ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1 as either the source or the destination address]
ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [Sets a conversation filter between the two defined IP addresses]
http or dns [Sets a filter to display all HTTP and DNS traffic]
tcp.port==4000 [Sets a filter for any TCP packet with 4000 as a source or destination port]
tcp.flags.reset==1 [Displays all TCP resets]
http.request [Displays all HTTP requests, whatever the method; use http.request.method == "GET" for GET requests only]
tcp contains "traffic" [Displays all TCP packets whose header or payload contains the string "traffic". Excellent when searching for a specific string or user ID]
!(arp or icmp or dns) [Masks out ARP, ICMP, DNS, or whatever other protocols are background noise, so you can focus on the traffic of interest. Note that !(ip.addr == x) is not the same as ip.addr != x in Wireshark releases before 3.6, where != matched whenever either address differed]
udp contains 33:27:58 [Sets a filter for the hex byte sequence 0x33 0x27 0x58 at any offset in the UDP header or payload]
tcp.analysis.retransmission [Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
Capture filters (libpcap/BPF syntax, applied at capture time and not changeable afterwards; this is a different syntax from the display filters above). Capture only traffic to or from an IP address, network, or port:
host xxx.xxx.xxx.xxx
net xxx.xxx.0.0/24
src net 192.168.0.0/24
dst net 192.168.0.0/24
port xx
host www.myhostname.com and not (port xx or port yy)
tcp portrange 1800-1880
ip
Suppose there is a requirement to filter only those packets that are HTTP packets and have 192.168.1.4 as the source IP. Use this display filter: http && ip.src==192.168.1.4
- ip.addr==192.168.0.1 --- Show all traffic from and to 192.168.0.1
- tcp.port==80 --- Show all the traffic with 80 as a source or destination port
- ip.src==192.168.0.1 and ip.dst==10.100.1.1 --- Show all the traffic sent from 192.168.0.1 to 10.100.1.1
- ftp --- Show only the traffic for the FTP protocol
- http --- Show only the traffic for the HTTP protocol
- dns --- Show only the traffic for the DNS protocol
- http.request.uri contains "string" --- Show all HTTP requests whose URI contains the word "string"
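The filters in the two lists above all reduce to predicates over decoded fields, and the one semantic that trips people up is that ip.addr and tcp.port are multi-valued (source and destination), so "ip.addr == X" means "either address is X". The following is an added example, not code from the page: a minimal Ethernet/IPv4/TCP/UDP decoder written here from scratch, with Python equivalents of several of the cheat-sheet filters run over constructed frames (addresses, ports and payloads are made up for the demonstration). It also shows the legacy "any address differs" reading of ip.addr != X, which Wireshark 3.6 replaced with !(ip.addr == X) semantics.

```python
import ipaddress
import struct

# Added example: frames below are constructed, not captured traffic.

def build_eth(src_mac, dst_mac, payload, ethertype=0x0800):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def build_ipv4(src, dst, proto, payload):
    # 20-byte header, no options; checksum left zero (never verified here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_tcp(sport, dport, flags=0x18, payload=b""):
    # data offset 5 (20-byte header); flags byte: 0x04 = RST, 0x18 = PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def decode(frame):
    """Flatten a frame into a dict keyed by Wireshark field names.
    Multi-valued fields (ip.addr, tcp.port, udp.port) become sets, which is
    exactly why 'ip.addr == X' means 'source OR destination is X'."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f                      # not IPv4: no ip.* / tcp.* / udp.* fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    f["ip.src"] = str(ipaddress.IPv4Address(ip[12:16]))
    f["ip.dst"] = str(ipaddress.IPv4Address(ip[16:20]))
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}
    f["ip.proto"] = ip[9]
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if ip[9] == 6:
        f["tcp.port"] = {sport, dport}
        f["tcp.flags.reset"] = (l4[13] >> 2) & 1   # RST is bit 2 of the flags byte
        f["tcp"] = l4                 # 'tcp contains' searches header AND payload bytes
    elif ip[9] == 17:
        f["udp.port"] = {sport, dport}
        f["udp"] = l4
    return f

# Python equivalents of the cheat-sheet filters (keys are the filter strings).
FILTERS = {
    "ip.addr == 10.0.0.1": lambda f: "10.0.0.1" in f.get("ip.addr", set()),
    "ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2":
        lambda f: {"10.0.0.1", "10.0.0.2"} <= f.get("ip.addr", set()),
    "!(ip.addr == 10.0.0.1)": lambda f: "10.0.0.1" not in f.get("ip.addr", set()),
    # Pre-3.6 meaning of 'ip.addr != 10.0.0.1': true if ANY of the two addresses differs,
    # which matches almost every packet. Wireshark 3.6+ spells this 'any_ne'.
    "ip.addr any_ne 10.0.0.1": lambda f: any(a != "10.0.0.1" for a in f.get("ip.addr", set())),
    "tcp.port == 4000": lambda f: 4000 in f.get("tcp.port", set()),
    "tcp.flags.reset == 1": lambda f: f.get("tcp.flags.reset") == 1,
    'tcp contains "traffic"': lambda f: b"traffic" in f.get("tcp", b""),
    "udp contains 33:27:58": lambda f: bytes.fromhex("332758") in f.get("udp", b""),
}

# Constructed sample traffic: 4 frames, numbered 1..4 as Wireshark would.
FRAMES = [
    build_eth("00:1a:6b:ce:fc:bb", "00:1a:6b:00:00:01", build_ipv4("10.0.0.1", "10.0.0.2", 6,
              build_tcp(51000, 4000, payload=b"GET /traffic HTTP/1.1\r\n"))),
    build_eth("00:1a:6b:00:00:01", "00:1a:6b:ce:fc:bb", build_ipv4("10.0.0.2", "10.0.0.1", 6,
              build_tcp(4000, 51000, flags=0x04))),
    build_eth("00:1a:6b:ce:fc:bb", "00:1a:6b:00:00:02", build_ipv4("10.0.0.1", "10.0.0.9", 17,
              build_udp(40000, 513, payload=b"\x00\x33\x27\x58\x00"))),
    build_eth("00:1a:6b:00:00:02", "00:1a:6b:00:00:03", build_ipv4("10.0.0.9", "10.0.0.7", 6,
              build_tcp(33000, 80, payload=b"traffic report"))),
]

def apply_filter(expr, frames=FRAMES):
    """Return the 1-based frame numbers a filter expression matches."""
    pred = FILTERS[expr]
    return [i for i, fr in enumerate(frames, 1) if pred(decode(fr))]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45} -> frames {apply_filter(expr)}")
```

Compare the last two ip.addr lines of the output: !(ip.addr == 10.0.0.1) selects only frame 4, while the legacy any_ne reading selects every frame, which is why negating a multi-valued field should always be written as !(field == value).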
Field | Meaning | Example filter |
eth.addr | source or destination MAC address | eth.addr == 00:1a:6b:ce:fc:bb |
eth.src | source MAC address | eth.src == 00:1a:6b:ce:fc:bb |
eth.dst | destination MAC address | eth.dst == 00:1a:6b:ce:fc:bb |
arp.dst.hw_mac | target MAC address | arp.dst.hw_mac == 00:1a:6b:ce:fc:bb |
arp.dst.proto_ipv4 | target IPv4 address | arp.dst.proto_ipv4 == 10.10.10.10 |
arp.src.hw_mac | sender MAC address | arp.src.hw_mac == 00:1a:6b:ce:fc:bb |
arp.src.proto_ipv4 | sender IPv4 address | arp.src.proto_ipv4 == 10.10.10.10 |
vlan.id | VLAN ID | vlan.id == 16 |
ip.addr | source or destination IPv4 address | ip.addr == 10.10.10.10 |
ip.dst | destination IPv4 address | ip.dst == 10.10.10.10 |
ip.src | source IPv4 address | ip.src == 10.10.10.10 |
ip.proto | IP protocol number (decimal) | ip.proto == 1 |
ipv6.addr | source or destination IPv6 address | ipv6.addr == 2001::5 |
ipv6.src | source IPv6 address | ipv6.src == 2001::5 |
ipv6.dst | destination IPv6 address | ipv6.dst == 2001::5 |
tcp.port | source or destination TCP port | tcp.port == 20 |
tcp.dstport | destination TCP port | tcp.dstport == 80 |
tcp.srcport | source TCP port | tcp.srcport == 60234 |
udp.port | source or destination UDP port | udp.port == 513 |
udp.dstport | destination UDP port | udp.dstport == 513 |
udp.srcport | source UDP port | udp.srcport == 40000 |
fr.dlci | Frame Relay DLCI number | fr.dlci == 112 |
icmp.type | ICMP type (decimal) | icmp.type == 8 |
vtp.vlan_info.vlan_name | VLAN name | vtp.vlan_info.vlan_name == "TEST" |
bgp.originator_id | BGP originator ID (IPv4 address) | bgp.originator_id == 192.168.10.15 |
bgp.next_hop | BGP next hop (IPv4 address) | bgp.next_hop == 192.168.10.15 |
rip.ip | RIP IPv4 address | rip.ip == 200.0.2.0 |
ospf.advrouter | OSPF advertising router ID | ospf.advrouter == 192.168.170.8 |
eigrp.as | EIGRP autonomous system number | eigrp.as == 100 |
hsrp.virt_ip | HSRP virtual IP address | hsrp.virt_ip == 192.168.23.250 |
vrrp.ip_addr | VRRP virtual IP address | vrrp.ip_addr == 192.168.23.250 |
zebra.dest4 | ZEBRA destination IPv4 address | zebra.dest4 == 10.10.10.10 |
wlan.addr | source or destination 802.11 MAC address | wlan.addr == 00:1a:6b:ce:fc:bb |
wlan.sa | source 802.11 MAC address | wlan.sa == 00:1a:6b:ce:fc:bb |
wlan.da | destination 802.11 MAC address | wlan.da == 00:1a:6b:ce:fc:bb |
- eth.addr/eth.dst/eth.src [MAC address]
- rip.auth.passwd [RIP password]
- tcp.port/tcp.dstport/tcp.srcport [TCP ports]
- tcp.flags [TCP flags]
- udp.port/udp.dstport/udp.srcport [UDP ports]
- http.authbasic [HTTP Basic Authentication credentials]
- http.www_authenticate [HTTP WWW-Authenticate header]
- http.file_data [HTTP body (data portion)]
- http.cookie [HTTP cookie]
- http.referer [HTTP referer]
- http.server [HTTP server]
- http.user_agent [HTTP user agent]
- wlan.fc.type eq 0 [802.11 management frame]
- wlan.fc.type eq 1 [802.11 control frame]
- wlan.fc.type eq 2 [802.11 data frame]
- wlan.fc.type_subtype eq 0 [802.11 association request; 1 = association response]
- wlan.fc.type_subtype eq 2 [802.11 reassociation request; 3 = reassociation response]
- wlan.fc.type_subtype eq 4 [802.11 probe request; 5 = probe response]
- wlan.fc.type_subtype eq 8 [802.11 beacon frame]
- wlan.fc.type_subtype eq 10 [802.11 disassociation]
- wlan.fc.type_subtype eq 11 [802.11 authentication; 12 = deauthentication]
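The wlan.fc.type and wlan.fc.type_subtype values in the list above come straight from the 802.11 Frame Control field: bits 0-1 are the protocol version, bits 2-3 the type, bits 4-7 the subtype, and Wireshark packs type_subtype as (type << 4) | subtype, which is why management subtypes keep their raw number (beacon = 8, deauthentication = 12) while a data frame is 0x20. The following is an added example, not code from the page: it decodes those bits from constructed management frames and tallies deauthentication frames per transmitter, the offline equivalent of wlan.fc.type_subtype == 12 used to spot a deauth flood (the MAC addresses and the threshold are made up for the demonstration).

```python
import struct

# Added example: frames below are constructed, not captured 802.11 traffic.

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

def fc_fields(frame):
    """Return (wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype) from the
    first Frame Control byte: bits 2-3 = type, bits 4-7 = subtype."""
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return ftype, subtype, (ftype << 4) | subtype

def describe(frame):
    """Human-readable name for the frame's type/subtype."""
    ftype, subtype, _ = fc_fields(frame)
    if ftype == 0:
        return MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}")
    return f"{TYPE_NAMES.get(ftype, 'reserved')} subtype {subtype}"

def build_mgmt(subtype, addr1, addr2, bssid):
    """Constructed management frame header (little-endian, as on the air):
    FC(2) duration(2) addr1=DA(6) addr2=SA(6) addr3=BSSID(6) seq(2)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    fc0 = (subtype << 4) | (0 << 2)          # type 0 = management
    return struct.pack("<BBH", fc0, 0, 0) + mac(addr1) + mac(addr2) + mac(bssid) + struct.pack("<H", 0)

def deauth_counts(frames):
    """Tally frames matching 'wlan.fc.type_subtype == 12' by transmitter (wlan.sa, addr2)."""
    counts = {}
    for fr in frames:
        if fc_fields(fr)[2] == 12:
            sa = fr[10:16].hex(":")
            counts[sa] = counts.get(sa, 0) + 1
    return counts

def flagged_transmitters(frames, threshold=3):
    """Transmitters sending more than `threshold` deauths (threshold is an assumed value)."""
    return sorted(sa for sa, n in deauth_counts(frames).items() if n > threshold)

AP, STA = "00:1a:6b:ce:fc:bb", "00:1a:6b:00:00:05"
FRAMES = (
    [build_mgmt(8, "ff:ff:ff:ff:ff:ff", AP, AP),          # beacon
     build_mgmt(0, AP, STA, AP),                          # association request
     build_mgmt(1, STA, AP, AP)]                          # association response
    # A deauth flood normally spoofs the AP as transmitter, so addr2 is the AP here.
    + [build_mgmt(12, STA, AP, AP) for _ in range(5)]
)

if __name__ == "__main__":
    for i, fr in enumerate(FRAMES, 1):
        print(i, fc_fields(fr), describe(fr))
    print("deauths per transmitter:", deauth_counts(FRAMES))
    print("flagged:", flagged_transmitters(FRAMES))
```

Because the transmitter address is whatever the sender put in addr2, a per-source tally only tells you which address is being spoofed, not who is sending; the real attacker is found with signal-strength or sequence-number analysis, not with this filter alone.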