Wireshark 基础 | 显示过滤篇
Wireshark 基础 | 显示过滤篇
目录
简介
「Wireshark 显示过滤」(display filter),即通过过滤筛选,需要显示哪些特定的数据包。
作用
显示过滤器允许将注意力集中在感兴趣的数据包上,同时隐藏当前不感兴趣的数据包。
允许只显示数据包基于:
● 协议
● 字段是否存在
● 字段值
● 字段间的比较
● …
语言
显示过滤器语言由 Wireshark 自身提供,通过不同的过滤表达式可以能够精确地控制显示哪些数据包。
建议
学习资源详见官方文档,包括 Wiki DisplayFilters 和 Display Filters 语法 。
语法
过滤器表达式
[not] primitive [and|or [not] primitive ...]
过滤器表达式由一个或多个原语组成
[x] x为可选
x|y 选x或y
<x> x为必选
xyz xyz为关键字,必需
and(&&)、or(||)、not(!) 代表与、或、非
原语格式
格式
Protocol[.string1.string2...stringN] [Comparison operator] [Value]
protocol
eth、ip、arp、tcp、udp 等。
支持的协议,View → Internals → Supported Protocols
string
addr、port、flags、flags.syn、len 等。
示例
eth.addr == ff:ff:ff:ff:ff:ff
tcp.port == 80
tcp.flags
tcp.flags.syn == 1
ip.len <= 60
...
comparison operator
eq(==)、ne(!=)、gt(>)、lt(<)、ge(>=)、le(<=)、contains、matches(~)、bitiwise_and(&)
示例
ip.src == 10.0.0.5
ip.src != 10.0.0.5
frame.len > 10
frame.len < 128
frame.len ge 0x100
frame.len <= 0x20
udp contains 81:60:03
http.host matches "ace\.(org|com|net)"
tcp.flags & 0x02
...
!= 注意事项
ip.addr == 1.2.3.4,显示所有包括 IP 地址 1.2.3.4 的数据包
ip.addr != 1.2.3.4,显示所有不包括 IP 地址 1.2.3.4 的数据包?语法错误!对于源或目的 IP 地址为 1.2.3.4 的包,该表达式也适用。因为 ip.addr != 1.2.3.4 表达式被理解为 “the packet contains a field named ip.addr with a value different from 1.2.3.4” 。IP 数据包包含源和目的 IP 地址,当两个地址中至少有一个与 1.2.3.4 不同时,表达式的值将为 true 。
!(ip.addr == 1.2.3.4),显示所有不包括 I P地址 1.2.3.4 的数据包
版本 3.6.0 之后“a != b”已经完全等同于“!(a == b)”。
value
Unsigned integer
可以为 8,16,24,32 或 64 bit 。
十进制、八进制或十六进制表示整数。
示例
ip.len le 1500
ip.len le 02734
ip.len le 0x5dc
Signed integer
可以为8,16,24,32或64 bit。
十进制、八进制或十六进制表示整数。
Boolean
1(真)或 0(假)
无论值是真还是假,布尔值字段都会出现。
譬如 tcp.flags.syn ,syn 存在于所有包含该标志的 TCP 数据包中,无论 syn 标志是 0 还是 1 。
示例
tcp.flags.syn == 1
Ethernet address
6 字节,通过 :,. ,或者 - 分隔。
示例
eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff
eth.dst == ffff.ffff.ffff
IPv4 address
示例
ip.addr == 192.168.0.1
ip.addr == 10.1.0.0/16
IPv6 address
示例
ipv6.addr == ::1
ipv6.addr == 2400:640:100:100::/64
Text string
示例
http.request.uri == "https://www.wireshark.org/"
联合表达式
and(&&)
Logical AND
示例
ip.src==10.0.0.1 and tcp.flags.fin
or(||)
Logical OR
示例
ip.scr==10.0.0.1 or ip.src==192.168.1.1
xor(^^)
Logical XOR
示例
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
Wireshark 目前版本实际不支持
not(!)
