Wireshark packet-capture basics and common commands

Published 2023-08-28 10:19:12 Author: bulemaple

This article is divided into Wireshark packet-capture basics, common commands, and some commands I have used myself in practice.

Basics

Comparison operators

The comparison operators can be expressed either through English-like abbreviations or through C-like symbols:

eq, ==    Equal
ne, !=    Not Equal
gt, >     Greater Than
lt, <     Less Than
ge, >=    Greater than or Equal to
le, <=    Less than or Equal to

Summary: an expression can be written in either of the two forms.


Arithmetic operators

Arithmetic expressions are supported with the usual operators:

+   Addition
-   Subtraction
*   Multiplication
/   Division
%   Modulo (integer remainder)

For example, it is possible to filter for UDP destination ports greater than or equal to the source port plus one with the expression:

udp.dstport >= udp.srcport + 1

It is possible to group arithmetic expressions using curly brackets (parentheses will not work for this):

tcp.dstport >= 4 * {tcp.srcport + 3}

Do not confuse this usage of curly brackets with set membership.

An unfortunate quirk in the filter syntax is that the subtraction operator must be preceded by a space character, so "A-B" must be written as "A -B" or "A - B".

Summary: leave a space before the minus sign.


Logical expressions

Tests can be combined using logical expressions. These too are expressible in C-like syntax or with English-like abbreviations. The following table lists the logical operators from highest to lowest precedence:

not, !    Logical NOT   (right-associative)
and, &&   Logical AND   (left-associative)
or,  ||   Logical OR    (left-associative)

The evaluation is always performed left to right. Expressions can be grouped by parentheses as well. The expression "A and B or not C or D and not E or F" is read:

(A and B) or (not C) or (D and (not E)) or F

It's usually better to be explicit about grouping using parentheses. The following are all valid display filter expressions:

tcp.port == 80 and ip.src == 192.168.2.1
not llc
http and frame[100-199] contains "wireshark"
(ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip

Remember that whenever a protocol or field name occurs in an expression, the "exists" operator is implicitly called. The "exists" operator has the highest priority. This means that the first filter expression must be read as "show me the packets for which tcp.port exists and equals 80, and ip.src exists and equals 192.168.2.1". The second filter expression means "show me the packets where not exists llc", or in other words "where llc does not exist" and hence will match all packets that do not contain the llc protocol. The third filter expression includes the constraint that offset 199 in the frame exists, in other words the length of the frame is at least 200.

Each comparison has an implicit exists test for any field value. Care must be taken when using the display filter to remove noise from the packet trace. If, for example, you want to filter out all IP multicast packets to address 224.1.2.3, then using:

ip.dst ne 224.1.2.3

may be too restrictive. This is the same as writing:

ip.dst and ip.dst ne 224.1.2.3

The filter selects only frames that have the "ip.dst" field. Any other frames, including all non-IP packets, will not be displayed. To display the non-IP packets as well, you can use one of the following two expressions:

not ip.dst or ip.dst ne 224.1.2.3
not ip.dst eq 224.1.2.3

The first filter uses "not ip.dst" to include all non-IP packets and then lets "ip.dst ne 224.1.2.3" filter out the unwanted IP packets. The second filter also negates the implicit existence test and so is a shorter way to write the first.


Common commands

Select the IP addresses you want

IPv4 addresses can be represented in either dotted decimal notation or by using the hostname:

ip.src == 192.168.1.1
ip.dst eq www.mit.edu

Summary: an IP address can be written in either of two ways.

Exclude an unwanted IP address

ip.dst ne 224.1.2.3
ip.dst and ip.dst ne 224.1.2.3

Equivalent commands: exclude an unwanted IP address.
ip.src ne 192.168.0.17
ip.src and ip.src ne 192.168.0.17
not ip.src eq 192.168.0.17
not ip.src or ip.src ne 192.168.0.17

Filtering with ip.src ne 192.168.0.17 seems to be a bit more fine-grained.


Exclude an unwanted protocol

Append "and not icmp" to a filter to drop ICMP traffic.

xxxxxxxx and not icmp

Also possible:
not arp
not dns
rtcp and not icmp

Test results:


Wireshark filtering in practice:

1. Contains the IP address 192.168.0.17, is UDP, and the UDP destination port is 6801 to 6803.

ip.addr == 192.168.0.17 and udp.dstport>=6801 and udp.dstport<=6803

2. Source address, destination address, UDP port.

ip.src == 192.168.90.51 and ip.dst == 192.168.90.85 and udp.port == 60000

3. Source address, destination address, UDP protocol.

ip.src == 192.168.90.51 and ip.dst == 192.168.90.85 and udp

4. Filter on an IP address only, regardless of whether it is the source or the destination, plus UDP.

ip.addr == 192.168.90.51 and udp

5. Filter on an IP address only.

ip.addr == 192.168.90.51


That's about it; the rest is extrapolating from these. Refer to the Logical expressions section above as needed.


Reference, the official documentation:

 file:///D:/Program%20Files/Wireshark/wireshark-filter.html