[wireshark] ip filter

查ip 时,使用 ip==10.224.37.18 发现无效
使用 ip.dst, 查到了

Match destination: ip.dst == x.x.x.x
Match source: ip.src == x.x.x.x
Match either: ip.addr == x.x.x.x
Match either: ip.host == x.x.x.x
OR condition:

(ip.src==192.168.2.25)||(ip.dst==192.168.2.25)

AND condition:

(ip.src==192.168.2.25) && (ip.dst==74.125.236.16)

Actually for some reason wireshark uses two different kind of filter syntax:

  1. one on display filter;
    --only useful to find certain traffic just for display purpose only. its like you are interested in all trafic but for now you just want to see specific. like above syntax. ip.dst/src/addr
  2. other on capture filter on the input window: capture filter for selected interface:
    -- host x.x.x.x

ip.addr == x.x.x.x && ip.addr == x.x.x.x 
(or ip.src == xxxx && ip.dst == xxxx - for a destination)

tcp.portxxx
tcp.flags.reset
1
tcp contains xxx
tcp.seq == x
tcp.stream eq X
tcp.flags.push == 1
http.request

!(arp or icmp or dns)
Designed to filter out certain types of protocols, it masks out arp, icmp, dns, or other protocols you think are not useful. This will allow you to focus of what traffic interests you.

udp contains xx:xx:xx
dns.flags.rcode != 0

posted @ 2019-10-22 18:35  vivi~  阅读(297)  评论(0编辑  收藏  举报