Logical NOT
示例
not arp
[…]
Subsequence
示例
eth.src[0:3] == 00:00:83
前三个字节以 00:00:83 开始的以太网源 mac 地址
eth.src[1-2] == 00:83
第二到第三个字节为 00:83 的以太网源 mac 地址
eth.src[:4] == 00:00:83:00
前四个字节以 00:00:83:00 开始的以太网源 mac 地址
eth.src[4:] == 20:20
最后两个字节以 20:20 结尾的以太网源 mac 地址
eth.src[2] == 83
第 3 个字节为 83 的以太网源 mac 地址
eth.src[0:3,1-2,:4,4:,2] == 00:00:83:00:83:00:00:83:00:20:20:83
复合范围
● Slice Operator,Wireshark 允许选择序列的子序列,在标签之后可以放置一对方括号 [],其中包含逗号分隔的范围说明符列表。
● 指定单个范围的格式:
n:m,n 是起始偏移量,m 是指定的范围的长度;
n-m,n 是起始偏移量,m 是结束偏移量;
:m,等同于 0:m ,从一个序列的起始偏移 m ;
n:,从偏移量 n 到序列的结尾;
n,等同于 n:1 ,从偏移量 n 开始偏移 1 。
● Wireshark 允许将单个范围串在逗号分隔的列表中,形成复合范围。
in
Set Membership
示例
tcp.port in {80 443 8080}
tcp 源或目的端口为 80、 443 或 8080 的数据包,等同于 tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
tcp.port in {443 4430..4434}
不等同于 tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434)
因为当任意字段匹配过滤器时都满足比较运算符,所以源端口为 56789 ,目的端口为 80 的数据包也会匹配第二个过滤器,因为 56789 >= 4430 && 80 <= 4434为真。
http.request.method in {"HEAD" "GET"}
ip.addr in {10.0.0.1..10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {0.001 .. 0.002}
...
● Membership Operator,Wireshark 允许测试字段在一组值或字段中的成员关系。在字段名之后,使用 in 操作符,后跟大括号 {} 包围的集合项。
● 当任意字段匹配过滤器时都满足比较运算符。
● 成员资格操作符根据范围条件测试单个字段。
● 集合项不仅限于数字,其他类型也可以使用。
函数
显示过滤器语言有许多转换字段的函数。
upper
将字符串字段转换为大写。
lower
将字符串字段转换为小写。
示例
lower(http.server) contains "apache"
upper 和 lower 函数可以用来强制不区分大小写的匹配
len
返回字符串或字节字段的字节长度。
示例
len(http.request.uri) > 100
查找具有长请求 uri 的 HTTP 请求
len(ip.addr) == 4
len 函数生成的字符串长度是以字节为单位
count
返回在一个帧中出现字段的数目。
示例
count(ip.addr) > 2
通常一个IP帧只有两个地址(源和目的),但是在 ICMP 错误或隧道的情况下,单个数据包可能包含更多的地址。
string
将非字符串字段转换为字符串。
示例
string(frame.number) matches "[13579]$"
匹配奇数帧序号
string(ip.dst) matches "^172\.(1[6-9]|2[0-9]|3[0-1])\..{1,3}\.255"
匹配以 255 结尾的 172.16-172.31 子网里的目的 IP
...
● string 函数将字段值转换为字符串,适用于操作符“matches”或“contains”。
● 整数字段被转换为十进制表示。
● 可以用于 IP/以太网地址(以及其他地址),但不能用于字符串或字节字段。
表达式
对话框
Fidle name
协议字段树中选择一个协议字段。通过展开协议名,可以获得用于筛选该协议的字段名的列表。
TCP
tcp.ack,Acknowledgment number
tcp.analysis,SEQ/ACK analysis
tcp.checksum,Checksum
tcp.flags,Flags
...
IPv4
ip.addr,Source or Destination address
ip.checksum,Header checksum
ip.dst,Destination
ip.id,Identification
...
