wireshark抓包常用过滤规则

0.protocol过滤：

tcp
udp
arp
icmp
http
smtp
ftp
dns
msnms
ip
ssl
oicq
bootp
等

1.mac过滤：

eth.dst == A0:00:00:04:C5:84
eth.src eq A0:00:00:04:C5:84
eth.dst==A0:00:00:04:C5:84
eth.dst==A0-00-00-04-C5-84

2.ip过滤：

ip.addr == 10.43.54.65
// 常量的研究两者间的通信
ip.addr== 192.168.8.54 || ip.addr== 112.80.248.74
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65

3.tcp和udp过滤：

tcp.port == 80
tcp.port eq 80 or udp.port eq 80
tcp.port eq 25 or icmp
tcp.port >= 1 and tcp.port <= 80
tcp.window_size == 0 && tcp.flags.reset != 1
udp.length == 26

tcp类型和内容：
tcp[13] & 0×00 = 0: No flags set (null scan)
tcp[13] & 0×01 = 1: FIN set and ACK not set
tcp[13] & 0×03 = 3: SYN set and FIN set
tcp[13] & 0×05 = 5: RST set and FIN set
tcp[13] & 0×06 = 6: SYN set and RST set
tcp[13] & 0×08 = 8: PSH set and ACK not set

    
包长过滤：
udp.length == 26 这个长度是指udp本身固定长度8加上udp下面那块数据包之和
tcp.len >= 7  指的是ip数据包(tcp下面那块数据),不包括tcp本身
ip.len == 94 除了以太网头固定长度14,其它都算是ip.len,即从ip本身到最后
frame.len == 119 整个数据包长度,从eth开始到最后

4.http过滤：

// 常用的域名
http.host == party.syyx.com
http.response.code == 404
http.content_type contains "javascript"
http.request.uri matches "gl=se$"
http.request.method == "GET"
http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif"
http contains "GET"
http contains "HTTP/1."

// GET包
http.request.method == "GET" && http contains "Host: "
http.request.method == "GET" && http contains "User-Agent: "
// POST包
http.request.method == "POST" && http contains "Host: "
http.request.method == "POST" && http contains "User-Agent: "
// 响应包
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "
http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
一 定包含如下
Content-Type:

参考文章，更多详细见：

https://wiki.wireshark.org/DisplayFilters
http://www.askapache.com/software/sniff-http-to-debug-apache-htaccess-and-httpdconf.html
https://wiki.wireshark.org/CaptureFilters
http://blog.sina.com.cn/s/blog_48a0f2740100ka71.html
http://blog.jobbole.com/74018/