# Wireshark

## 1. Basic syntax

Basic usage and display-filter rules. `eq` and `==` are interchangeable in Wireshark display filters; text after `//` in the examples below is commentary, not part of the filter.
### 1. Filter by IP (source IP or destination IP equal to a given address)

```
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107

ip.addr eq 192.168.1.107 // matches packets whose source OR destination IP is 192.168.1.107
```
### 2. Filter by port

```
tcp.port eq 80 // source port OR destination port is 80

tcp.port == 80

tcp.port eq 2722

tcp.port eq 80 or udp.port eq 80

tcp.dstport == 80 // only TCP packets with destination port 80

tcp.srcport == 80 // only TCP packets with source port 80

udp.port eq 15000 // the same fields exist for UDP

tcp.port >= 1 and tcp.port <= 80 // port range
```

Note that `tcp.port` refers to both the source and destination port, so a comparison is true if either port satisfies it. Wireshark 3.0 and later also accept set membership with ranges, `tcp.port in {1..80}`, which reads more clearly than the two-comparison form.
### 3. Filter by protocol

```
tcp, udp, arp, icmp, http, smtp, ftp, dns, msnms, ip, ssl, oicq, bootp

Exclude ARP packets: !arp or not arp
```

Protocol names are the dissector names. Two on this list were renamed in Wireshark 3.0: `ssl` became `tls` and `bootp` became `dhcp`. The old names (and the old `ssl.*` / `bootp.*` fields) are still accepted as aliases, but new filters should use `tls` and `dhcp`.
### 4. Filter by MAC address

```
eth.dst == A0:00:00:04:C5:84 // filter on destination MAC

eth.src eq A0:00:00:04:C5:84 // filter on source MAC

eth.dst==A0:00:00:04:C5:84

eth.dst==A0-00-00-04-C5-84 // colon and dash separators are both accepted

eth.addr eq A0:00:00:04:C5:84 // source MAC OR destination MAC equals A0:00:00:04:C5:84
```
### 5. HTTP filters

```
http.request.method == "GET" // GET requests

http.request.method == "POST" // POST requests

http.request.uri == "/img/1.jpg" // filter on the request URI

http contains "GET" // substring match on the HTTP payload

http contains "HTTP/1." // substring match on the HTTP payload
```

Use straight ASCII quotes (`"`) around string values; curly quotes (`“ ”`) pasted from a web page are a syntax error. The request path field is `http.request.uri` (there is no `http.request.url`); `http.request.full_uri` gives the scheme and host as well.

#### GET packets

```
http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "
```

#### POST packets

```
http.request.method == "POST" && http contains "Host: "

http.request.method == "POST" && http contains "User-Agent: "
```

#### Response packets

```
http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

http contains "HTTP/1.0 200 OK" && http contains "Content-Type: "
```

These response filters only match replies that carry the following header:

Content-Type:

The `contains` checks above are raw substring matches; the dissected fields `http.host`, `http.user_agent`, `http.response.code` and `http.content_type` are more precise and are not fooled by the string appearing in a body.
### 6. TCP field filters

```
tcp.flags // packets that have a TCP flags field (i.e. all TCP packets)

tcp.flags.syn == 1 // packets with the SYN flag set

tcp.window_size == 0 && tcp.flags.reset != 1 // zero-window packets that are not resets
```

The per-flag fields (`tcp.flags.syn`, `tcp.flags.ack`, `tcp.flags.reset`, ...) are booleans, so compare them to `1` or `0`; `0x02` is the SYN bit's position in the combined `tcp.flags` field, so `tcp.flags == 0x002` is a pure SYN with no other flag set, while `tcp.flags.syn == 1` also matches SYN/ACK.
### 7. Filter by packet content

`matches` (regular-expression match) and `contains` (substring match) syntax:

```
ip.src==192.168.1.107 and udp[8:5] matches "\\x02\\x12\\x21\\x00\\x22"

ip.src==192.168.1.107 and udp contains 02:12:21:00:22

ip.src==192.168.1.107 and tcp contains "GET"

udp contains 7c:7c:7d:7d // UDP packets whose payload contains 0x7c7c7d7d anywhere, not necessarily at the first byte
```

`udp[8:5]` is a byte slice: 5 bytes starting at offset 8 of the UDP datagram, which is the first 5 bytes of the payload because the UDP header is 8 bytes long. `matches` takes a PCRE regular expression and is case-insensitive by default; for an exact byte sequence, `contains` with a colon-separated byte string (or `udp[8:5] == 02:12:21:00:22`) is simpler and avoids escaping.
### 8. DHCP

Note: in Wireshark before 3.0 the DHCP filter name is not `dhcp`/`DHCP` but `bootp`. Since 3.0 the dissector is called `dhcp` (fields `dhcp.*`); the old `bootp.*` names still work as aliases.

Example: hunting for a rogue DHCP server. Enter the following display filter to show every BOOTP reply (`bootp.type == 0x02`, i.e. DHCP Offer/Ack/NAK) that does not come from the legitimate DHCP server:

bootp.type==0x02 and not ip.src==192.168.1.1

The `type` field is the BOOTP `op` byte (1 = request, 2 = reply), so this catches any host answering clients as a server. To narrow it to a specific message, combine it with the DHCP message-type option, `bootp.option.dhcp` (`dhcp.option.dhcp` in 3.0+): 2 = Offer, 5 = Ack, 6 = NAK.
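An added worked example (not from the original page) that re-implements the rogue-DHCP-server check above in plain Python over constructed frames, so the byte layout the filter relies on is visible: `bootp.type` is the first byte of the UDP payload (the BOOTP `op` field, 2 = BOOTREPLY), the payload starts 8 bytes into the UDP datagram (the same offset the `udp[8:5]` slice in section 7 uses), and the DHCP message type is option 53 after the magic cookie. The MAC and IP addresses, the set of authorized servers and the sample frames are all constructed for the demo, not taken from a real capture.

```python
"""Rogue-DHCP detection: Python equivalent of the display filter
   bootp.type == 0x02 and not ip.src == 192.168.1.1   (dhcp.type in Wireshark >= 3.0)
Addresses, authorized-server set and frames below are assumptions for the demo."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the only legitimate DHCP server on this LAN (the IP used in the page's filter).
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}

BOOTREQUEST, BOOTREPLY = 1, 2          # BOOTP 'op' byte == Wireshark bootp.type / dhcp.type
DHCP_MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class UdpFrame:
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes       # bytes after the 8-byte UDP header, i.e. udp[8:] in filter terms


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_eth_ipv4_udp(raw: bytes) -> Optional[UdpFrame]:
    """Walk Ethernet II -> IPv4 -> UDP; return None for anything that is not IPv4/UDP."""
    if len(raw) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:     # not IPv4 (eth.type == 0x0800)
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IPv4 header length, options included
    if ip[9] != 17:                                      # not UDP (ip.proto == 17)
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    udp = ip[ihl:]
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    return UdpFrame(mac_str(raw[6:12]), src_ip, dst_ip, sport, dport, udp[8:ulen])


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Return DHCP option 53 (message type) from a BOOTP payload, or None if absent."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                  # END option
            break
        if code == 0:                                    # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            return payload[i + 2]
        i += 2 + length
    return None


def is_rogue_dhcp_reply(frame: UdpFrame, authorized=AUTHORIZED_DHCP_SERVERS) -> bool:
    """bootp.type == 0x02 and not ip.src in <authorized servers>."""
    if frame.src_port != 67:                             # Wireshark dissects BOOTP on ports 67/68 only
        return False
    if not frame.payload or frame.payload[0] != BOOTREPLY:   # udp[8:1] is the BOOTP op byte
        return False
    return frame.src_ip not in authorized


def scan(frames: List[bytes], authorized=AUTHORIZED_DHCP_SERVERS) -> List[Tuple[str, str, str]]:
    """Return (src_ip, src_mac, DHCP message name) for every rogue reply among raw frames."""
    hits = []
    for raw in frames:
        f = parse_eth_ipv4_udp(raw)
        if f and is_rogue_dhcp_reply(f, authorized):
            t = dhcp_message_type(f.payload)
            hits.append((f.src_ip, f.src_mac, DHCP_MSG_NAMES.get(t, str(t))))
    return hits


# --- constructed sample traffic (not a real capture); checksums left at 0 -------------
def build_dhcp_frame(src_mac: bytes, src_ip: str, dst_ip: str, op: int, msg_type: int) -> bytes:
    bootp = bytes([op, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 228   # op..xid, rest of the 236-byte header zeroed
    bootp += DHCP_MAGIC_COOKIE + bytes([53, 1, msg_type, 255])           # option 53 + END
    sport, dport = (67, 68) if op == BOOTREPLY else (68, 67)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp


SAMPLE_FRAMES = [
    build_dhcp_frame(b"\xaa\xbb\xcc\x00\x00\x01", "0.0.0.0", "255.255.255.255", BOOTREQUEST, 1),  # client DISCOVER
    build_dhcp_frame(b"\xa0\x00\x00\x04\xc5\x84", "192.168.1.1", "192.168.1.107", BOOTREPLY, 2),    # legitimate OFFER
    build_dhcp_frame(b"\xde\xad\xbe\xef\x00\x01", "192.168.1.200", "192.168.1.107", BOOTREPLY, 2),  # rogue OFFER
    build_dhcp_frame(b"\xde\xad\xbe\xef\x00\x01", "192.168.1.200", "192.168.1.107", BOOTREPLY, 5),  # rogue ACK
]

if __name__ == "__main__":
    for src_ip, src_mac, kind in scan(SAMPLE_FRAMES):
        print(f"rogue DHCP {kind} from {src_ip} ({src_mac})")
```

Running it reports the two replies from 192.168.1.200 and stays silent for the client's DISCOVER (a BOOTREQUEST from port 68) and for the OFFER from the authorized server. The port check mirrors what Wireshark does implicitly: the `bootp`/`dhcp` dissector is only attached to UDP 67/68, so a reply-shaped payload on another port never matches `bootp.type` in the GUI either.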