…
Relation
从可用关系列表中选择一个关系。
is present,一元关系,数据包中存在所选择字段即为真
==、!=、>、<、>=、<=、contains、matches、in,二元关系,输入一个值,可能还有一些范围信息
Value
在“值”文本框中输入适当的值。该值还将指示选择字段名的值的类型(如字符串)。
Predefined Values
一些协议字段具有预定义值可用。
Search
允许搜索完整或部分字段名称或描述。支持正则表达式。
Range
偏移:长度,一组整数或一组范围。
示例
Frame
frame
Frame
frame
frame.encap_type
Encapsulation type
frame.encap_type == 1,Ethernet
frame.time_delta
Time delta from previous captured frame
frame.time_delta <= 0.0001
frame.time_delta_displayed
Time delta from previous displayed frame
frame.number
Frame Number
frame.nubmer == 100
frame.len
Frame length on the wire
frame.len <= 60
frame.cap_len
Frame length stored into the capture file
frame.cap_len <= 60
frame.marked
Frame is marked in the GUI
frame.marked == 0,False
frame.ignored
Frame is ignored by the dissectors
frame.ignored == 0,False
frame.protocols
Protocols carried by this frame
frame.protocols == "eth:ethertype:arp"
frame.protocols == "eth:ethertype:ip:tcp"
frame.protocols == "eth:ethertype:ip:tcp:data"
frame.protocols == "eth:ethertype:ip:udp:data"
frame.coloring_rule.name
The frame matched the coloring rule with this name
frame.coloring_rule.name == "ARP"
frame.coloring_rule.name == "TCP"
frame.coloring_rule.name == "UDP"
frame.coloring_rule.string
The frame matched this coloring rule string
frame.coloring_rule.string == "arp"
frame.coloring_rule.string == "tcp"
frame.coloring_rule.string == "udp"
frame.packet_flags
Packet flags
frame.packet_flags
frame.packet_flags_crc_error
frame.packet_flags_packet_too_error
frame.packet_flags_packet_too_short_error
Ethernet II
eth
Ethernet
eth
eth.addr
Source or Destination Hardware Address
eth.addr == 01:00:2b:63:b3:32
eth.dst
Destination Hardware Address
eth.dst == 01:00:2b:63:b3:32
eth.dst.lg
Specifies if this is an locally administered or globally unique(IEEE assigned) address
eth.dst.lg == 0,Globally unique address(factory default)
eth.dst.lg == 1,Locally administered address(this is NOT the factory default)
eth.dst.ig
Specifies if this is an individual(unicast) or group (broadcast/multicast) address
eth.dst.ig == 0,单播
eth.dst.ig == 1,组播
eth.src
Source Hardware Address
eth.src == 01:00:2b:63:b3:32
eth.src.lg
Specifies if this is an locally administered or globally unique(IEEE assigned) address
eth.src.lg == 0,Globally unique address(factory default)
eth.src.lg == 1,Locally administered address(this is NOT the factory default)
est.src.ig
Specifies if this is an individual(unicast) or group (broadcast/multicast) address
eth.src.ig == 0,单播
eth.src.ig == 1,组播
eth.type
Type
eth.type == 0x0800,IPv4
eth.fcs
Frame check sequence
eth.fcs.status
FCS Status
eth.fcs_bad
Bad checksum
eth.len
Length
eth.padding
Padding
eth.padding
eth.trailer
Trailer
eth.trailer
ARP
arp
Address Resolution Protocol
arp
arp.hw.type
Hardware type
arp.hw.type == 1,Ethernet
arp.proto.type
Protocol type
arp.proto.type == 0x0800,IPv4
arp.hw.size
Hardware size
arp.hw.size == 6
arp.proto.size
Protocol size
arp.proto.size == 4
arp.opcode
Opcode
arp.opcode == 1,request
arp.isgratuitous
Is gratuitous
arp.isgratuitous == 1,True
arp.isgratuitous == 0,False
arp.src.hw_mac
Sender MAC address
arp.src.hw_mac == 01:00:2c:65:b2:32
arp.src.proto_ipv4
Sender IP address
arp.src.proto_ipv4 == 10.1.1.1
arp.dst.hw_mac
Target MAC address
