wireshark-filter帮助手册
一、帮助手册
二、常用filter
1.比对操作符
使用
English-like或C-like symbols
eq, == Equal
ne, != Not Equal
gt, > Greater Than
lt, < Less Than
ge, >= Greater than or Equal to
le, <= Less than or Equal to
2.逻辑表达式
and, && Logical AND
or, || Logical OR
not, ! Logical NOT
3.ip
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
ip.addr == 129.111.0.0/16
ip.addr eq sneezy/24
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
4.http
http.request.method == "POST"
http.request.method in {"HEAD" "GET"}
5.tcp
tcp.port in {80 443 8080}
tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
tcp.port in {443 4430..4434}
6.物理层
frame.time_delta in {10 .. 10.5}
Frame: 物理层的数据帧概况
Ethernet II: 数据链路层以太网帧头部信息
Internet Protocol Version 4: 互联网层IP包头部信息
Transmission Control Protocol: 传输层T的数据段头部信息,此处是TCP
Hypertext Transfer Protocol: 应用层的信息,此处是HTTP协议
此部分转自:
wireshark怎么抓包、wireshark抓包详细图文教程
9.特殊字符转义
# An embedded " double-quote
browser.comment == "An embedded \" double-quote"
# smb.path 包含 "\\SERVER\SHARE"
smb.path contains "\\\\SERVER\\SHARE"