Many users don't know how to use filters when working in Wireshark. Today's article explains how to use the Wireshark filters; if you are not sure yet, let's go through it together.
Filters are the core function of Wireshark, and they are also the most commonly used function.
Wireshark provides two kinds of filter: the packet capture filter and the display filter. The two differ in what they filter.
Packet capture filter: the focus is on the capture itself. Only the packets you need are captured; the rest are never recorded.
Display filter: the focus is on what is displayed. Every packet has been captured, but only those matching the filter are shown.
1. Packet capture filter
The packet capture filter is set before packet capture starts. Its expressions follow one basic syntax: the BPF syntax.
1) BPF syntax
BPF (Berkeley Packet Filter) syntax has four core elements: type, direction, protocol and logical operator.
Type: host, network segment (net), port
Direction (dir): source address (src), destination address (dst)
Protocol (proto): network protocols such as tcp, udp, http
Logical operators: AND (&&), OR (||), NOT (!)
The four elements can be combined freely, for example:
src host 192.168.31.1: capture packets whose source IP is 192.168.31.1
tcp || udp: capture TCP or UDP packets
2) How to use
A capture filter can only be set while no capture is running: stop the capture first, set the filter rule, and then start capturing again.
To stop the capture, click the capture button on the toolbar, then open Options.
In the Capture Options dialog that opens, enter the filter expression in the input box at the bottom and click Start to begin capturing.
Tip: the capture filter input box checks the syntax as you type. Green means the expression is valid, red means it is invalid.
2. Display filter
The display filter is used after packet capture, or while a capture is running.
1) Syntax
The display filter syntax has 5 core elements: IP address, port, protocol, comparison operator and logical operator.
IP address: ip.addr, ip.src, ip.dst
Port: tcp.port, tcp.srcport, tcp.dstport
Protocol: tcp, udp, http
Comparison operators: > < == >= <= !=
Logical operators: and, or, not, xor (true when exactly one of the two conditions holds)
The 5 core elements can be combined freely, for example:
ip.addr == 192.168.32.121: display packets whose source or destination IP address is 192.168.32.121
tcp.port == 80: display packets whose TCP source or destination port is 80
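The following script is an added example, not code from Wireshark or from this article: a toy evaluator that runs the capture-filter combinations from section 1 (src host, tcp || udp) and the display-filter combinations above (ip.addr, tcp.port, and/or/not/xor) over a few constructed packet records, so you can see which packets each expression matches without a live capture. Everything in it is an assumption of the example: the PACKETS list is constructed sample data, the operator precedence is the toy's own (use parentheses in real filters when in doubt), and the != rule follows Wireshark 3.6 and later, where "a != b" means "not (a == b)"; earlier releases treated "ip.addr != x" as "either address differs", which matched almost every packet. One caveat on the protocol list in section 1: the real BPF capture syntax has no "http" keyword (HTTP traffic is captured with "port 80"); the toy only passes such names through as protocol tags.

```python
"""Toy evaluator for the two Wireshark filter dialects described in this article.
Added example, not Wireshark's own code; covers only the elements the article lists."""
import operator
import re

# Constructed sample "capture" (not real traffic); ip.addr, tcp.port and udp.port
# are multi-valued fields derived from the src/dst entries, as in Wireshark.
PACKETS = [
    {"id": 1, "ip.src": "192.168.31.1", "ip.dst": "192.168.32.121",
     "proto": {"tcp", "http"}, "tcp.srcport": 51000, "tcp.dstport": 80},
    {"id": 2, "ip.src": "192.168.32.121", "ip.dst": "192.168.31.1",
     "proto": {"tcp", "http"}, "tcp.srcport": 80, "tcp.dstport": 51000},
    {"id": 3, "ip.src": "192.168.31.1", "ip.dst": "8.8.8.8",
     "proto": {"udp"}, "udp.srcport": 40000, "udp.dstport": 53},
    {"id": 4, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "proto": {"icmp"}},
]
MULTI = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
         "udp.port": ("udp.srcport", "udp.dstport")}
CMP = {"==": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
TOKEN = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|&&|\|\||!|[\w.]+)")
# Binary operators, lowest precedence first (this toy's own order: or < xor < and).
LEVELS = [(("or", "||"), lambda a, b: a or b), (("xor",), lambda a, b: a != b),
          (("and", "&&"), lambda a, b: a and b)]

def tokenize(expr):
    toks = TOKEN.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):   # anything unmatched is junk
        raise ValueError(f"bad filter: {expr!r}")
    return toks

def compare(pkt, field, op, value):
    vals = [pkt[k] for k in MULTI.get(field, (field,)) if k in pkt]
    if op == "!=":   # Wireshark 3.6+: "a != b" means "not (a == b)"
        return not any(v == value for v in vals)
    return any(CMP[op](v, value) for v in vals)   # true if any value satisfies it

class Parser:
    """Recursive descent over filter tokens; and/&&, or/||, not/! are all accepted."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]   # IndexError on a truncated filter
    def parse(self):
        pred = self.level()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return pred
    def level(self, n=0):   # left-associative chain of the operators in LEVELS[n]
        if n == len(LEVELS):
            return self.not_expr()
        ops, combine = LEVELS[n]
        node = self.level(n + 1)
        while self.peek() in ops:
            self.take()
            node = (lambda l, r: lambda p: combine(l(p), r(p)))(node, self.level(n + 1))
        return node
    def not_expr(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.atom()
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.level()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in CMP or self.peek() == "!=":   # field comparison
            op, lit = self.take(), self.take()
            val = int(lit) if lit.isdigit() else lit
            return lambda p: compare(p, tok, op, val)
        return lambda p: tok in p["proto"]               # bare protocol name, e.g. tcp

def bpf_to_display(expr):
    """Rewrite the article's capture-filter elements into the display dialect above."""
    toks, out, i = tokenize(expr), [], 0
    while i < len(toks):
        tok, direction = toks[i], ""
        if tok in ("src", "dst"):                  # optional direction qualifier
            direction, i, tok = tok, i + 1, toks[i + 1]
        if tok == "host":
            out.append(f"ip.{direction or 'addr'} == {toks[i + 1]}")
            i += 2
        elif tok == "port":                        # BPF "port" covers TCP and UDP
            f, n = f"{direction}port", toks[i + 1]
            out.append(f"(tcp.{f} == {n} or udp.{f} == {n})")
            i += 2
        else:                                      # protocol names, && || ! pass through
            out.append(tok)
            i += 1
    return " ".join(out)

def apply_filter(expr, packets=PACKETS):   # ids of the packets a display filter shows
    pred = Parser(expr).parse()
    return [p["id"] for p in packets if pred(p)]

def apply_capture_filter(expr, packets=PACKETS):   # ids a capture filter lets through
    return apply_filter(bpf_to_display(expr), packets)
```

With the sample data, apply_filter("ip.addr == 192.168.32.121") and apply_filter("tcp.port == 80") both return packets 1 and 2, because the multi-valued fields match either endpoint, while apply_filter("ip.addr != 192.168.31.1") returns only packet 4, the same result as "not ip.addr == 192.168.31.1". The capture-filter side is handled by translating each BPF element to its display-filter equivalent (src host -> ip.src, host -> ip.addr, port -> tcp.port or udp.port) and evaluating it the same way, which also makes the correspondence between the two dialects explicit.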
2) How to use
Enter the filter expression in the display filter bar; the change is applied immediately to the packets already captured.
Tip: the display filter bar checks the syntax as you type. Green means the expression is valid, red means it is invalid.
That is how to use filters in Wireshark. I hope this tutorial helps you.