Hello everyone, nice to see you again. I am your friend Quanzhanjun.
Wireshark provides two kinds of filters:
Capture filter: Set the filter conditions before capturing packets, and then only capture the packets that meet the conditions.
Display filter: Set filter conditions in the captured packet set to hide packets that you do not want to display and only display packets that meet the conditions.
Note that the two filters use completely different syntaxes. The reason is easy to see: it is not Wireshark itself that reads packets off the network card but the capture library underneath it (WinPcap, or Npcap on current Windows versions, libpcap on Linux and macOS), so a capture filter has to follow that library's pcap-filter (BPF) rules, the same syntax tcpdump uses. A display filter is Wireshark's own language, applied to packets it has already captured and dissected.
The main reason to use capture filters is performance. If you know you do not need to analyze a certain type of traffic, filter it out with a capture filter and save the CPU time and disk space that would otherwise go into capturing those packets. This matters most when dealing with large volumes of traffic.
The start page of newer Wireshark versions is very simple and mainly offers two things: a box to set the capture filter, and the list of network interfaces to capture on. That alone shows how important capture filters are.
Without any proxy being configured, Wireshark captures all traffic passing through the selected network card.
Wireshark cannot capture loopback traffic (127.0.0.1 or localhost) with WinPcap on Windows. On Linux and macOS you can select the lo or lo0 interface instead, and Npcap provides a loopback adapter for the same purpose.
Display Filters:
The following display filters pick out HTTP requests in Wireshark. Note that HTTPS is not included: TLS-encrypted traffic is not dissected as http unless the session keys are supplied to Wireshark.
http.request.uri contains "product"
Requests whose URI contains "product". The URI is the part after the host name; the domain itself is not searched.
http.host == "shanghai.rongzi.com"
Filter by exact domain name (the Host header).
http.host contains "rongzi.com"
Fuzzier match that also catches any number of subdomains.
http.content_type == "text/html"
Filter by Content-Type.
http.request.uri == "/product/"
Exact URI match. Not suitable when the request carries query parameters, because they are part of the URI and an exact comparison will not match.
http.request.method == "GET"
tcp.port == 80
http && (tcp.port == 8613 || tcp.port == 8090 || tcp.port == 8091)
HTTP on a set of non-standard ports. The parentheses matter: "and" binds tighter than "or", so without them the expression also matches non-HTTP traffic on 8090 and 8091.
ip.dst == 42.159.245.203
A collection of filters:
http.host == "magentonotes.com"
http.host contains "magentonotes.com" // HTTP packets for the given domain. http.host is taken from the Host header, so it is not necessarily the name that was resolved for the request
http.response.code == 302 // HTTP responses with status code 302
http.response == 1 // all HTTP responses (http.response on its own works as well)
http.request == 1 // all HTTP requests (likewise, http.request on its own works)
http.request.method == "POST" // all HTTP requests whose method is POST; the comparison is case-sensitive, so POST must be upper case
http.cookie contains "guid" // HTTP packets whose Cookie header contains the given string
http.request.uri == "/online/setpoint" // match the request URI, i.e. the part after the host name
http.request.full_uri == "http://task.browser.360.cn/online/setpoint" // to match the whole URL including the host name, use http.request.full_uri
http.server contains "nginx" // packets whose Server header contains the string nginx
http.content_type == "text/html" // responses and POST requests whose Content-Type is text/html, i.e. filtering HTTP packets by file type
http.content_encoding == "gzip" // HTTP packets whose Content-Encoding is gzip
http.transfer_encoding == "chunked" // filter by Transfer-Encoding
http.content_length == 279 // filter by Content-Length as a number
http.content_length_header == "279" // the same header compared as its raw string value
http.server // all packets that carry a Server header at all
http.request.version == "HTTP/1.1" // HTTP/1.1 packets. Older Wireshark versions labelled the response version with this field too; current versions expose it as http.response.version, so match both fields if you want both directions
http.response.phrase == "OK" // match the reason phrase of the HTTP status line
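The distinction between http.request.uri, http.host and http.request.full_uri is easiest to see against a capture you control. The script below is an added example, not code from the original post: it builds a small pcap of constructed HTTP requests (made-up MAC and IP addresses; the host names and paths reuse the ones from the filters above), approximates those three fields in Python, and, if tshark (Wireshark's command-line front end) is installed, runs several of the display filters listed above against the file.

```python
"""Added example: constructed HTTP requests written to a pcap, then checked
against the post's display filters with tshark. Addresses are made up."""
import shutil
import socket
import struct
import subprocess
import tempfile
from pathlib import Path

# Constructed sample traffic: (src_ip, dst_ip, dst_port, raw HTTP request).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.10", 80,
     b"GET /product/?id=7 HTTP/1.1\r\nHost: shanghai.rongzi.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80,
     b"POST /online/setpoint HTTP/1.1\r\nHost: task.browser.360.cn\r\n"
     b"Content-Length: 0\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: shanghai.rongzi.com\r\n\r\n"),
]


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the IPv4 header (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip, dst_ip, dst_port, payload, seq=1):
    """Ethernet/IPv4/TCP frame carrying one HTTP request segment (PSH+ACK).
    The TCP checksum is left at 0; Wireshark does not verify it by default."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, seq, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def write_pcap(path, frames):
    """Write frames as a classic little-endian pcap (link type 1 = Ethernet)."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            fh.write(frame)


def read_pcap(path):
    """Minimal reader for files written by write_pcap; returns the frame bytes."""
    data = Path(path).read_bytes()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def build_demo_pcap(path=None):
    """Write the sample requests as one TCP stream and return the pcap path."""
    path = Path(path) if path else Path(tempfile.gettempdir()) / "display_filter_demo.pcap"
    frames, seq = [], 1
    for src, dst, port, payload in SAMPLE_REQUESTS:
        frames.append(build_frame(src, dst, port, payload, seq))
        seq += len(payload)  # advance seq so tshark does not flag retransmissions
    write_pcap(path, frames)
    return path


def http_request_fields(payload):
    """Approximate the fields the post filters on: http.request.method,
    http.request.uri (path and query only), http.host (the Host header) and
    http.request.full_uri (scheme + host + uri, which Wireshark synthesises)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    host = headers.get("host", "")
    return {"method": method, "uri": uri, "host": host, "full_uri": f"http://{host}{uri}"}


def tshark_matches(pcap_path, display_filter):
    """Frame numbers tshark reports for display_filter, or None if tshark is not installed."""
    exe = shutil.which("tshark")
    if exe is None:
        return None
    proc = subprocess.run(
        [exe, "-r", str(pcap_path), "-Y", display_filter, "-T", "fields", "-e", "frame.number"],
        capture_output=True, text=True, check=True)
    return [int(n) for n in proc.stdout.split()]


if __name__ == "__main__":
    pcap = build_demo_pcap()
    for num, (_, _, _, payload) in enumerate(SAMPLE_REQUESTS, 1):
        print(num, http_request_fields(payload))
    for expr in ('http.request.uri contains "product"',
                 'http.host contains "rongzi.com"',
                 'http.request.method == "POST"',
                 'http.request.full_uri == "http://task.browser.360.cn/online/setpoint"'):
        print(f"{expr}: frames {tshark_matches(pcap, expr)}")
```

With tshark on the PATH the four filters should report frames 1; 1 and 3; 2; and 2 respectively, matching what the Python approximation prints for each request. The same pcap can be opened in the Wireshark GUI to try the other display filters from this post without generating any real traffic.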
Capture filters:
Capture -> Capture Filters... (define and save filters)
Capture -> Options... (pick the interface and enter the capture filter)
Click Start to begin capturing.
In testing it turned out that, although the examples above use domain names, a capture filter actually works on IP addresses: a host name in the filter is resolved once when the filter is compiled, so traffic for every other domain that shares the same IP address is captured as well.
For the specific rules, see the link below, which contains many examples.
Wireshark capturing MySQL statements:
mysql.query contains "SELECT"
(The mysql dissector is applied to port 3306 by default, and contains is case-sensitive, so a lower-case select would not match this filter.)
Searching the whole MySQL packet for a string:
mysql contains "FD171290339530899459"
Filtering on raw TCP data:
tcp.payload contains "sendAppPushMsg"
(This works on any TCP port, because it looks at the undissected payload bytes rather than a protocol field.)
Publisher: Full-Stack Programmer Stack Leader. Please credit the source when reprinting: https://javaforall.cn/158474.html (original site: https://javaforall.cn)