Wireshark/Tshark Capture Filters and Display Filters


Wireshark has two kinds of filters: Capture Filters and Display Filters.
Capture Filters are applied while packets are being captured, so the saved capture does not grow too large. They are typically used on high-traffic links (hundreds of Mbps or even several Gbps) to record only the packets we care about. Because the filter runs before anything is written to disk, a packet it drops is gone for good, so keep a capture filter no narrower than you are sure of.
Display Filters filter what is shown. These are the ones used most often: when traffic is modest, the usual approach is to capture everything and then narrow it down with Display Filters, which can be changed at any time without losing data.
The two syntaxes are not the same:
Capture Filter syntax is the same as tcpdump's BPF syntax (man tcpdump, or man pcap-filter on newer systems),
Display Filter syntax is Wireshark's own (man wireshark-filter).
In tshark the two are given with different options as well: -f takes a capture filter, -Y takes a display filter (older releases used -R).

A few common examples show how the two kinds of filters differ.

Examples where the notation is the same
Only ARP packets
Capture Filter: arp
Display Filter: arp

Only IP packets
Capture Filter: ip
Display Filter: ip

Only TCP packets
Capture Filter: tcp
Display Filter: tcp

Only UDP packets
Capture Filter: udp
Display Filter: udp

Only ICMP packets
Capture Filter: icmp
Display Filter: icmp

Examples where the notation differs
Packets to or from a specific IP
Capture Filter: host 192.168.1.1
Display Filter: ip.addr==192.168.1.1

Packets to or from a specific subnet
Capture Filter: net 192.168.0.0/24
Display Filter: ip.addr==192.168.0.0/24

TCP port 80 packets (source or destination port)
Capture Filter: tcp port 80
Display Filter: tcp.port==80

UDP port 53 packets (source or destination port)
Capture Filter: udp port 53
Display Filter: udp.port==53

Destination TCP port 25 packets
Capture Filter: tcp dst port 25
Display Filter: tcp.dstport==25

Logical expressions
Capture Filter: and, or, not (&&, ||, ! are accepted as well)
Display Filter: and, &&, or, ||, not, !

Comparison operators
Capture Filter: =, !=, >, <, >=, <= (== is accepted as a synonym for =). These only apply to byte-offset expressions such as tcp[13] & 2 != 0 (TCP SYN flag set); primitives like host and port take no operator.
Display Filter: eq, ==, ne, !=, gt, >, lt, <, ge, >=, le, <=
Caveat: fields such as ip.addr and tcp.port carry two values per packet (source and destination). ip.addr==192.168.1.1 is true when either value matches, and in Wireshark releases before 4.0 ip.addr!=192.168.1.1 was likewise true when either value differed, so it still showed the host's traffic. Write !(ip.addr==192.168.1.1) instead, which behaves the same in every release and matches the capture filter not host 192.168.1.1.

Specific host and port 80
Capture Filter: host 192.168.1.1 and port 80
Display Filter: ip.addr==192.168.1.1 && tcp.port==80
(Note that the capture filter's port 80 matches both TCP and UDP; tcp port 80 is the exact equivalent of tcp.port==80.)
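
To show how the two-sided fields in the table above behave, here is a small model of display-filter comparisons written for this post. It is an added example, not Wireshark code or tshark output: packets are plain dicts, the sample capture is constructed, only the handful of fields used above are modelled, and the choice that a comparison against a field the packet lacks matches nothing is a modelling assumption. It reproduces why ip.addr==X matches both directions, why the CIDR form ip.addr==192.168.0.0/24 works, and why ip.addr!=X was a trap before Wireshark 4.0 while !(ip.addr==X) is not.

```python
"""Toy model of Wireshark display-filter comparisons on "either-side" fields.
Added example for this post, not Wireshark code. Packets are plain dicts and
only ip.addr / tcp.port / udp.port and their one-sided halves are modelled."""
import ipaddress

# Constructed sample capture (not real traffic); the list index is the frame number.
PACKETS = [
    {"ip.src": "192.168.1.1", "ip.dst": "10.0.0.5", "tcp.srcport": 443, "tcp.dstport": 51000},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.1", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"ip.src": "10.0.0.7", "ip.dst": "8.8.8.8", "udp.srcport": 40000, "udp.dstport": 53},
    {"ip.src": "172.16.0.9", "ip.dst": "10.0.0.7", "tcp.srcport": 52000, "tcp.dstport": 25},
]

# Combined fields expand to both directions; anything else is a single field.
EITHER_SIDE = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}


def field_values(pkt, name):
    """Every value the field takes in this packet. A field the packet does not
    carry (tcp.port on a UDP datagram) yields an empty list."""
    return [pkt[n] for n in EITHER_SIDE.get(name, (name,)) if n in pkt]


def value_matches(actual, wanted):
    """One value against the filter literal. An IPv4 literal in CIDR form
    (192.168.0.0/24) matches any address inside that network, as
    `ip.addr == 192.168.0.0/24` does in Wireshark."""
    if isinstance(wanted, str) and "/" in wanted:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return actual == wanted


def match(pkt, name, op, wanted):
    """Evaluate `name op wanted` over every value of the field.
    '=='     true if ANY value equals the literal (Wireshark's == on such fields)
    'any_ne' true if ANY value differs: how Wireshark before 4.0 read '!='
    'all_ne' true only if ALL values differ: Wireshark's '!==', and '!=' from 4.0 on
    An empty value list (field absent) is modelled here as no match."""
    vals = field_values(pkt, name)
    if op == "==":
        return any(value_matches(v, wanted) for v in vals)
    if op == "any_ne":
        return any(not value_matches(v, wanted) for v in vals)
    if op == "all_ne":
        return bool(vals) and all(not value_matches(v, wanted) for v in vals)
    raise ValueError("unsupported operator: " + op)


def select(packets, *terms):
    """Frame numbers satisfying every (name, op, wanted) term, i.e. the terms
    joined with && as in `ip.addr==192.168.1.1 && tcp.port==443`."""
    return [i for i, p in enumerate(packets) if all(match(p, *t) for t in terms)]


def exclude_host_trap(packets, host):
    """`ip.addr != host` as Wireshark before 4.0 evaluated it. The host's own
    traffic survives, because the far end of each such packet differs."""
    return [i for i, p in enumerate(packets) if match(p, "ip.addr", "any_ne", host)]


def exclude_host(packets, host):
    """`!(ip.addr == host)`: negate the whole comparison. This drops the host's
    traffic in every release and is what the capture filter `not host X` does."""
    return [i for i, p in enumerate(packets) if not match(p, "ip.addr", "==", host)]


if __name__ == "__main__":
    print("ip.addr==192.168.1.1        ->", select(PACKETS, ("ip.addr", "==", "192.168.1.1")))
    print("ip.addr==192.168.1.0/24     ->", select(PACKETS, ("ip.addr", "==", "192.168.1.0/24")))
    print("udp.port==53                ->", select(PACKETS, ("udp.port", "==", 53)))
    print("tcp.dstport==25             ->", select(PACKETS, ("tcp.dstport", "==", 25)))
    print("ip.addr!=192.168.1.1 (<4.0) ->", exclude_host_trap(PACKETS, "192.168.1.1"))
    print("!(ip.addr==192.168.1.1)     ->", exclude_host(PACKETS, "192.168.1.1"))
```

Running the script lists which constructed frames each filter keeps; the two exclusion functions side by side are the point, since the first keeps every frame and only the second drops frames 0 and 1.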

Display Filters are far more flexible: they can dissect the packet and filter on detailed protocol fields.
For example, to show only HTTP POST requests:
http.request.method == "POST"
For the full list of field names, see the Wireshark - Display Filter Reference.

This page contains a single entry by Pank published on May 18, 2015 4:47 PM.