wireshark-filter帮助手册

wireshark-filter帮助手册

一、帮助手册

二、常用filter

1.比对操作符

使用English-like或C-like symbols

    eq, ==    Equal
    ne, !=    Not Equal
    gt, >     Greater Than
    lt, <     Less Than
    ge, >=    Greater than or Equal to
    le, <=    Less than or Equal to

2.逻辑表达式

    and, &&   Logical AND
    or,  ||   Logical OR
    not, !    Logical NOT

3.ip

    ip.dst eq www.mit.edu
    ip.src == 192.168.1.1
    ip.addr == 129.111.0.0/16
    ip.addr eq sneezy/24
    ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}

4.http

    http.request.method == "POST"
    http.request.method in {"HEAD" "GET"}
    

5.tcp

tcp.port in {80 443 8080}
tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
tcp.port in {443 4430..4434}

6.物理层

frame.time_delta in {10 .. 10.5}

Frame: 物理层的数据帧概况
Ethernet II: 数据链路层以太网帧头部信息
Internet Protocol Version 4: 互联网层IP包头部信息
Transmission Control Protocol: 传输层T的数据段头部信息，此处是TCP
Hypertext Transfer Protocol: 应用层的信息，此处是HTTP协议

此部分转自：
wireshark怎么抓包、wireshark抓包详细图文教程

9.特殊字符转义

 # An embedded " double-quote
 browser.comment == "An embedded \" double-quote"
 # smb.path 包含 "\\SERVER\SHARE"
 smb.path contains "\\\\SERVER\\SHARE"