Hypertext Transfer Protocol

http

http.request.method

HTTP Request Method

http.request.method == "POST"

http.request.uri

HTTP Request-URI

http.request.uri == "/www/api/xxx"

http.request.version

HTTP Request HTTP-Version

http.request.version == "HTTP/1.1"

http.host

HTTP host

http.host == "www.baidu.com"

http.connection

HTTP Connection

http.connection == "keep-alive"

http.content_lenth_header

HTTP Content-Length header

http.content_length_header == "144"

http.user_agent

HTTP User-Agent header

http.user_agent == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

http.content_type

HTTP Content-Type

http.content_type == "application/x-www-form-urlencoded; charset=utf-8"

http.accept

HTTP Accept

http.accept == "*/*"

http.accept_encoding

HTTP Accept Encoding

http.accept_encoding == "gzip, deflate"

http.accept_language

HTTP Accept Language

http.accept_language == "zh-CN,zh;q=0.9"

http.request.full_uri

The full requested URI(including host name)

http.request.full_uri == "https://www.baidu.com/xxx/xxx"

http.response.version

HTTP Response HTTP-Version

http.response.version == "HTTP/1.1"

http.response.code

HTTP Response Status Code

http.response.code == 200

http.server

HTTP Server

http.server == "nginx" 

http.time

Time since the request was sent

http.time >= 0.05

DNS

dns

Domain Name System

dns

dns.id

Identification of transaction

dns.id == 0xc4e1

dns.flags

Flags

dns.flags == 0x0100

dns.flags.response

Is the message a response?

dns.flags.response == 0

dns.count.queries

Number of queries in packet

dns.count.queries == 1

dns.qry.name

Query Name

dns.qry.name == "www.baidu.com"

dns.qry.type

Query Type

dns.qry.type == 1

dns.count.answers

Number of answers in packet

dns.count.answers == 2

dns.resp.name

Response Name

dns.resp.name == "www.baidu.com"

dns.resp.type

Response Type

dns.resp.type == 5

dns.resp.ttl

Response TTL

dns.resp.ttl == 993

dns.resp.len

Response Length

dns.resp.len == 22

dns.cname

Response Primary Name

dns.cname == "www.a.shifen.com"

dns.a

Response Address

dns.a == 180.101.49.11

dns.time

The time between the Query and the Response

dns.time >= 0.005

---

感谢阅读，更多技术文章可关注个人公众号：Echo Reply ，谢谢。