![Network Analysis Using Wireshark 2 Cookbook(Second Edition)](https://wfqqreader-1252317822.image.myqcloud.com/cover/52/36700052/b_36700052.jpg)
How it works...
The general structure of an offset filter is:
proto [Offset in bytes from the start of the header : Number of bytes to check]
Common examples for string matching filters are:
- For filtering destination TCP ports between 50 and 100, configure (tcp[2:2] > 50 and tcp[2:2] < 100). Here we count two bytes from the beginning of the TCP header (skipping the source port) and check that the next two bytes, the destination port, are higher than 50 and lower than 100:
![](https://epubservercos.yuewen.com/8EC510/19470395508896306/epubprivate/OEBPS/Images/44653ca2-e137-4b66-9206-2f4774473dca.png?sign=1739183570-2XUifMTz5WLhYc4sWiVUE1xMqQoQuij5-0-de5057f0c1d1c28179fcd1353465dc6e)
- For checking a TCP window size smaller than 8192, configure tcp[14:2] < 8192. Here we count 14 bytes from the beginning of the TCP header (as the offset in tcp[14:2] states) and check that the next two bytes, the window size, are less than 8192:
![](https://epubservercos.yuewen.com/8EC510/19470395508896306/epubprivate/OEBPS/Images/cb32f5d9-6c51-4a4a-aa55-568f6f0a7277.png?sign=1739183570-0LWzsXDICi1lmueKwMdtusy6cfanoLfq-0-32de0b493c4217f21673086e9675c34b)
- For filtering only HTTP GET packets, configure port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):3] = 0x474554. Here, ((tcp[12:1] & 0xf0) >> 2) gives the TCP header length in bytes: the upper nibble of byte 12 is the data offset in 32-bit words, and shifting it right by 2 (rather than by 4) multiplies it by 4. Right after the header, the filter checks the next three bytes for the characters G, E, T (that is, the HTTP GET command), which appear with the hex values 47, 45, 54 in the packet bytes pane just after the TCP header. Note that the header length must be computed rather than assumed to be 20 bytes, because TCP options (for example, timestamps) push the payload further into the packet.
There's a nice string-matching capture filter generator at: http://www.wireshark.org/tools/string-cf.html.
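As an added example (not code from the book), here is a small Python evaluator that applies the three offset filters above to constructed IPv4/TCP packets, reproducing the tcp[offset:length] semantics by hand. It reads the IPv4 IHL to find the TCP header and the TCP data offset to find the payload, so it also shows why the HTTP GET filter must compute the header length instead of assuming 20 bytes. The packet builder, the sample packets and the helper names are assumptions for the demonstration.

```python
import struct


def build_packet(dport, window, payload=b"", options=b""):
    """Constructed sample: minimal IPv4 header + TCP header (+options) + payload."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    hdr_len = 20 + len(options)
    data_offset = (hdr_len // 4) << 4            # upper nibble: header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, data_offset, 0x18, window, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # checksum left at 0
    return ip + tcp


def tcp_field(pkt, offset, nbytes):
    """Evaluate tcp[offset:nbytes] as an unsigned big-endian integer."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    start = ihl + offset
    return int.from_bytes(pkt[start:start + nbytes], "big")


def dst_port_in_range(pkt):
    """tcp[2:2] > 50 and tcp[2:2] < 100"""
    return 50 < tcp_field(pkt, 2, 2) < 100


def window_below_8192(pkt):
    """tcp[14:2] < 8192"""
    return tcp_field(pkt, 14, 2) < 8192


def is_http_get(pkt):
    """port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):3] = 0x474554"""
    hdr_len = (tcp_field(pkt, 12, 1) & 0xF0) >> 2    # words << 2 == bytes
    on_port_80 = 80 in (tcp_field(pkt, 0, 2), tcp_field(pkt, 2, 2))
    return on_port_80 and tcp_field(pkt, hdr_len, 3) == 0x474554


def naive_is_http_get(pkt):
    """Same check but assuming a 20-byte header; breaks when options are present."""
    return tcp_field(pkt, 2, 2) == 80 and tcp_field(pkt, 20, 3) == 0x474554


# Constructed sample packets (NOP, NOP, Timestamp option = 12 bytes -> 32-byte header)
GET_PLAIN = build_packet(80, 4096, b"GET / HTTP/1.1\r\n")
GET_WITH_OPTIONS = build_packet(80, 65535, b"GET /x HTTP/1.1\r\n",
                                options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
POST_PLAIN = build_packet(80, 4096, b"POST / HTTP/1.1\r\n")
HTTPS_SYN = build_packet(443, 29200)
```

Running the filters over GET_WITH_OPTIONS shows the difference: is_http_get finds the GET after the 32-byte header, while naive_is_http_get reads the option bytes and misses it.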