arp.dst.hw_mac == 01:00:2c:65:b2:32
arp.dst.proto_ipv4
Target IP address
arp.dst.proto_ipv4 == 10.1.1.1
arp.duplicate-address-detected
Duplicate IP address configured
arp.duplicate-address-frame
Frame showing earlier use of IP address
arp.packet-storm-detected
ARP packet storm detected
IPv4
ip
Internet Protocol Version 4
ip
ip.version
Version
ip.version == 4
ip.hdr_len
Header Length
ip.hdr_len == 20
ip.dsfield
Differentiated Services Field
ip.dsfield == 0x00
ip.dsfield.dscp
Differentiated Services Codepoint
ip.dsfield.dscp == 0
ip.dsfield.ecn
Explicit Congestion Notification
ip.dsfield.ecn == 0
ip.len
Total Length
ip.len <= 60
ip.id
Identification
ip.id == 0x0000
ip.flags
Flags
ip.flags == 0x4000,Don't fragment
ip.flags.rb
Reserved bit
ip.flags.rb == 0,Not set
ip.flags.df
Don't fragment
ip.flags.df == 1
ip.flags.mf
More fragments
ip.flags.mf == 0,Not set
ip.frag_offset
Fragment offset
ip.frag_offset == 0
ip.ttl
Time to live
ip.ttl <= 60
ip.proto
Protocol
ip.proto == 6,TCP
ip.proto == 17,UDP
ip.checksum
Header checksum
ip.checksum == 0xef15
ip.src
Source
ip.src == 10.1.1.1
ip.dst
Destination
ip.dst == 10.1.1.1
ip.fragment
ip.fragment · IPv4 Fragment
ip.fragment.count · Fragment
ip.fragment.error · Defragmentation error
ip.fragments
IPv4 Fragments
ip.opt
ip.opt.addr · IP Address
ip.opt.flag · Flag
ip.opt.id_number · ID Number
ip.opt.len · Length
ip.opt.mtu · MTU
ip.opt.padding · Padding
ip.opt.sid · Stream Identifier
ip.opt.type · Type
ip.reassembled
ip.reassembled.data · Reassembled IPv4 data
ip.reassembled.length · Reassembled IPv4 length
ip.reassembled_in · Reassembled IPv4 in frame
TCP
tcp
Transmission Control Protocol
tcp
tcp.srcport
Source Port
tcp.srcport == 62315
tcp.dstport
Destination Port
tcp.dstport == 443
tcp.stream
Stream index
tcp.stream == 0
tcp.len
TCP Segment Len
tcp.len == 29
tcp.seq
Sequence number
tcp.seq == 95672
tcp.seq_raw
The raw value of the sequence number
tcp.seq_raw == 1696880154
tcp.nxtseq
Next sequence number
tcp.nxtseq == 95701
tcp.ack
Acknowledgment number
tcp.ack == 3040
tcp.ack_raw
The raw value of the acknowledgment number
tcp.ack_raw == 1784144095
tcp.ack.nonzero
The acknowledgment number field is nonzero while the ACK flag is not set
tcp.hdr_len
Header Length
tcp.hdr_len == 20
tcp.flags
Flags
tcp.flags == 0x010
tcp.flags.res
Three reserved bits(must be zero)
tcp.flags.res == 0,Not set
tcp.flags.ns
ECN concealment protection(RFC 3540)
tcp.flags.ns == 0,Not set
tcp.flags.cwr
Congestion Window Reduced(CWR)
tcp.flags.cwr == 0,Not set
tcp.flags.ecn
ECN-Echo
tcp.flags.ecn == 0,Not set
tcp.flags.urg
Urgent
tcp.flags.urg == 0,Not set
tcp.flags.ack
Ackonwledgment
tcp.flags.ack == 1,Set
tcp.flags.push
Push
tcp.flags.push == 0,Not set
tcp.flags.reset
Reset
tcp.flags.reset == 0,Not set
tcp.flags.syn
Syn
tcp.flags.syn == 0,Not set
tcp.flags.fin
Fin
tcp.flags.fin == 0,Not set
tcp.flags.str
TCP Flags
tcp.flags.str == "\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7A\xc2\xb7\xc2\xb7\xc2\xb7\xc2\xb7",ACK
tcp.window_size_value
The window size value from the TCP header
tcp.window_size_value == 32709
tcp.window_size
The scaled window size(if scaling has been used)
tcp.window_size == 32709
tcp.window_size_scalefactor
The window size scaling factor(-1 when unknown,-2 when no scaling is used)
