wireshake 用法小结
wireshark过滤基本命令?
一、IP过滤:
ip.src==192.168.22.143
ip.dst==192.168.22.124
?
二、端口过滤:
tcp.port==514 or udp.port == 514
tcp.port >= 1 and tcp.port <= 80
?
三、协议过滤:
tcp udp arp icmp http smtp ftp dns msnms ip ssl 等等?
排除ssl: !ssl 或者 not ssl?
?
四、包长度过滤:?
udp.length == 26 这个长度是指udp本身固定长度8加上udp下面那块数据包之和?
tcp.len >= 7 指的是ip数据包(tcp下面那块数据),不包括tcp本身?
ip.len == 94 除了以太网头固定长度14,其它都算是ip.len,即从ip本身到最后?
frame.len == 119 整个数据包长度,从eth开始到最后?
?
五、http模式过滤:?
http.request.method == “GET”?
http.request.method == “POST”?
http.request.uri == “/img/logo-edu.gif”
http contains “GET” http contains “HTTP/1.”?
// GET包
http.request.method == “GET” && http contains “Host: ” http.request.method == “GET” && http contains “User-Agent: ”?
// POST包?
http.request.method == “POST” && http contains “Host: ” http.request.method == “POST” && http contains “User-Agent: ”?
// 响应包?
http contains “HTTP/1.1 200 OK” && http contains “Content-Type: ” http contains “HTTP/1.0 200 OK” && http contains “Content-Type: ” 一定包含如下 Content-Type:?
?
六、连接符 and / or?
?
七、表达式:!(arp.src==192.168.1.1) and !(arp.dst.proto_ipv4==192.168.1.243)?