Wireshark has two kinds of filters. A Capture Filter is applied while capturing and uses BPF (Berkeley Packet Filter) syntax; the kernel supports it directly (the expression is compiled to BPF and evaluated in the kernel), so packets that do not match are dropped at capture time and never reach the application. tcpdump and many other capture programs also support BPF filters.
A Display Filter is applied to packets that have already been captured and uses Wireshark's own syntax. The two filter syntaxes are not the same.
BPF syntax: # man pcap-filter
Display filter syntax: # man wireshark-filter
When tshark captures directly (no -r argument) and filters, a Capture Filter is needed; when tshark reads a pcap file with -r and filters, a Display Filter is needed. A bare filter argument on the command line is interpreted accordingly; -f always means a capture filter and -Y always means a display filter. Wireshark does not support applying a Capture Filter while reading a pcap file. For example, using a Capture Filter while capturing:
# tshark -i wlan0 -w /tmp/test.pcap "tcp[13]&2==2 or tcp[13]&1==1 and host 46.51.216.138"
The result is 7 packets. (Note that in pcap-filter syntax "and" binds tighter than "or", so the expression above is parsed as tcp[13]&2==2 or (tcp[13]&1==1 and host 46.51.216.138): every SYN from any host, plus FIN segments to or from 46.51.216.138. tcp[13] is the flags byte of the TCP header; bit 0x02 is SYN and bit 0x01 is FIN.)
# tshark -r /tmp/test.pcap
Running as user "root" and group "root". This could be dangerous.
  1 0.000000000 46.51.216.138 → 192.168.20.101 TCP 66 80 → 59906 [FIN, ACK] Seq=1 Ack=1 Win=227 Len=0 TSval=289495686 TSecr=9698518
  2 0.000248704 192.168.20.101 → 46.51.216.138 TCP 66 59906 → 80 [FIN, ACK] Seq=1 Ack=2 Win=237 Len=0 TSval=9700003 TSecr=289495686
  3 2.110604001 192.168.20.101 → 46.51.216.138 TCP 74 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700531 TSecr=0 WS=128
  4 3.109831761 192.168.20.101 → 46.51.216.138 TCP 74 [TCP Retransmission] 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700781 TSecr=0 WS=128
  5 3.340541693 46.51.216.138 → 192.168.20.101 TCP 74 80 → 59914 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1452 SACK_PERM=1 TSval=289496528 TSecr=9700531 WS=128
  6 4.373172764 192.168.20.101 → 46.51.216.138 TCP 66 59914 → 80 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=9701096 TSecr=289496528
  7 4.735833090 46.51.216.138 → 192.168.20.101 TCP 66 80 → 59914 [FIN, ACK] Seq=1 Ack=2 Win=26880 Len=0 TSval=289496844 TSecr=9701096
Reading the file back, using a Capture Filter gives an error:
# tshark -r /tmp/test.pcap "tcp[13]&2==2 or tcp[13]&1==1 and host 46.51.216.138"
Running as user "root" and group "root". This could be dangerous.
tshark: "46.51.216.138" was unexpected in this context.
Note: That display filter code looks like a valid capture filter; maybe you mixed them up?
A Display Filter is needed here. The one below is narrower than the capture filter above: it keeps only the SYN segments to or from the host (selecting the FIN segments as well would need tcp.flags.fin==1):
# tshark -r /tmp/test.pcap "tcp.flags.syn==1 and ip.addr==46.51.216.138"
Running as user "root" and group "root". This could be dangerous.
  3 2.110604001 192.168.20.101 → 46.51.216.138 TCP 74 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700531 TSecr=0 WS=128
  4 3.109831761 192.168.20.101 → 46.51.216.138 TCP 74 [TCP Retransmission] 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700781 TSecr=0 WS=128
  5 3.340541693 46.51.216.138 → 192.168.20.101 TCP 74 80 → 59914 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1452 SACK_PERM=1 TSval=289496528 TSecr=9700531 WS=128
To apply a Capture Filter to an existing file, run it through tcpdump, which accepts BPF filters when reading a file, and write the matching packets to a new pcap (here the filter keeps only SYN segments to or from the host):
# tcpdump -r /tmp/test.pcap -w /tmp/test_filtered.pcap "tcp[13]&2==2 and host 46.51.216.138"
reading from file /tmp/test.pcap, link-type EN10MB (Ethernet)
# tshark -r /tmp/test_filtered.pcap
Running as user "root" and group "root". This could be dangerous.
  1 0.000000 192.168.20.101 → 46.51.216.138 TCP 74 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700531 TSecr=0 WS=128
  2 0.999228 192.168.20.101 → 46.51.216.138 TCP 74 [TCP Retransmission] 59914 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=9700781 TSecr=0 WS=128
  3 1.229938 46.51.216.138 → 192.168.20.101 TCP 74 80 → 59914 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1452 SACK_PERM=1 TSval=289496528 TSecr=9700531 WS=128
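The following is an added example, not part of the original page and not Wireshark or tcpdump code. It decodes constructed Ethernet/IPv4/TCP frames with the Python standard library only and evaluates the three filter expressions used above by hand: the capture filter exactly as written (with BPF's "and before or" precedence), the same capture filter with parentheses, and the display filter. The frames mirror the 7-packet capture above; the third host 203.0.113.7 and its two extra segments are an assumption added to show where the expressions disagree.

```python
# Added example (not from the original page): evaluate the page's filter
# expressions over constructed frames, to show what tcp[13] selects and how
# BPF precedence ('and' binds tighter than 'or') changes what is matched.
import struct
import ipaddress

TCP_FIN = 0x01   # bit 0 of the TCP flags byte (tcp[13] in BPF)
TCP_SYN = 0x02   # bit 1
TCP_ACK = 0x10   # bit 4

HOST = "46.51.216.138"      # the host from the page's capture
ME = "192.168.20.101"
OTHER = "203.0.113.7"       # constructed third host (TEST-NET-3), an assumption


def build_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data).
    Checksums are left zero; none of the filters here look at them."""
    eth = b"\x00" * 12 + b"\x08\x00"       # dst MAC, src MAC, EtherType = IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, 6, 0,   # v4/IHL 5, len 40, TTL 64, proto 6 = TCP
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 29200, 0, 0)
    return eth + ip + tcp


def parse(frame):
    """Return (src_ip, dst_ip, tcp_header_bytes) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":        # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
    if frame[14 + 9] != 6:                 # IP protocol field: 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, frame[14 + ihl:]      # tcp[0] starts right after the IP header


def bpf_as_written(frame):
    """tcp[13]&2==2 or tcp[13]&1==1 and host HOST
    With BPF precedence this is: SYN from anyone OR (FIN to/from HOST)."""
    p = parse(frame)
    if p is None:
        return False
    src, dst, tcp = p
    flags = tcp[13]                        # byte 13 of the TCP header = flags
    return (flags & TCP_SYN) == TCP_SYN or ((flags & TCP_FIN) == TCP_FIN and HOST in (src, dst))


def bpf_parenthesized(frame):
    """(tcp[13]&2==2 or tcp[13]&1==1) and host HOST: SYN or FIN, but only with HOST."""
    p = parse(frame)
    if p is None:
        return False
    src, dst, tcp = p
    return (tcp[13] & (TCP_SYN | TCP_FIN)) != 0 and HOST in (src, dst)


def display_as_written(frame):
    """tcp.flags.syn==1 and ip.addr==HOST: the page's display filter, SYN segments only."""
    p = parse(frame)
    if p is None:
        return False
    src, dst, tcp = p
    return (tcp[13] & TCP_SYN) != 0 and HOST in (src, dst)


# Constructed frames modelled on the page's 7-packet capture, plus two extra
# segments to a third host that show where the three expressions differ.
FRAMES = [
    build_frame(HOST, ME, 80, 59906, TCP_FIN | TCP_ACK),   # 0 FIN/ACK
    build_frame(ME, HOST, 59906, 80, TCP_FIN | TCP_ACK),   # 1 FIN/ACK
    build_frame(ME, HOST, 59914, 80, TCP_SYN),             # 2 SYN
    build_frame(ME, HOST, 59914, 80, TCP_SYN),             # 3 SYN retransmission
    build_frame(HOST, ME, 80, 59914, TCP_SYN | TCP_ACK),   # 4 SYN/ACK
    build_frame(ME, HOST, 59914, 80, TCP_FIN | TCP_ACK),   # 5 FIN/ACK
    build_frame(HOST, ME, 80, 59914, TCP_FIN | TCP_ACK),   # 6 FIN/ACK
    build_frame(ME, OTHER, 59920, 443, TCP_SYN),           # 7 SYN to another host
    build_frame(ME, OTHER, 59920, 443, TCP_ACK),           # 8 plain ACK to another host
]


def matching(pred, frames=FRAMES):
    """Indices of the frames for which the predicate is true."""
    return [i for i, f in enumerate(frames) if pred(f)]


if __name__ == "__main__":
    for pred in (bpf_as_written, bpf_parenthesized, display_as_written):
        print(f"{pred.__name__:20s} -> {matching(pred)}")
```

The capture filter as written also picks up the SYN to the third host (frame 7), which neither the parenthesized form nor the display filter does; the display filter additionally drops the FIN segments. The same precedence applies when tcpdump re-filters a file as above, so parenthesize BPF expressions whenever "or" and "and" are mixed. If the intermediate file is not needed, tcpdump can write to standard output with -w - and tshark can read it with -r -.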