tcp.window_size_scalefactor == -1,unknown
tcp.window_size_scalefactor == -2,no window scaling used
tcp.window_size_scalefactor == 256
tcp.checksum
TCP checksum
tcp.checksum == 0x3305
tcp.checksum.status
Checksum Status
tcp.checksum.status == "Unverified"
tcp.checksum_bad.expert
Bad checksum
tcp.urgent_pointer
Urgent pointer
tcp.urgent_pointer == 0
tcp.analysis
This frame has sone of the TCP analysis shown
tcp.analysis
tcp.analysis.ack_lost_segment
ACKed segment that wasn't captured(common at capture start)
tcp.analysis.ack_rtt
The RTT to ACK the segment was
tcp.analysis.ack_rtt == 0.0001
tcp.analysis.acks_frame
This is an ACK to the segment in frame
tcp.analysis.acks_frame == 100
tcp.analysis.bytes_in_flight
How many bytes are now in flight for this connection
tcp.analysis.bytes_in_flight == 12
tcp.analysis.duplicate_ack
Duplicate ACK
tcp.analysis.duplicate_ack_frame
Duplicate to the ACK in frame
tcp.analysis.duplicate_ack_frame == 114
tcp.analysis.duplicate_ack_num
Duplicate ACK #
tcp.analysis.duplicate_ack_num == 1
tcp.analysis.fast_retransmission
This frame is a (suspected) fast retransmission
tcp.analysis.flags
TCP Analysis Flags
tcp.analysis.initial_rtt
iRTT
tcp.analysis.initial_rtt <= 0.020000
tcp.analysis.keep_alive
TCP keep-alive segment
tcp.analysis.keep_alive_ack
ACK to a TCP keep-alive segment
tcp.analysis.lost_segment
Previous segment(s) not captured (common at capture start)
tcp.analysis.out_of_order
This frame is a (suspected) out_of_order segment
tcp.analysis.push_bytes_sent
How many bytes have been sent since the last PSH flag
tcp.analysis.push_bytes_sent == 12
tcp.analysis.retransmission
This frame is a (suspected) retransmission
tcp.analysis.reused_ports
A new tcp session is started with the same ports as an earlier session in this trace
tcp.analysis.rto
The RTO for this segment was
tcp.analysis.rto <= 1
tcp.analysis.rto_frame
RTO based on delta from frame
tcp.analysis.rto_frame == 100
tcp.analysis.spurious_retransmission
This frame is a (suspected) spurious retransmission
tcp.analysis.tfo_syn
TCP SYN with TFO Cookie
tcp.analysis.window_full
TCP window specified by the receiver is now completely full
tcp.analysis.window_update
TCP window update
tcp.analysis.zero_window
TCP Zero Window segment
tcp.analysis.zero_window_probe
TCP Zero Window Probe
tcp.analysis.zero_window_probe_ack
ACK to a TCP Zero Window Probe
tcp.connection.fin
Connection finish(FIN)
tcp.connection.rst
Connection reset(RST)
tcp.connection.sack
Connection establish acknowledge(SYN+ACK)
tcp.connection.syn
Connection establish request(SYN)
tcp.fin_retransmission
Retransmission of FIN from frame
tcp.option.len.invalid
Invalid length for option
tcp.option_len
Length
tcp.options
TCP Options
tcp.options
tcp.options.echo_value
TCP Echo Option
tcp.options.mss.absent
The SYN packet does not contain a MSS option
tcp.options.mss.present
The non-SYN packet does contain a MSS option
tcp.options.sack.count
TCP SACK Count
tcp.options.sack_le
TCP SACK Left Edge
tcp.options.sack_re
TCP SACK Right Edge
tcp.options.tfo
TCP Fast Open
tcp.options.tfo.cookie
Fast Open Cookie
tcp.options.tfo.request
Fast Open Cookie Request
tcp.options.md5
TCP MD5 signature
tcp.time_relative
Time relative to first frame in this TCP stream
tcp.time_delta
