`

wireshark display filter usage

 
阅读更多

Filtering packets while viewing

-------------------------------

After capturing packets or loading some network traffic from a file, Wireshark will display the packet data immediately on the screen.

 

Using display filters, you can choose which packets should (not) be shown on the screen. This is useful to reduce the "noise" usually on the network, showing only the packets you want to. So you can concentrate on the things you are really interested in. 

 

The display filter will not affect the data captured, it will only select which packets of the captured data are displayed on the screen.

 

Everytime you change the filter string, all packets will be reread from the capture file (or from memory), and processed by the display filter "machine". Packet by packet, this "machine" is asked, if this particular packet should be shown or not.

 

Wireshark offers a very powerful display filter language for this. It can be used for a wide range of purposes, from simply: "show only packets from a specific IP address", or on the other hand, to very complex filters like: "find all packets where a special application specific flag is set".

 

Note: This display filter language is different from the one used for the Wireshark capture filters!

 

-------------------------------------------------

 

Some common examples

--------------------

Example Ethernet: display all traffic to and from the Ethernet address 08.00.08.15.ca.fe

 

eth.addr==08.00.08.15.ca.fe

 

Example IP: display all traffic to and from the IP address 192.168.0.10

 

ip.addr==192.168.0.10

 

Example TCP: display all traffic to and from the TCP port 80 (http) of all machines

 

tcp.port==80

 

Examples combined: display all traffic to and from 192.168.0.10 except http

 

ip.addr==192.168.0.10 && tcp.port!=80

 

Beware: The filter string builds a logical expression, which must be true to show the packet. The && is a "logical and", "A && B" means: A must be true AND B must be true to show the packet (it doesn't mean: A will be shown AND B will be shown). 

 

-------------------------------------------------

 

Hint

----

Filtering can lead to side effects, which are sometimes not obvious at first sight. Example: If you capture TCP/IP traffic with the primitive "ip", you will not see the ARP traffic belonging to it, as this is a lower protocol layer than IP!


分享到:
评论

相关推荐

    wireshark-filter - The Wireshark Network Analyzer 2.4.1

    wireshark-filter - The Wireshark Network Analyzer 2.4.1 1

    wireshark_filter_process_name.7z

    2. **显示过滤器(Display Filters)**:这些是在数据包捕获完成后,用于筛选显示在Wireshark界面中的数据包。对于进程过滤,可能需要一个可以根据进程ID或进程名称识别数据包的自定义过滤器。 3. **进程解析**:在...

    wireshark-gm-wireshark

    Wireshark-GM-Wireshark 是一个专为中国用户定制的Wireshark版本,它集成了许多方便国内用户的功能和优化。Wireshark是一款全球知名的网络封包分析软件,广泛用于网络故障排查、性能分析以及网络安全检测。在这个...

    wireshark分析RTP丢包率

    在 Wireshark 的 Filter 栏中输入 "udp.port eq 6072",然后按回车键,这样我们就可以过滤出给定端口下的数据。 Step 4: 分析 RTP 流 选择 Telephony 菜单下的 RTP 选项,然后点击 Stream Analysis 按钮。等待一段...

    wireshark_winpcap_filter_learning.zip_winpcap filter_wireshark

    在这个“wireshark_winpcap_filter_learning.zip”压缩包中,包含了一份关于WinPCap过滤器和Wireshark过滤表达式的教程,旨在帮助用户深入理解如何高效地使用这两款工具。 `winPcap.chm`是WinPCap的帮助文档,它...

    Mastering Wireshark 2 pdf

    As you progress through the chapters, you will discover different ways to create, use, capture, and display filters. By halfway through the book, you will have mastered Wireshark features, analyzed ...

    Wireshark实验讲义.doc

    Wireshark 的主界面分为几个部分,包括 Display Filter、Packet List Pane 和 Packet Details Pane。Packet List Pane 显示捕获到的分组,有序号列、时间列、源地址列和目标地址列、协议列、分组长度列及相关信息列...

    WireShark使用教程.pdf

    1. **Display Filter(显示过滤器)**:用户可以输入特定的过滤表达式,筛选出需要关注的数据包。这有助于在大量捕获记录中快速定位目标信息。 2. **Packet List Pane(封包列表)**:列出所有捕获的数据包,包括源...

    wireshark

    wireshark

    Wireshark从入门到精通视频.zip

    0.1 Wireshark协议分析从入门到精通课程介绍.mp4 1.1.1 Wireshark安装入门之软件介绍.mp4 1.1.2 Wireshark安装入门之抓包原理.mp4 1.1.3 WireShark安装入门之初始安装.mp4 1.1.4 WireShark安装入门之快速抓包.mp4 ...

    国密SSL的wireshark解析脚本gmssl-wireshark-main.zip

    《深入理解国密SSL与Wireshark解析脚本——gmssl_wireshark-main.zip详解》 国密SSL,全称为“国家商用密码SSL”,是中国自主研发的网络安全协议,旨在保护国内互联网通信的安全性和隐私性。它基于国际SSL/TLS协议...

    wireshark2.0版本抓包工具

    Wireshark拥有许多强大的特性:包含有强显示过滤器语言(rich display filter language)和查看TCP会话重构流的能力;它更支持上百种协议和媒体类型; 拥有一个类似tcpdump(一个Linux下的网络协议分析工具)的名为...

    Wireshark学习笔记

    4. 读取配置文件:包括读取capture filter和display filter文件,分别保存在capture_filter和display_filter全局变量中。 5. 读取disabled protocols文件:保存全局变量global_disabled_protos和disabled_protos中。...

    wireshark 包解析插件

    该资源为用脚本编写的适用于wireshark的一个新的协议。即当wireshark不能及时解析一些新的协议时,可以自己动手根据新协议字段编写解析文件。有新协议的话可以基于此脚本改写. 使用方法: 1. 打开wireshark根目录中...

    wireshark-4.2.0源代码

    3. **过滤语言( display filters)**:Wireshark支持一种强大的过滤语言,允许用户根据需要快速筛选数据包。源代码中会包含这些过滤规则的解析和执行机制。 4. **协议开发套件(PDK)**:Wireshark提供了PDK,让...

    wireshark MQTT协议抓取

    Wireshark是一款强大的网络封包分析软件,常用于网络故障排查、网络安全分析和协议学习。在本场景中,我们关注的是使用Wireshark抓取和分析MQTT(Message Queuing Telemetry Transport)协议的数据包。MQTT是一种轻...

    wireshark-3.0.2.tar.gz

    Wireshark是一款强大的网络封包分析软件,常用于网络故障排查、网络安全分析和协议开发等场景。标题中的"wireshark-3.0.2.tar.gz"表明我们要讨论的是Wireshark的3.0.2版本,这是一个源码压缩包,通常需要编译安装。...

    wireshark中文破解版

    wireshark中文破解版,wireshark中文破解版,wireshark中文破解版,亲测好用

Global site tag (gtag.js) - Google Analytics