Ethereal Filter use experience talk

xiaoxiao2021-03-06  19

Like tcpdump, Ethereal supports very rich filters. Filters fall into two categories. One is the capture filter: when network traffic is heavy, it discards noise packets very efficiently at capture time. The other is the display filter, which filters noise out of the packets you have already captured. In practice, writing a good filter requires very solid network knowledge, so unless you really need one you can usually do without; I prefer to capture without any filter and then apply a simple display filter afterwards. Beginners are advised to avoid filters at first. Note that Ethereal's capture filter and display filter use different syntaxes; the capture filter syntax follows tcpdump's.

In fact, Ethereal itself does not capture packets; it only parses them. To capture, it relies on pcap. The Windows implementation of pcap is called WinPcap, whose highest stable version is currently 3.0. On Linux, pcap is generally installed by default.

Common Capture Filter

Common Display Filter

1. Operators:

eq, == equal

ne, != not equal

gt, > greater than

lt, < less than

ge, >= greater than or equal to

le, <= less than or equal to

Example:

udp.port == 10002

sip.method == INVITE

2. Search

contains: the protocol or field contains the specified content

matches: the field matches a Perl regular expression

Example:

sip contains INVITE lists all SIP packets that contain the string INVITE;

wsp.user_agent matches "(?i)CLDC" finds packets whose wsp.user_agent contains the string CLDC, case-insensitively. The (?i) option is a Perl regular expression feature that not all Ethereal versions support; before using it, check that your version was built "with the pcre library".

3. Common keyword

frame

ip

eth

udp

tcp

http

Example:

frame.pkt_len > 100 packets whose frame length is greater than 100

ip.src == 192.168.214.12 packets whose source address is 192.168.214.12

ip.dst == www.yahoo.com packets whose destination address is www.yahoo.com

ip.addr == 129.111.0.0/16 packets whose address lies in the 129.111.*.* subnet, similar to host in a capture filter

http.request.method == "Head" finds HTTP packets whose request method contains Head

http.request.method == "\x48ead" is the same, except that \x48 is used to represent 'H'

4. Array operation

[i:j] i = starting point, j = length

[i-j] i = starting point, j = end point, inclusive

[i] i = starting point, length 1

[:j] starting point 0, length j

[i:] starting point i, through to the end

Or directly examples:

eth.src[0:3] == 00:00:83 the first 3 bytes of the Ethernet source address

http.content_type[0:4] == "text" the first four characters of content_type

frame[-4:4] == 0.1.2.3 a negative starting point counts from the end: start at -4 with length 4, i.e. the last four bytes. Quite flexible!

5. Logical operation

and, && logical and

or, || logical or

not, ! logical not

No examples needed here; these should be self-explanatory.

6. Bit operation

bitwise_and, & bitwise and

Example:

tcp.flags & 0x02 filters all TCP SYN packets (since only the SYN bit is tested, this also matches SYN/ACK packets)
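As an added illustration that is not part of the original article, the Python below applies the slice notation from section 4 and several of the example filters above by hand to a constructed Ethernet/IPv4/TCP SYN frame, mirroring what Ethereal evaluates; the frame contents, addresses and helper names (eth_slice, build_syn_frame, fields, evaluate_page_filters) are all assumptions made for this example.

```python
import ipaddress
import struct

def eth_slice(data: bytes, spec: str) -> bytes:
    """Slice spec as the article describes: 'i:j' = (start, length), 'i-j' = inclusive
    range, 'i' = one byte, ':j', 'i:'; a negative start counts from the end."""
    spec = spec.replace(" ", "")
    if ":" in spec:
        start, _, length = spec.partition(":")
        i = int(start) if start else 0
        i = i + len(data) if i < 0 else i
        return data[i:] if length == "" else data[i:i + int(length)]
    dash = spec.find("-", 1)  # a leading '-' is a sign, not the range separator
    if dash != -1:
        i, j = int(spec[:dash]), int(spec[dash + 1:])
        return data[i:j + 1]
    i = int(spec)
    i = i + len(data) if i < 0 else i
    return data[i:i + 1]


def build_syn_frame() -> bytes:
    """Constructed sample: Ethernet II + IPv4 + TCP SYN, no payload, made-up addresses."""
    eth = bytes.fromhex("00008300000b") + bytes.fromhex("00008300000a") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 10002, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 214, 12]), bytes([129, 111, 1, 2]))
    return eth + ip + tcp


def fields(frame: bytes) -> dict:
    """Extract the few fields the article's example filters refer to."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    return {"frame.pkt_len": len(frame), "eth.src": frame[6:12], "tcp.flags": tcp[13],
            "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20]))}


def evaluate_page_filters(frame: bytes) -> dict:
    """Evaluate the article's example display filters against one frame."""
    f = fields(frame)
    net = ipaddress.ip_network("129.111.0.0/16")
    return {
        "frame.pkt_len > 100": f["frame.pkt_len"] > 100,
        "ip.src == 192.168.214.12": f["ip.src"] == "192.168.214.12",
        "ip.addr == 129.111.0.0/16": any(ipaddress.ip_address(a) in net
                                        for a in (f["ip.src"], f["ip.dst"])),
        "eth.src[0:3] == 00:00:83": eth_slice(f["eth.src"], "0:3") == bytes.fromhex("000083"),
        "tcp.flags & 0x02": bool(f["tcp.flags"] & 0x02),  # SYN bit set (also true for SYN/ACK)
    }
```

The 54-byte sample frame deliberately fails frame.pkt_len > 100 while passing the other filters, so each result in the returned dict can be checked against the semantics described above.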

More explanation of filters can be found in the help file ethereal-filter.html.

As for capture filters, I don't have much to say; on Linux you can read man tcpdump.

It should be noted that Ethereal is a graphical program, so if you work on a UNIX workstation over SSH or Telnet you may find it awkward. And if you plan to use tcpdump instead, opening its manual page will probably put you off straight away; worse, the manual page only provides the most basic help. The approach I usually take is to run tcpdump on the remote host with a minimal set of parameters, for example: tcpdump -i eth0 -s 1500 -w a.dmp. This command works in almost any situation. Briefly: -i eth0 listens on the eth0 interface; -s 1500 is a very important parameter, the snapshot length, meaning the first 1500 bytes of each packet are captured, otherwise you will only see the first 68 bytes of each packet, because tcpdump's default capture length is 68; and -w a.dmp writes the captured data to a.dmp. When you have captured enough, press Ctrl-C and you will see that a.dmp has been generated. Then copy it to your own machine with sftp and parse it with Ethereal.

Please credit the original URL when reposting: https://www.9cbs.com/read-46210.html