Time delta from previous frame in this TCP stream
tcp.payload
The TCP payload of this packet
tcp.pdu.last_frame
Last frame of this PDU
tcp.pdu.size
PDU Size
tcp.pdu.time
Time until the last segment of this PDU
tcp.reassembled.data
Reassembled TCP Data
tcp.reassembled.length
Reassembled TCP length
tcp.reassembled_in
Reassembled PDU in frame
tcp.reset_cause
Reset cause
tcp.segment
TCP segment
tcp.segment
tcp.segment.count
Segment count
tcp.segment.error
Reassembling error
tcp.segment_data
TCP segment data
tcp.segments
Reassembled TCP segments
data
Data
data
UDP
udp
User Datagram Protocol
udp
udp.srcport
Source Port
udp.srcport == 53354
udp.dstport
Destination Port
udp.dstport == 22313
udp.length
Length
udp.length == 16
udp.checksum
UDP Checksum
udp.checksum == 0xb4c0
udp.checksum.status
Checksum Status
udp.checksum.status == "Unverified"
udp.checksum.bad
Bad checksum
udp.stream
Stream index
udp.stream == 34
udp.time_relative
Time relative to first frame in this UDP stream
udp.time_delta
Time delta from previous frame in this UDP stream
udp.pdu.size
PDU Size
data
Data
data
HTTP
http
Hypertext Transfer Protocol
http
http.request.method
HTTP Request Method
http.request.method == "POST"
http.request.uri
HTTP Request-URI
http.request.uri == "/www/api/xxx"
http.request.version
HTTP Request HTTP-Version
http.request.version == "HTTP/1.1"
http.host
HTTP host
http.host == "www.baidu.com"
http.connection
HTTP Connection
http.connection == "keep-alive"
http.content_lenth_header
HTTP Content-Length header
http.content_length_header == "144"
http.user_agent
HTTP User-Agent header
http.user_agent == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
http.content_type
HTTP Content-Type
http.content_type == "application/x-www-form-urlencoded; charset=utf-8"
http.accept
HTTP Accept
http.accept == "*/*"
http.accept_encoding
HTTP Accept Encoding
http.accept_encoding == "gzip, deflate"
http.accept_language
HTTP Accept Language
http.accept_language == "zh-CN,zh;q=0.9"
http.request.full_uri
The full requested URI(including host name)
http.request.full_uri == "https://www.baidu.com/xxx/xxx"
http.response.version
HTTP Response HTTP-Version
http.response.version == "HTTP/1.1"
http.response.code
HTTP Response Status Code
http.response.code == 200
http.server
HTTP Server
http.server == "nginx"
http.time
Time since the request was sent
http.time >= 0.05
DNS
dns
Domain Name System
dns
dns.id
Identification of transaction
dns.id == 0xc4e1
dns.flags
Flags
dns.flags == 0x0100
dns.flags.response
Is the message a response?
dns.flags.response == 0
dns.count.queries
Number of queries in packet
dns.count.queries == 1
dns.qry.name
Query Name
dns.qry.name == "www.baidu.com"
dns.qry.type
Query Type
dns.qry.type == 1
dns.count.answers
Number of answers in packet
dns.count.answers == 2
dns.resp.name
Response Name
dns.resp.name == "www.baidu.com"
dns.resp.type
Response Type
dns.resp.type == 5
dns.resp.ttl
Response TTL
dns.resp.ttl == 993
dns.resp.len
Response Length
dns.resp.len == 22
dns.cname
Response Primary Name
dns.cname == "www.a.shifen.com"
dns.a
Response Address
dns.a == 180.101.49.11
dns.time
The time between the Query and the Response
dns.time >= 0.005
感谢阅读,更多技术文章可关注个人公众号:Echo Reply ,谢谢。
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
所有评论(0)