Filtering packets while capturing
---------------------------------
Capture filters are used to discard uninteresting packets at capture time. This is done to reduce the size of the resulting capture (file) and is especially useful on high-traffic networks or for long-term capturing. Beware that a packet rejected by a capture filter is never written to the file and cannot be recovered later; when you are not yet sure what you will need (for example while investigating an incident), capture more and narrow the view with display filters afterwards.
Wireshark uses the pcap (libpcap, and WinPcap or Npcap on Windows) filter language for capture filters. This language is explained in the pcap-filter(7) man page shipped with libpcap; older tcpdump man pages describe it under "expression" (http://www.tcpdump.org and search for "selects which").
Note: This capture filter language is different from the one used for the Wireshark display filters!
-------------------------------------------------
Some common examples
--------------------
Example Ethernet: capture all traffic to and from the Ethernet address 08:00:08:15:ca:fe
ether host 08:00:08:15:ca:fe
Example IP: capture all traffic to and from the IP address 192.168.0.10
host 192.168.0.10
Example TCP: capture all traffic to and from TCP port 80 (HTTP) on all machines
tcp port 80
Examples combined: capture all traffic to and from 192.168.0.10 except HTTP (TCP port 80)
host 192.168.0.10 and not tcp port 80
Beware: if you capture TCP/IP traffic with the primitives "host" or "port", you will not see the ARP traffic belonging to it! ARP frames carry no IP header, so they match neither primitive; append "or arp" to the filter (for example "host 192.168.0.10 or arp") if you need to see address resolution for the host as well.
-------------------------------------------------
Capture Filter Syntax
---------------------
The following is a short description of the capture filter language syntax. For a further reference, have a look at: http://www.tcpdump.org/tcpdump_man.html
A capture filter takes the form of a series of primitive expressions, connected by conjunctions (and/or) and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
"not" binds tightest; "and" and "or" have equal precedence and are evaluated left to right, so "a or b and c" means "(a or b) and c". Use parentheses to group the primitives differently, and quote the whole filter when typing it into a shell so that the parentheses reach the filter compiler rather than the shell.
A primitive is simply one of the following:
[src|dst] host <host>
This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected. A host name is resolved to its address(es) once, when the filter is compiled, not per packet; a host whose address changes during the capture will no longer be matched.
ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.
gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.
[src|dst] net <net> [mask <mask>|/<len>]
This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these is present, packets will be selected that have the specified network in either the source or destination address. The network may be given with an explicit netmask (net 192.168.0.0 mask 255.255.255.0) or with a CIDR (Classless Inter-Domain Routing) prefix length (net 192.168.0.0/24). Without either, the mask is derived from how many octets you write: net 10 means 10.0.0.0/8, net 172.16 means 172.16.0.0/16 and net 192.168.1 means 192.168.1.0/24.
[tcp|udp] [src|dst] port <port>
This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp, which allow you to specify that you are only interested in source or destination ports and in TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst.
If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified port number appears in either the source or destination port field.
less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively. The length is that of the whole frame as seen on the wire, link-layer header included.
ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer, given as a number (ip proto 17) or a name. Names that are also filter keywords must be escaped with a backslash (ip proto \udp, ether proto \arp), and in a shell the backslash itself needs quoting; the shorthand keywords tcp, udp, icmp and arp are equivalent and easier to type.
ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.
<expr> relop <expr>
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets; for example, tcp[13] & 2 != 0 selects TCP segments with the SYN flag set (byte 13 of the TCP header holds the flags). Please see the tcpdump man pages for more details.
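As an added example that is not Wireshark's or libpcap's code, the following Python script implements a toy evaluator for the subset of the capture-filter language described in the two sections above (host, ether host, net, port, less/greater, the bare protocol keywords, and not/and/or without parentheses) and runs the filters from "Some common examples" against a handful of constructed frames. The MAC address 08:00:08:15:ca:fe is reused from the example; the gateway MAC 00:aa:bb:cc:dd:ee, the IP addresses, ports and payloads are made up, no checksums are computed and frames are not padded to the Ethernet minimum. Its purpose is to make the semantics checkable offline, in particular why "host 192.168.0.10" never selects an ARP frame and how left-to-right evaluation of and/or works; real filters are compiled by libpcap.

```python
"""Toy evaluator for a subset of the pcap capture-filter language (added example).
NOT libpcap or Wireshark code: it decodes a few constructed frames and evaluates
'[not] primitive [and|or [not] primitive ...]' (no parentheses) against them."""
import ipaddress
import struct

ETH_IP, ETH_ARP, PROTO_TCP, PROTO_UDP = 0x0800, 0x0806, 6, 17

def mac(s):
    return bytes.fromhex(s.replace(':', ''))

def ip4(s):
    return ipaddress.IPv4Address(s).packed

# --- constructed sample frames (synthetic: no checksums, no Ethernet padding) ---
def eth_frame(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack('!H', ethertype) + payload

def ipv4_packet(src, dst, proto, payload):  # 20-byte header, TTL 64, checksum 0
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip4(src), ip4(dst)) + payload

def tcp_segment(sport, dport, payload=b''):  # 20-byte header, data offset 5, PSH|ACK
    return struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload=b''):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload

def arp_request(smac, sip, tip):  # "who has tip? tell sip"
    return struct.pack('!HHBBH6s4s6s4s', 1, ETH_IP, 6, 4, 1, mac(smac), ip4(sip), b'\0' * 6, ip4(tip))

CLIENT, GATEWAY = '08:00:08:15:ca:fe', '00:aa:bb:cc:dd:ee'  # assumed MAC addresses
SAMPLE_FRAMES = {
    'http_req': eth_frame(GATEWAY, CLIENT, ETH_IP, ipv4_packet('192.168.0.10', '203.0.113.5', PROTO_TCP,
                                                                tcp_segment(51000, 80, b'GET / HTTP/1.1\r\n'))),
    'dns_query': eth_frame(GATEWAY, CLIENT, ETH_IP, ipv4_packet('192.168.0.10', '192.168.0.1', PROTO_UDP,
                                                                 udp_datagram(40000, 53, b'\x12\x34'))),
    'ssh_reply': eth_frame(CLIENT, GATEWAY, ETH_IP, ipv4_packet('10.0.0.7', '192.168.0.10', PROTO_TCP,
                                                                 tcp_segment(22, 52000))),
    'arp_who_has': eth_frame('ff:ff:ff:ff:ff:ff', CLIENT, ETH_ARP,
                             arp_request(CLIENT, '192.168.0.10', '192.168.0.1')),
}

def decode(frame):
    """Extract only the fields the primitives below look at."""
    f = {'len': len(frame), 'ether_dst': frame[0:6].hex(':'), 'ether_src': frame[6:12].hex(':'),
         'ethertype': struct.unpack('!H', frame[12:14])[0]}
    if f['ethertype'] == ETH_IP:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        f['ip_src'], f['ip_dst'] = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
        f['ip_proto'] = ip[9]
        if f['ip_proto'] in (PROTO_TCP, PROTO_UDP):
            f['sport'], f['dport'] = struct.unpack('!HH', ip[ihl:ihl + 4])
    return f  # an ARP frame gets no ip_* keys, so 'host' and 'port' can never match it

def match_primitive(tokens, f):
    """Evaluate one primitive, e.g. ['tcp', 'src', 'port', '80'], against decoded frame f."""
    toks = list(tokens)
    qual = toks.pop(0) if toks[0] in ('ether', 'ip', 'arp', 'tcp', 'udp') else None
    if not toks:  # bare protocol keyword: ip / arp / tcp / udp
        return {'ip': f['ethertype'] == ETH_IP, 'arp': f['ethertype'] == ETH_ARP,
                'tcp': f.get('ip_proto') == PROTO_TCP, 'udp': f.get('ip_proto') == PROTO_UDP}[qual]
    direction = toks.pop(0) if toks[0] in ('src', 'dst') else None
    kind, value = toks[0], toks[1]

    def either(src_key, dst_key, pred):  # src/dst picks one side; default is either side
        src_ok = src_key in f and pred(f[src_key])
        dst_ok = dst_key in f and pred(f[dst_key])
        return {'src': src_ok, 'dst': dst_ok, None: src_ok or dst_ok}[direction]

    if kind == 'host' and qual == 'ether':
        return either('ether_src', 'ether_dst', lambda a: a == value.lower())
    if kind == 'host':  # IPv4 address only in this toy (no name resolution)
        return either('ip_src', 'ip_dst', lambda a: a == value)
    if kind == 'net':  # 'net N/len' or 'net N mask M'
        spec = f'{value}/{toks[3]}' if len(toks) > 3 and toks[2] == 'mask' else value
        net = ipaddress.ip_network(spec, strict=False)
        return either('ip_src', 'ip_dst', lambda a: ipaddress.ip_address(a) in net)
    if kind == 'port':  # plain 'port' means TCP or UDP; 'tcp port' / 'udp port' narrows it
        wanted = {'tcp': (PROTO_TCP,), 'udp': (PROTO_UDP,)}.get(qual, (PROTO_TCP, PROTO_UDP))
        return f.get('ip_proto') in wanted and either('sport', 'dport', lambda p: p == int(value))
    if kind in ('less', 'greater'):  # len <= N / len >= N over the whole frame
        return f['len'] <= int(value) if kind == 'less' else f['len'] >= int(value)
    raise ValueError(f'unsupported primitive: {" ".join(tokens)}')

def matches(expr, frame):
    """As in pcap-filter(7): 'not' binds tightest, 'and'/'or' have EQUAL precedence and
    associate left to right, so 'a or b and c' means '(a or b) and c'. No parentheses here."""
    f = decode(frame)
    clauses, ops, cur = [], [], []
    for tok in expr.split():
        if tok in ('and', 'or'):
            clauses.append(cur); ops.append(tok); cur = []
        else:
            cur.append(tok)
    clauses.append(cur)
    term = lambda t: not match_primitive(t[1:], f) if t[0] == 'not' else match_primitive(t, f)
    result = term(clauses[0])
    for op, clause in zip(ops, clauses[1:]):
        result = (result and term(clause)) if op == 'and' else (result or term(clause))
    return result
```

Calling matches('host 192.168.0.10', SAMPLE_FRAMES['arp_who_has']) returns False because decode() never sets ip_src/ip_dst for an ARP frame, which is exactly the caveat given under the examples; 'host 192.168.0.10 or arp' returns True for it. To see what libpcap really compiles a filter into, run tcpdump -d '<filter>', which prints the BPF program and exits without capturing anything.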